Patch "ntfs: fix use-after-free in ntfs_ucsncmp()" has been added to the 4.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 13 Aug 2022 19:12:44 -0400

This is a note to let you know that I've just added the patch titled

    ntfs: fix use-after-free in ntfs_ucsncmp()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit eaab4ae0a7e1b4f19dfd654defeda1f694431c8d
Author: ChenXiaoSong <chenxiaosong2@xxxxxxxxxx>
Date:   Thu Jul 7 18:53:29 2022 +0800

    ntfs: fix use-after-free in ntfs_ucsncmp()
    
    commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream.
    
    Syzkaller reported use-after-free bug as follows:
    
    ==================================================================
    BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130
    Read of size 2 at addr ffff8880751acee8 by task a.out/879
    
    CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    Call Trace:
     <TASK>
     dump_stack_lvl+0x1c0/0x2b0
     print_address_description.constprop.0.cold+0xd4/0x484
     print_report.cold+0x55/0x232
     kasan_report+0xbf/0xf0
     ntfs_ucsncmp+0x123/0x130
     ntfs_are_names_equal.cold+0x2b/0x41
     ntfs_attr_find+0x43b/0xb90
     ntfs_attr_lookup+0x16d/0x1e0
     ntfs_read_locked_attr_inode+0x4aa/0x2360
     ntfs_attr_iget+0x1af/0x220
     ntfs_read_locked_inode+0x246c/0x5120
     ntfs_iget+0x132/0x180
     load_system_files+0x1cc6/0x3480
     ntfs_fill_super+0xa66/0x1cf0
     mount_bdev+0x38d/0x460
     legacy_get_tree+0x10d/0x220
     vfs_get_tree+0x93/0x300
     do_new_mount+0x2da/0x6d0
     path_mount+0x496/0x19d0
     __x64_sys_mount+0x284/0x300
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x7f3f2118d9ea
    Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
    RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea
    RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00
    RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44
    R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     </TASK>
    
    The buggy address belongs to the physical page:
    page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac
    memcg:ffff888101f7e180
    anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff)
    raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201
    raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                              ^
     ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================
    
    The reason is that struct ATTR_RECORD->name_offset is 6485, end address of
    name string is out of bounds.
    
    Fix this by adding sanity check on end address of attribute name string.
    
    [akpm@xxxxxxxxxxxxxxxxxxxx: coding-style cleanups]
    [chenxiaosong2@xxxxxxxxxx: cleanup suggested by Hawkins Jiawei]
      Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@xxxxxxxxxx
    Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@xxxxxxxxxx
    Signed-off-by: ChenXiaoSong <chenxiaosong2@xxxxxxxxxx>
    Signed-off-by: Hawkins Jiawei <yin31149@xxxxxxxxx>
    Cc: Anton Altaparmakov <anton@xxxxxxxxxx>
    Cc: ChenXiaoSong <chenxiaosong2@xxxxxxxxxx>
    Cc: Yongqiang Liu <liuyongqiang13@xxxxxxxxxx>
    Cc: Zhang Yi <yi.zhang@xxxxxxxxxx>
    Cc: Zhang Xiaoxu <zhangxiaoxu5@xxxxxxxxxx>
    Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index 44a39a099b54..62b49197e5f6 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -606,8 +606,12 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name,
 		a = (ATTR_RECORD*)((u8*)ctx->attr +
 				le32_to_cpu(ctx->attr->length));
 	for (;;	a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) {
-		if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec +
-				le32_to_cpu(ctx->mrec->bytes_allocated))
+		u8 *mrec_end = (u8 *)ctx->mrec +
+		               le32_to_cpu(ctx->mrec->bytes_allocated);
+		u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) +
+			       a->name_length * sizeof(ntfschar);
+		if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end ||
+		    name_end > mrec_end)
 			break;
 		ctx->attr = a;
 		if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||






