Re: [PATCH 2/2] e2fsck: fix use after free in calculate_tree()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ping...

On Tue, Nov 26, 2019 at 5:04 PM Wang Shilong <wangshilong1991@xxxxxxxxx> wrote:
>
> From: Wang Shilong <wshilong@xxxxxxx>
>
> Hit following Seg errors randomly when running f_large_dir test:
>
> +Signal (11) SIGSEGV si_code=SEGV_MAPERR fault addr=0x7f02cfffbc1a
> +../e2fsck/e2fsck[0x43766e]
> +/lib64/libpthread.so.0(+0xf7e0)[0x7f02d8c9a7e0]
> +../e2fsck/e2fsck(e2fsck_rehash_dir+0x10f3)[0x436173]
> +../e2fsck/e2fsck(e2fsck_rehash_directories+0xf4)[0x4362d4]
> +../e2fsck/e2fsck(e2fsck_pass3+0x722)[0x4292c2]
> +../e2fsck/e2fsck(e2fsck_run+0x47)[0x414ef7]
> +../e2fsck/e2fsck(main+0x1c1d)[0x41319d]
> +/lib64/libc.so.6(__libc_start_main+0x100)[0x7f02d8915d20]
> +../e2fsck/e2fsck[0x40fc59]
> +Exit status is 8
>
> gdb output is:
> 0x436173 is in e2fsck_rehash_dir (rehash.c:752).
> warning: Source file is more recent than executable.
> 747                                     dx_ent->hash =
> 748                                             ext2fs_cpu_to_le32(outdir->hashes[i]);
> 749                             dx_ent++;
> 750                             c3--;
> 751                     }
> 752                     int_limit->count = ext2fs_cpu_to_le16(limit->limit - c2);
> 753                     int_limit->limit = ext2fs_cpu_to_le16(limit->limit);
> 754
> 755                     limit->count = ext2fs_cpu_to_le16(limit->limit - c3);
> 756                     limit->limit = ext2fs_cpu_to_le16(limit->limit);
>
> The problem is alloc_blocks() will call get_next_block()
> which might reallocate @outdir->buf, and memory address
> could be changed after this. @int_limit and @root should
> be recalculated based on new start address. Otherwise,
> it will try to access freed memory and cause SEGV_MAPERR
> errors.
>
> Signed-off-by: Wang Shilong <wshilong@xxxxxxx>
> ---
>  e2fsck/rehash.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
> index 5250652e..0eb99328 100644
> --- a/e2fsck/rehash.c
> +++ b/e2fsck/rehash.c
> @@ -636,6 +636,9 @@ static int alloc_blocks(ext2_filsys fs,
>         if (retval)
>                 return retval;
>
> +       /* outdir->buf might be reallocated */
> +       *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
> +
>         *next_ent = set_int_node(fs, block_start);
>         *limit = (struct ext2_dx_countlimit *)(*next_ent);
>         if (next_offset)
> @@ -725,12 +728,18 @@ static errcode_t calculate_tree(ext2_filsys fs,
>                                         return retval;
>                         }
>                         if (c3 == 0) {
> +                               int delta1 = int_offset;;
> +                               int delta2 = (char *)root - outdir->buf;
> +
>                                 retval = alloc_blocks(fs, &limit, &int_ent,
>                                                       &dx_ent, &int_offset,
>                                                       NULL, outdir, i, &c2,
>                                                       &c3);
>                                 if (retval)
>                                         return retval;
> +                               /* outdir->buf might be reallocated */
> +                               int_limit = (struct ext2_dx_countlimit *)(outdir->buf + delta1);
> +                               root = (struct ext2_dx_entry *)(outdir->buf + delta2);
>
>                         }
>                         dx_ent->block = ext2fs_cpu_to_le32(i);
> --
> 2.21.0
>



[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux