Message-ID: <CAJeEPu++aAiF=ybq+XHEdGad+RsxR8d=tmEe5LxCOnDjWY_OFg@mail.gmail.com>
Date: Tue, 7 Jan 2025 16:53:57 +0800
From: Dylan Wolff <wolffd@...p.nus.edu.sg>
To: Dave Kleikamp <shaggy@...nel.org>, jfs-discussion@...ts.sourceforge.net, 
	linux-kernel@...r.kernel.org
Cc: Jiacheng Xu <stitch@....edu.cn>
Subject: General Protection Fault / KASAN: null-ptr-deref in jfs_ioc_trim

Hello kernel developers!

We believe that we have found a concurrency bug in the `fs/jfs` module that
results in a null pointer dereference. There is a closely related issue
which has been fixed:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234

... but, unfortunately, the accepted patch appears to still be susceptible
to a null pointer dereference under some interleavings.

To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set to
NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This bug
manifests quite rarely under normal circumstances, but is triggerable with
the attached syz program. We've also attached a trace of an execution that
leads to the crash (thread id:location). If needed, we can share our setup
in detail which reproduces the bug with very high probability.

Here's a proposed patch:

```
diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c
index 5f4b30503..4b660296c 100644
--- a/fs/jfs/jfs_discard.c
+++ b/fs/jfs/jfs_discard.c
@@ -86,7 +86,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range
*range)
        down_read(&sb->s_umount);
        bmp = JFS_SBI(ip->i_sb)->bmap;

-       if (minlen > bmp->db_agsize ||
+       if (bmp == NULL ||
+           minlen > bmp->db_agsize ||
            start >= bmp->db_mapsize ||
            range->len < sb->s_blocksize) {
                up_read(&sb->s_umount);
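Review bot: the new `bmp == NULL` test only covers the single read at `bmp = JFS_SBI(ip->i_sb)->bmap;`; nothing in the hunk shows what stops a concurrent path from clearing `bmap` after the check, so unless the clearing side (the cover letter names `dbFreeBits`) also takes `s_umount` for write, this narrows the window rather than closing the race, and the commit message should state what serialises the two. Kernel style prefers `if (!bmp ||` over `bmp == NULL ||`. The patch also lacks a `Signed-off-by:` trailer and a `Fixes:` tag naming commit d6c1b3599b2f cited above, and as pasted the hunk header is wrapped onto a second line (`*range)`) with the leading whitespace mangled by the mail client, so it will not apply with `git am`; resend it via `git send-email` or attach the `git format-patch` output.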
```

Applying this patch to our kernel locally appears to resolve the issue.

If this looks like it might be a security vulnerability, please let us know
if there is anything we need to provide for the CVE process.

We would also appreciate attribution for the discovery / fix if applicable:
Reported-by: Jiacheng Xu <stitch@....edu.cn>, Dylan Wolff <wolffd@...p.nus.edu.sg>

Environment:
     Qemu (invocation attached) running a Syzkaller image on an Ubuntu 22.04.4 LTS host
Kernel:
     HEAD commit: fbfd64d25
     tree: upstream
     compiler toolchain: clang-17

Thanks!
Dylan


View attachment "jfs-nullptr-crash.txt" of type "text/plain" (10100 bytes)

View attachment "jfs-nullptr-trace.txt" of type "text/plain" (73925 bytes)

Download attachment "repro-jfs.prog" of type "application/octet-stream" (33836 bytes)

Download attachment "KCONFIG.config" of type "application/octet-stream" (264592 bytes)

View attachment "qemu.txt" of type "text/plain" (425 bytes)
