lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAKHoSAsWa2fNFUTSy=vmFFWeAMiYgdtTuZX5OP2xtVu5WQhd3Q@mail.gmail.com>
Date: Fri, 3 Jan 2025 15:31:01 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>
Cc: linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "kernel BUG corrupted in ext4_writepages" in Linux kernel version 6.13.0-rc2

Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)

Affected File: fs/ext4/inode.c

File: fs/ext4/inode.c

Function: ext4_writepages

Detailed Call Stack:

------------[ cut here begin]------------

kernel BUG at fs/ext4/inode.c:2732!
invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 2 PID: 9 Comm: kworker/u8:0 Not tainted 5.15.169 #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: writeback wb_workfn (flush-7:5)
RIP: 0010:ext4_writepages+0x2832/0x32f0 fs/ext4/inode.c:2732
Code: d1 ff e9 cd e6 ff ff e8 6c c0 a2 ff 0f 0b 8b 84 24 bc 00 00 00
4c 8b 74 24 38 31 db 89 44 24 18 e9 5b fa ff ff e8 4e c0 a2 ff <0f> 0b
e8 47 c0 a2 ff 0f b6 ac 24 0b 01 00 00 89 5c 24 18 e9 2a ea
RSP: 0018:ffff8881009773f0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff819f9669
RDX: ffff888100968000 RSI: ffffffff819faf02 RDI: 0000000000000007
RBP: ffff888007c458a0 R08: 0000000000000000 R09: ffff888007c458a7
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888101d08000 R14: ffff888007c45af0 R15: 00000000000000bc
FS: 0000000000000000(0000) GS:ffff88811af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca25eaff8 CR3: 0000000021b40000 CR4: 0000000000350ee0
9pnet: p9_fd_create_tcp (13248): problem connecting socket to 127.0.0.1
Call Trace:
<TASK>
do_writepages+0x22a/0x770 mm/page-writeback.c:2386
__writeback_single_inode+0x10a/0xae0 fs/fs-writeback.c:1647
writeback_sb_inodes+0x566/0xfd0 fs/fs-writeback.c:1930
wb_writeback+0x281/0x920 fs/fs-writeback.c:2104
wb_do_writeback fs/fs-writeback.c:2247 [inline]
wb_workfn+0x1a4/0xeb0 fs/fs-writeback.c:2288
process_one_work+0xa3d/0x15a0 kernel/workqueue.c:2310
worker_thread+0x62e/0x1330 kernel/workqueue.c:2457
kthread+0x3c3/0x4a0 kernel/kthread.c:334
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:287
</TASK>

------------[ cut here end]------------

Root Cause:

The crash is triggered by a kernel bug within the Ext4 filesystem's
inode handling, specifically at line 2732 in fs/ext4/inode.c. The
ext4_writepages function attempts to execute an invalid opcode
(0x0000), which is indicative of corrupted or uninitialized code. This
invalid opcode likely results from memory corruption or improper
handling of inode structures during the writeback process. The
KernelAddressSANitizer (KASAN) has detected a null pointer dereference
in the range [0x40-0x47], suggesting that a critical pointer within
the Ext4 inode or related structures was either not properly
initialized or was corrupted before the write operation. The issue
manifests during the writeback workqueue (wb_workfn), where the kernel
attempts to flush inodes to disk. Additionally, the presence of a
message related to 9pnet: p9_fd_create_tcp indicates potential
interactions with network filesystem operations, which might
exacerbate or contribute to the memory corruption. Consequently, when
the Ext4 subsystem tries to process these corrupted inodes, it
executes invalid instructions, leading to a kernel panic and system
crash. This highlights a serious flaw in the Ext4 writeback mechanism,
potentially caused by concurrent operations, faulty memory management,
or bugs in related filesystem interactions.

Thank you for your time and attention.

Best regards

Wall

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ