korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-17 09:14:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
e3912775b4
linux/fs/ext4
History
Ye Bin e3912775b4 ext4: fix use-after-free in ext4_search_dir 
commit c186f0887f upstream.

We got issue as follows:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir fs/ext4/namei.c:1394 [inline]
BUG: KASAN: use-after-free in search_dirblock fs/ext4/namei.c:1199 [inline]
BUG: KASAN: use-after-free in __ext4_find_entry+0xdca/0x1210 fs/ext4/namei.c:1553
Read of size 1 at addr ffff8881317c3005 by task syz-executor117/2331

CPU: 1 PID: 2331 Comm: syz-executor117 Not tainted 5.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:83 [inline]
 dump_stack+0x144/0x187 lib/dump_stack.c:124
 print_address_description+0x7d/0x630 mm/kasan/report.c:387
 __kasan_report+0x132/0x190 mm/kasan/report.c:547
 kasan_report+0x47/0x60 mm/kasan/report.c:564
 ext4_search_dir fs/ext4/namei.c:1394 [inline]
 search_dirblock fs/ext4/namei.c:1199 [inline]
 __ext4_find_entry+0xdca/0x1210 fs/ext4/namei.c:1553
 ext4_lookup_entry fs/ext4/namei.c:1622 [inline]
 ext4_lookup+0xb8/0x3a0 fs/ext4/namei.c:1690
 __lookup_hash+0xc5/0x190 fs/namei.c:1451
 do_rmdir+0x19e/0x310 fs/namei.c:3760
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x445e59
Code: 4d c7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b c7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff2277fac8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000400280 RCX: 0000000000445e59
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000002
R10: 00007fff2277f990 R11: 0000000000000246 R12: 0000000000000000
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:0000000048cd3304 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1317c3
flags: 0x200000000000000()
raw: 0200000000000000 ffffea0004526588 ffffea0004528088 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881317c2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881317c2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881317c3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8881317c3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881317c3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

ext4_search_dir:
  ...
  de = (struct ext4_dir_entry_2 *)search_buf;
  dlimit = search_buf + buf_size;
  while ((char *) de < dlimit) {
  ...
    if ((char *) de + de->name_len <= dlimit &&
	 ext4_match(dir, fname, de)) {
	    ...
    }
  ...
    de_len = ext4_rec_len_from_disk(de->rec_len, dir->i_sb->s_blocksize);
    if (de_len <= 0)
      return -1;
    offset += de_len;
    de = (struct ext4_dir_entry_2 *) ((char *) de + de_len);
  }

Assume:
de=0xffff8881317c2fff
dlimit=0x0xffff8881317c3000

If read 'de->name_len' which address is 0xffff8881317c3005, obviously is
out of range, then will trigger use-after-free.
To solve this issue, 'dlimit' must reserve 8 bytes, as we will read
'de->name_len' to judge if '(char *) de + de->name_len' out of range.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220324064816.1209985-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-27 14:39:01 +02:00
..
.kunitconfig ext4: add .kunitconfig fragment to enable ext4-specific tests 2021-02-11 23:16:30 -05:00
acl.c vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
balloc.c ext4: flush background discard kwork when retry allocation 2021-08-30 23:35:53 -04:00
bitmap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
block_validity.c ext4: standardize error message in ext4_protect_reserved_inode() 2020-12-17 13:30:55 -05:00
dir.c ext4: fix potential infinite loop in ext4_dx_readdir() 2021-10-01 00:05:09 -04:00
ext4_extents.h ext4: fix sparse warnings 2021-08-30 23:36:50 -04:00
ext4_jbd2.c ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' 2022-01-27 11:05:17 +01:00
ext4_jbd2.h ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
ext4.h ext4: fix use-after-free in ext4_search_dir 2022-04-27 14:39:01 +02:00
extents_status.c ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit 2021-06-22 21:34:17 -04:00
extents_status.h ext4: fix extent_status trace points 2020-01-25 02:03:03 -05:00
extents.c ext4: fix fallocate to use file_modified to update permissions consistently 2022-04-27 14:39:01 +02:00
fast_commit.c ext4: fast commit may miss file actions 2022-03-08 19:12:32 +01:00
fast_commit.h ext4: simplify updating of fast commit stats 2022-03-08 19:12:32 +01:00
file.c In addition to some ext4 bug fixes and cleanups, this cycle we add the 2021-09-02 09:37:09 -07:00
fsmap.c treewide: Change list_sort to use const pointers 2021-04-08 16:04:22 -07:00
fsmap.h ext4: fsmap: fix the block/inode bitmap comment 2021-06-24 09:48:29 -04:00
fsync.c block: use an on-stack bio in blkdev_issue_flush 2021-01-27 09:51:48 -07:00
hash.c ext4: handle casefolding with encryption 2021-04-05 22:04:20 -04:00
ialloc.c ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
indirect.c ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
inline.c ext4: fix fs corruption when tring to remove a non-empty directory with IO error 2022-04-08 14:22:59 +02:00
inode-test.c fs: ext4: Modify inode-test.c to use KUnit parameterized testing feature 2020-12-02 16:07:25 -07:00
inode.c ext4: fix fallocate to use file_modified to update permissions consistently 2022-04-27 14:39:01 +02:00
ioctl.c ext4: fast commit may not fallback for ineligible commit 2022-03-08 19:12:32 +01:00
Kconfig ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it 2021-02-11 23:12:59 -05:00
Makefile ext4: Move orphan inode handling into a separate file 2021-08-30 23:36:51 -04:00
mballoc.c ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit 2022-04-08 14:23:57 +02:00
mballoc.h ext4: fix various seppling typos 2021-04-09 23:14:59 -04:00
migrate.c ext4: don't use the orphan list when migrating an inode 2022-01-27 11:05:18 +01:00
mmp.c ext4: fix potential uninitialized access to retval in kmmpd 2021-07-23 07:31:29 -04:00
move_extent.c ext4: use common helpers in all places reading metadata buffers 2020-10-18 10:37:14 -04:00
namei.c ext4: fix use-after-free in ext4_search_dir 2022-04-27 14:39:01 +02:00
orphan.c ext4: Improve scalability of ext4 orphan file handling 2021-08-30 23:36:51 -04:00
page-io.c ext4: fix symlink file size not match to file content 2022-04-27 14:39:01 +02:00
readpage.c block: Add bio_max_segs 2021-02-26 15:49:51 -07:00
resize.c ext4: Support for checksumming from journal triggers 2021-08-30 23:36:50 -04:00
super.c ext4: fast commit may miss file actions 2022-03-08 19:12:32 +01:00
symlink.c ext4: report correct st_size for encrypted symlinks 2021-07-25 20:01:06 -07:00
sysfs.c ext4: notify sysfs on errors_count value change 2021-06-29 21:06:02 -04:00
truncate.h ext4: Convert to use mapping->invalidate_lock 2021-07-13 14:29:00 +02:00
verity.c New features for ext4 this cycle include support for encrypted 2021-04-30 15:35:30 -07:00
xattr_hurd.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_security.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_trusted.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_user.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr.c ext4: fast commit may not fallback for ineligible commit 2022-03-08 19:12:32 +01:00
xattr.h ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() 2021-06-24 10:09:39 -04:00