buffer overrun in fs/ntfs3 log_replay() if log restart area is corrupt
The attached NTFS image has a corrupt log, one of whose restart areas
results in ra2->client_off being 24 rather than the expected 64. As a
result, this memcpy() in log_replay() writes off the end of the space
allocated for ra:

                memcpy(ra->clients, Add2Ptr(ra2, t16),
                       le16_to_cpu(ra2->ra_len) - t16);

The space allocated for ra is log->restart_size=200; t16 is 24 (not 64,
the offset of ra->clients[]); ra2->ra_len is 200; so 200-24=176 bytes
are copied to &ra->clients=ra+64, even though there are only 200-64=136
bytes there.


# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #4 SMP PREEMPT_DYNAMIC Thu Jan 18 11:25:51 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip ntfs29a.img.gz
# mount -t ntfs3 -o loop,rw ntfs29a.img /mnt

ntfs3: loop0: $LogFile version 2.-1 is not supported
=============================================================================
BUG kmalloc-256 (Not tainted): kmalloc Redzone overwritten
-----------------------------------------------------------------------------

0xffff92c944c544c8-0xffff92c944c544ef @offset=1224. First byte 0xff instead of 0xcc
Allocated in log_replay+0xa81/0x4100 age=0 cpu=9 pid=13117
 log_replay+0xa81/0x4100
 ntfs_loadlog_and_replay+0x196/0x1c0
 ntfs_fill_super+0xb09/0x17a0
 get_tree_bdev+0x12f/0x1c0
 vfs_get_tree+0x24/0xe0
 path_mount+0x2df/0xab0
 __x64_sys_mount+0x106/0x140
 do_syscall_64+0x56/0x120
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed in kvfree_rcu_bulk+0x18e/0x200 age=3625 cpu=4 pid=192
 kvfree_rcu_bulk+0x18e/0x200
 kfree_rcu_monitor+0x138/0x450
 process_one_work+0x134/0x2f0
 worker_thread+0x2ef/0x400
 kthread+0xe1/0x110
 ret_from_fork+0x2f/0x50
 ret_from_fork_asm+0x1b/0x30
Slab 0xffffe9cac4131500 objects=21 used=18 fp=0xffff92c944c56800 flags=0x200000000000a40(workingset|slab|head|node=0|zone=2)
Object 0xffff92c944c54400 @offset=1024 fp=0xffff92c944c56800

CPU: 9 PID: 13117 Comm: mount Not tainted 6.7.0-11091-g296455ade1fd #4
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 13.0 11/10/2020
Call Trace:
 <TASK>
 dump_stack_lvl+0x37/0x50
 check_bytes_and_report+0xd8/0x150
 check_object+0x329/0x340
 free_to_partial_list+0x1d1/0x520
 ? log_replay+0x1af/0x4100
 log_replay+0x1af/0x4100
 ? inode_init_once+0xf0/0x100
 ntfs_loadlog_and_replay+0x196/0x1c0
 ntfs_fill_super+0xb09/0x17a0
 ? __pfx_ntfs_fill_super+0x10/0x10
 get_tree_bdev+0x12f/0x1c0
 vfs_get_tree+0x24/0xe0
 path_mount+0x2df/0xab0
 __x64_sys_mount+0x106/0x140
 do_syscall_64+0x56/0x120
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe8c95e6b0e
Code: 48 8b 0d 25 23 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f2 22 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcd2662a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8c95e6b0e
RDX: 000055c57d935370 RSI: 000055c57d935980 RDI: 000055c57d93acc0
RBP: 000055c57d935750 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000055c57d935370 R14: 000055c57d93acc0 R15: 000055c57d935750
 </TASK>
Disabling lock debugging due to kernel taint
FIX kmalloc-256: Restoring kmalloc Redzone 0xffff92c944c544c8-0xffff92c944c544ef=0xcc
FIX kmalloc-256: Object at 0xffff92c944c54400 not freed
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: failed to replay log file. Can't mount rw!

Robert Morris
rtm@xxxxxxxxxxxxx

Attachment: ntfs29a.img.gz
Description: Binary data
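An added example, not part of the report above or of the ntfs3 driver, showing the validation a defender would want in front of that memcpy(). It uses the report's numbers (restart_size 200, ra_len 200, clients[] at offset 64, client_off 24 versus 64) against a simplified model struct that is an assumption, not the kernel's real RESTART_AREA layout:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Simplified model of a log restart area (not the kernel's struct RESTART_AREA):
 * the two fields the report names, padded so clients[] starts at offset 64. */
struct model_ra {
    uint16_t client_off;    /* where the client array starts in the area */
    uint16_t ra_len;        /* total length of the restart area */
    uint8_t  hdr_rest[60];  /* other header fields, not modelled */
    uint8_t  clients[];     /* client records follow the header */
};

/* Validate the on-disk fields before they size a memcpy() into an allocation
 * of restart_size bytes: ra_len - client_off bytes must fit after the header. */
bool restart_area_copy_is_safe(uint16_t client_off, uint16_t ra_len,
                               size_t restart_size)
{
    size_t clients_off = offsetof(struct model_ra, clients);   /* 64 */
    if (ra_len > restart_size || client_off > ra_len)
        return false;               /* area or offset out of range */
    if (client_off < clients_off)
        return false;               /* clients cannot begin inside the header */
    return (size_t)(ra_len - client_off) <= restart_size - clients_off;
}

/* Checked form of the copy quoted in the report. Returns bytes copied,
 * or -1 when the restart area fails validation and nothing is copied. */
int copy_clients_checked(struct model_ra *ra, const struct model_ra *ra2,
                         size_t restart_size)
{
    uint16_t t16 = ra2->client_off;
    if (!restart_area_copy_is_safe(t16, ra2->ra_len, restart_size))
        return -1;
    memcpy(ra->clients, (const uint8_t *)ra2 + t16, ra2->ra_len - t16);
    return ra2->ra_len - t16;
}

/* Replays the report's numbers: a 200-byte area with ra_len 200 and
 * client_off either 64 (valid) or 24 (the corrupt value, rejected). */
int copy_with_client_off(uint16_t client_off)
{
    union { uint64_t align; uint8_t bytes[200]; } src, dst; /* 200 bytes each */
    struct model_ra *ra2 = (struct model_ra *)src.bytes;
    memset(src.bytes, 0xff, sizeof src.bytes);  /* constructed payload bytes */
    ra2->client_off = client_off;
    ra2->ra_len = 200;
    return copy_clients_checked((struct model_ra *)dst.bytes, ra2, sizeof dst.bytes);
}
```

With client_off 64 the copy moves 136 bytes, exactly the space left after the header; with the corrupt 24 the same arithmetic asks for 176 bytes and the check refuses it.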