BUG: KASAN: use-after-free in ntfs_read_hdr

Hi,

Our fuzzer reported a use-after-free in ntfs_read_hdr, tested on 6.1.29.
The reproducer is at
https://github.com/WenqingLiu0120/bugs/tmp1833.zip, which contains the .config, the mount image and a script to reproduce the bug.

The kernel dump is as follows:
[  103.487559] loop6: detected capacity change from 0 to 32768
[  103.586351] ntfs3: Max link count 4000
[  103.586355] ntfs3: Enabled Linux POSIX ACLs support
[  103.603405] ==================================================================
[  103.603476] BUG: KASAN: use-after-free in ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:335) ntfs3
[  103.603539] Read of size 2 at addr ffff88812b2a597b by task ls/996

[  103.603602] CPU: 1 PID: 996 Comm: ls Not tainted 6.1.29 #1
[ 103.603643] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[  103.603703] Call Trace:
[  103.603723]  <TASK>
[  103.603741]  dump_stack_lvl (/home/wq/kernel/linux-6.1.29/lib/dump_stack.c:107)
[  103.603772]  print_report (/home/wq/kernel/linux-6.1.29/mm/kasan/report.c:285 /home/wq/kernel/linux-6.1.29/mm/kasan/report.c:395)
[  103.603804]  ? ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:335) ntfs3
[  103.603849]  kasan_report (/home/wq/kernel/linux-6.1.29/mm/kasan/report.c:162 /home/wq/kernel/linux-6.1.29/mm/kasan/report.c:497)
[  103.603878]  ? ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:335) ntfs3
[  103.603925]  ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:335) ntfs3
[  103.603970]  ntfs_readdir (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:425) ntfs3
[  103.604014]  ? __x64_sys_getdents64 (/home/wq/kernel/linux-6.1.29/fs/readdir.c:312)
[  103.604049]  ? _raw_spin_unlock (/home/wq/kernel/linux-6.1.29/./arch/x86/include/asm/preempt.h:103 /home/wq/kernel/linux-6.1.29/./include/linux/spinlock_api_smp.h:143 /home/wq/kernel/linux-6.1.29/kernel/locking/spinlock.c:186)
[  103.604081]  ? __handle_mm_fault (/home/wq/kernel/linux-6.1.29/mm/memory.c:4171 /home/wq/kernel/linux-6.1.29/mm/memory.c:4962 /home/wq/kernel/linux-6.1.29/mm/memory.c:5106)
[  103.604115]  ? ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:366) ntfs3
[  103.604164]  ? down_read (/home/wq/kernel/linux-6.1.29/kernel/locking/rwsem.c:1541)
[  103.604192]  ? copy_page_range (/home/wq/kernel/linux-6.1.29/mm/memory.c:5016)
[  103.604225]  ? security_file_permission (/home/wq/kernel/linux-6.1.29/./arch/x86/include/asm/atomic64_64.h:22 /home/wq/kernel/linux-6.1.29/./include/linux/atomic/atomic-long.h:29 /home/wq/kernel/linux-6.1.29/./include/linux/atomic/atomic-instrumented.h:1266 /home/wq/kernel/linux-6.1.29/./include/linux/fsnotify.h:62 /home/wq/kernel/linux-6.1.29/./include/linux/fsnotify.h:99 /home/wq/kernel/linux-6.1.29/./include/linux/fsnotify.h:124 /home/wq/kernel/linux-6.1.29/./include/linux/fsnotify.h:103 /home/wq/kernel/linux-6.1.29/security/security.c:1524)
[  103.604263]  iterate_dir (/home/wq/kernel/linux-6.1.29/fs/readdir.c:65)
[  103.604292]  __x64_sys_getdents64 (/home/wq/kernel/linux-6.1.29/fs/readdir.c:370 /home/wq/kernel/linux-6.1.29/fs/readdir.c:354 /home/wq/kernel/linux-6.1.29/fs/readdir.c:354)
[  103.604328]  ? __x64_sys_getdents (/home/wq/kernel/linux-6.1.29/fs/readdir.c:354)
[  103.604358]  ? handle_mm_fault (/home/wq/kernel/linux-6.1.29/mm/memory.c:5227)
[  103.604391]  ? __x64_sys_getdents64 (/home/wq/kernel/linux-6.1.29/fs/readdir.c:312)
[  103.604421]  ? do_user_addr_fault (/home/wq/kernel/linux-6.1.29/arch/x86/mm/fault.c:1457)
[  103.604453]  do_syscall_64 (/home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:50 /home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:80)
[  103.604483]  entry_SYSCALL_64_after_hwframe (/home/wq/kernel/linux-6.1.29/arch/x86/entry/entry_64.S:120)
[  103.604521] RIP: 0033:0x7f2d675142bb
[ 103.604546] Code: 0f 1e fa 48 8b 47 20 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 81 fa ff ff ff 7f b8 ff ff ff 7f 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 a1 db 10 00 f7 d8
All code
========
   0:	0f 1e fa             	nop    %edx
   3:	48 8b 47 20          	mov    0x20(%rdi),%rax
   7:	c3                   	retq
   8:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
   f:	f3 0f 1e fa          	endbr64
  13:	48 81 fa ff ff ff 7f 	cmp    $0x7fffffff,%rdx
  1a:	b8 ff ff ff 7f       	mov    $0x7fffffff,%eax
  1f:	48 0f 47 d0          	cmova  %rax,%rdx
  23:	b8 d9 00 00 00       	mov    $0xd9,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 05                	ja     0x37
  32:	c3                   	retq
  33:	0f 1f 40 00          	nopl   0x0(%rax)
  37:	48 8b 15 a1 db 10 00 	mov    0x10dba1(%rip),%rdx        # 0x10dbdf
  3e:	f7 d8                	neg    %eax

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 05                	ja     0xd
   8:	c3                   	retq
   9:	0f 1f 40 00          	nopl   0x0(%rax)
   d:	48 8b 15 a1 db 10 00 	mov    0x10dba1(%rip),%rdx        # 0x10dbb5
  14:	f7 d8                	neg    %eax
[  103.604615] RSP: 002b:00007ffe72c666a8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[  103.604646] RAX: ffffffffffffffda RBX: 000055a6fee88460 RCX: 00007f2d675142bb
[  103.604674] RDX: 0000000000008000 RSI: 000055a6fee88460 RDI: 0000000000000003
[  103.604701] RBP: fffffffffffffe98 R08: 0000000000000030 R09: 000000000000007c
[  103.604729] R10: 0000000000000000 R11: 0000000000000293 R12: 000055a6fee88434
[  103.604756] R13: 0000000000000000 R14: 000055a6fee88430 R15: 000055a6fe27d7fe
[  103.604785]  </TASK>

[  103.604803] Allocated by task 982:
[  103.604820]  kasan_save_stack (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:46)
[  103.604823]  kasan_set_track (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:52)
[  103.604825]  __kasan_slab_alloc (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:328)
[  103.604827]  kmem_cache_alloc (/home/wq/kernel/linux-6.1.29/mm/slab.h:738 /home/wq/kernel/linux-6.1.29/mm/slub.c:3398 /home/wq/kernel/linux-6.1.29/mm/slub.c:3406 /home/wq/kernel/linux-6.1.29/mm/slub.c:3413 /home/wq/kernel/linux-6.1.29/mm/slub.c:3422)
[  103.604829]  getname_flags (/home/wq/kernel/linux-6.1.29/fs/namei.c:139 /home/wq/kernel/linux-6.1.29/fs/namei.c:129)
[  103.604831]  do_sys_openat2 (/home/wq/kernel/linux-6.1.29/fs/open.c:1304)
[  103.604833]  do_sys_open (/home/wq/kernel/linux-6.1.29/fs/open.c:1324)
[  103.604836]  do_syscall_64 (/home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:50 /home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:80)
[  103.604838]  entry_SYSCALL_64_after_hwframe (/home/wq/kernel/linux-6.1.29/arch/x86/entry/entry_64.S:120)

[  103.604848] Freed by task 982:
[  103.604862]  kasan_save_stack (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:46)
[  103.604864]  kasan_set_track (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:52)
[  103.604865]  kasan_save_free_info (/home/wq/kernel/linux-6.1.29/mm/kasan/generic.c:518)
[  103.604868]  __kasan_slab_free (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:238 /home/wq/kernel/linux-6.1.29/mm/kasan/common.c:200 /home/wq/kernel/linux-6.1.29/mm/kasan/common.c:244)
[  103.604869]  kmem_cache_free (/home/wq/kernel/linux-6.1.29/mm/slub.c:1750 /home/wq/kernel/linux-6.1.29/mm/slub.c:3661 /home/wq/kernel/linux-6.1.29/mm/slub.c:3683)
[  103.604871]  do_sys_openat2 (/home/wq/kernel/linux-6.1.29/fs/open.c:1320)
[  103.604873]  do_sys_open (/home/wq/kernel/linux-6.1.29/fs/open.c:1324)
[  103.604875]  do_syscall_64 (/home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:50 /home/wq/kernel/linux-6.1.29/arch/x86/entry/common.c:80)
[  103.604878]  entry_SYSCALL_64_after_hwframe (/home/wq/kernel/linux-6.1.29/arch/x86/entry/entry_64.S:120)

[  103.605525] The buggy address belongs to the object at ffff88812b2a5500
which belongs to the cache names_cache of size 4096
[  103.606836] The buggy address is located 1147 bytes inside of
4096-byte region [ffff88812b2a5500, ffff88812b2a6500)

[  103.608717] The buggy address belongs to the physical page:
[  103.609396] page:00000000d879c985 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12b2a0
[  103.609403] head:00000000d879c985 order:3 compound_mapcount:0 compound_pincount:0
[  103.609405] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[  103.609410] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff88810023cf00
[  103.609414] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[  103.609415] page dumped because: kasan: bad access detected

[  103.610082] Memory state around the buggy address:
[  103.610698]  ffff88812b2a5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  103.611317]  ffff88812b2a5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  103.611933] >ffff88812b2a5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  103.612544]                                                                 ^
[  103.613167]  ffff88812b2a5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  103.613920]  ffff88812b2a5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  103.614542] ==================================================================
[  103.615201] Disabling lock debugging due to kernel taint

Wenqing Liu

<<attachment: tmp1833.zip>>
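The report above pins the 2-byte read to ntfs_read_hdr (fs/ntfs3/dir.c:335) on a names_cache object that getname_flags allocated and do_sys_openat2 freed, in a different task (982) from the one doing the reading (ls/996). Before opening dir.c it is worth extracting exactly that from the dump and checking the report's own arithmetic. The following triage script is an added example, not part of the original post and not kernel code; it parses the key lines of this report (embedded below as a constructed sample, with the inlined-path lists shortened), recomputes the offset from the raw addresses, finds the first non-allocator frame in the alloc and free stacks, and flags when the accessing code and the object's allocator live in different parts of the tree. The TREE prefix and the INTERNAL frame list are assumptions taken from the paths in the report.

```python
# Triage a KASAN slab report: who touched the object, who allocated/freed it, and
# does the report's own arithmetic hold. Added example; not from the original post, not kernel code.
import re
from dataclasses import dataclass, field
from typing import List, Optional

TREE = "/home/wq/kernel/linux-6.1.29/"  # assumed build-tree prefix, taken from the paths in the report
TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # "[  103.603476] " log prefix
INTERNAL = ("kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")  # plumbing frames

# Constructed sample: the key lines of the report above, inlined-path lists shortened.
SAMPLE_REPORT = """\
[  103.603476] BUG: KASAN: use-after-free in ntfs_read_hdr (/home/wq/kernel/linux-6.1.29/fs/ntfs3/dir.c:335) ntfs3
[  103.603539] Read of size 2 at addr ffff88812b2a597b by task ls/996

[  103.604803] Allocated by task 982:
[  103.604825] __kasan_slab_alloc (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:328)
[  103.604827] kmem_cache_alloc (/home/wq/kernel/linux-6.1.29/mm/slab.h:738 /home/wq/kernel/linux-6.1.29/mm/slub.c:3422)
[  103.604829] getname_flags (/home/wq/kernel/linux-6.1.29/fs/namei.c:139 /home/wq/kernel/linux-6.1.29/fs/namei.c:129)
[  103.604831] do_sys_openat2 (/home/wq/kernel/linux-6.1.29/fs/open.c:1304)

[  103.604848] Freed by task 982:
[  103.604868] __kasan_slab_free (/home/wq/kernel/linux-6.1.29/mm/kasan/common.c:238 /home/wq/kernel/linux-6.1.29/mm/kasan/common.c:244)
[  103.604869] kmem_cache_free (/home/wq/kernel/linux-6.1.29/mm/slub.c:1750 /home/wq/kernel/linux-6.1.29/mm/slub.c:3683)
[  103.604871] do_sys_openat2 (/home/wq/kernel/linux-6.1.29/fs/open.c:1320)

[  103.605525] The buggy address belongs to the object at ffff88812b2a5500
which belongs to the cache names_cache of size 4096
[  103.606836] The buggy address is located 1147 bytes inside of
4096-byte region [ffff88812b2a5500, ffff88812b2a6500)
"""

@dataclass
class Frame:
    func: str
    path: str  # innermost source location with TREE stripped, e.g. fs/namei.c:139

    @property
    def subsystem(self) -> str:  # directory of the source file: a coarse "owner" of the code
        return self.path.rsplit(":", 1)[0].rpartition("/")[0]

@dataclass
class KasanReport:
    kind: str = ""
    site: Optional[Frame] = None
    size: int = 0
    addr: int = 0
    task: str = ""
    alloc_task: str = ""
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    obj_base: int = 0
    cache: str = ""
    reported_offset: int = -1

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base

    @property
    def alloc_site(self) -> Optional[Frame]:  # first frame below the allocator/KASAN plumbing
        return next((f for f in self.alloc_stack if not f.func.startswith(INTERNAL)), None)

    @property
    def free_site(self) -> Optional[Frame]:
        return next((f for f in self.free_stack if not f.func.startswith(INTERNAL)), None)

    def notes(self) -> List[str]:
        """Heuristic triage findings; the 'foreign object' one is the key question for this report."""
        out = []
        if self.offset != self.reported_offset:
            out.append(f"offset mismatch: computed {self.offset}, report says {self.reported_offset}")
        if self.site and self.alloc_site and self.site.subsystem != self.alloc_site.subsystem:
            out.append(f"foreign object: {self.site.subsystem} reads a {self.cache} object owned by "
                       f"{self.alloc_site.subsystem}; suspect a pointer computed from an out-of-range "
                       f"offset that landed in a neighbouring slab object, not a dangling pointer")
        if self.alloc_task and not self.task.endswith("/" + self.alloc_task):
            out.append(f"allocated and freed by task {self.alloc_task}, accessed by {self.task}")
        return out

def _frame(text: str) -> Optional[Frame]:
    m = re.match(r"(\S+) \(([^)]*)\)", text)  # "func (path:line [more inlined paths]) [module]"
    return Frame(m[1], m[2].split()[0].removeprefix(TREE).removeprefix("./")) if m else None

def parse(text: str) -> KasanReport:
    r, stack = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:  # a blank line ends an "Allocated by"/"Freed by" stack
            stack = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (.*)", line):
            r.kind, r.site = m[1], _frame(m[2])
        elif m := re.match(r"(?:Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.size, r.addr, r.task = int(m[1]), int(m[2], 16), m[3]
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, stack = m[1], r.alloc_stack
        elif re.match(r"Freed by task \d+:", line):
            stack = r.free_stack
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size", line):
            r.cache = m[1]
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif stack is not None and (f := _frame(line)):
            stack.append(f)
    return r
```

On this report parse(SAMPLE_REPORT) recovers the offset 0x47b = 1147, matching the dump, and raises the "foreign object" note: a names_cache object is the pathname that open(2) copies in via getname_flags and releases before the syscall returns, so ntfs3 never holds a reference to it. A read into it from the index-walking code therefore suggests a pointer that was computed past the end of its own buffer and landed in an already-freed neighbour (which is why KASAN labels it use-after-free rather than out-of-bounds); that is a heuristic, and the reproducer is what settles it.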

