From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, ChenXiaoSong <chenxiaosong2@huawei.com>,
Hawkins Jiawei <yin31149@gmail.com>,
Anton Altaparmakov <anton@tuxera.com>,
Yongqiang Liu <liuyongqiang13@huawei.com>,
Zhang Yi <yi.zhang@huawei.com>,
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.10 03/65] ntfs: fix use-after-free in ntfs_ucsncmp()
Date: Mon, 1 Aug 2022 13:46:20 +0200 [thread overview]
Message-ID: <20220801114133.797062024@linuxfoundation.org> (raw)
In-Reply-To: <20220801114133.641770326@linuxfoundation.org>
From: ChenXiaoSong <chenxiaosong2@huawei.com>
commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream.
Syzkaller reported use-after-free bug as follows:
==================================================================
BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130
Read of size 2 at addr ffff8880751acee8 by task a.out/879
CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x1c0/0x2b0
print_address_description.constprop.0.cold+0xd4/0x484
print_report.cold+0x55/0x232
kasan_report+0xbf/0xf0
ntfs_ucsncmp+0x123/0x130
ntfs_are_names_equal.cold+0x2b/0x41
ntfs_attr_find+0x43b/0xb90
ntfs_attr_lookup+0x16d/0x1e0
ntfs_read_locked_attr_inode+0x4aa/0x2360
ntfs_attr_iget+0x1af/0x220
ntfs_read_locked_inode+0x246c/0x5120
ntfs_iget+0x132/0x180
load_system_files+0x1cc6/0x3480
ntfs_fill_super+0xa66/0x1cf0
mount_bdev+0x38d/0x460
legacy_get_tree+0x10d/0x220
vfs_get_tree+0x93/0x300
do_new_mount+0x2da/0x6d0
path_mount+0x496/0x19d0
__x64_sys_mount+0x284/0x300
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3f2118d9ea
Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00
RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44
R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the physical page:
page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac
memcg:ffff888101f7e180
anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201
raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
The reason is that struct ATTR_RECORD->name_offset is 6485, end address of
name string is out of bounds.
Fix this by adding sanity check on end address of attribute name string.
[akpm@linux-foundation.org: coding-style cleanups]
[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei]
Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com
Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com
Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Cc: Anton Altaparmakov <anton@tuxera.com>
Cc: ChenXiaoSong <chenxiaosong2@huawei.com>
Cc: Yongqiang Liu <liuyongqiang13@huawei.com>
Cc: Zhang Yi <yi.zhang@huawei.com>
Cc: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs/attrib.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -592,8 +592,12 @@ static int ntfs_attr_find(const ATTR_TYP
a = (ATTR_RECORD*)((u8*)ctx->attr +
le32_to_cpu(ctx->attr->length));
for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) {
- if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec +
- le32_to_cpu(ctx->mrec->bytes_allocated))
+ u8 *mrec_end = (u8 *)ctx->mrec +
+ le32_to_cpu(ctx->mrec->bytes_allocated);
+ u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) +
+ a->name_length * sizeof(ntfschar);
+ if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end ||
+ name_end > mrec_end)
break;
ctx->attr = a;
if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||
next prev parent reply other threads:[~2022-08-01 11:54 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-01 11:46 [PATCH 5.10 00/65] 5.10.135-rc1 review Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 01/65] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 02/65] Revert "ocfs2: mount shared volume without ha stack" Greg Kroah-Hartman
2022-08-01 11:46 ` Greg Kroah-Hartman [this message]
2022-08-01 11:46 ` [PATCH 5.10 04/65] s390/archrandom: prevent CPACF trng invocations in interrupt context Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 05/65] nouveau/svm: Fix to migrate all requested pages Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 06/65] watch_queue: Fix missing rcu annotation Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 07/65] watch_queue: Fix missing locking in add_watch_to_object() Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 08/65] tcp: Fix data-races around sysctl_tcp_dsack Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 09/65] tcp: Fix a data-race around sysctl_tcp_app_win Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 10/65] tcp: Fix a data-race around sysctl_tcp_adv_win_scale Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 11/65] tcp: Fix a data-race around sysctl_tcp_frto Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 12/65] tcp: Fix a data-race around sysctl_tcp_nometrics_save Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 13/65] tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 14/65] ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 15/65] ice: do not setup vlan for loopback VSI Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 16/65] scsi: ufs: host: Hold reference returned by of_parse_phandle() Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 17/65] Revert "tcp: change pingpong threshold to 3" Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 18/65] tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 19/65] tcp: Fix a data-race around sysctl_tcp_limit_output_bytes Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 20/65] tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 21/65] net: ping6: Fix memleak in ipv6_renew_options() Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 22/65] ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 23/65] net/tls: Remove the context from the list in tls_device_down Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 24/65] igmp: Fix data-races around sysctl_igmp_qrv Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 25/65] net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 26/65] tcp: Fix a data-race around sysctl_tcp_min_tso_segs Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 27/65] tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 28/65] tcp: Fix a data-race around sysctl_tcp_autocorking Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 29/65] tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 30/65] Documentation: fix sctp_wmem in ip-sysctl.rst Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 31/65] macsec: fix NULL deref in macsec_add_rxsa Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 32/65] macsec: fix error message in macsec_add_rxsa and _txsa Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 33/65] macsec: limit replay window size with XPN Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 34/65] macsec: always read MACSEC_SA_ATTR_PN as a u64 Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 35/65] net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa() Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 36/65] tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 37/65] tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 38/65] tcp: Fix a data-race around sysctl_tcp_comp_sack_nr Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 39/65] tcp: Fix data-races around sysctl_tcp_reflect_tos Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 40/65] i40e: Fix interface init with MSI interrupts (no MSI-X) Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 41/65] sctp: fix sleep in atomic context bug in timer handlers Greg Kroah-Hartman
2022-08-01 11:46 ` [PATCH 5.10 42/65] netfilter: nf_queue: do not allow packet truncation below transport header offset Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 43/65] virtio-net: fix the race between refill work and close Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 44/65] perf symbol: Correct address for bss symbols Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 45/65] sfc: disable softirqs for ptp TX Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 46/65] sctp: leave the err path free in sctp_stream_init to sctp_stream_free Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 47/65] ARM: crypto: comment out gcc warning that breaks clang builds Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 48/65] page_alloc: fix invalid watermark check on a negative value Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 49/65] mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 50/65] ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 51/65] EDAC/ghes: Set the DIMM label unconditionally Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 52/65] docs/kernel-parameters: Update descriptions for "mitigations=" param with retbleed Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 53/65] xfs: refactor xfs_file_fsync Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 54/65] xfs: xfs_log_force_lsn isnt passed a LSN Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 55/65] xfs: prevent UAF in xfs_log_item_in_current_chkpt Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 56/65] xfs: fix log intent recovery ENOSPC shutdowns when inactivating inodes Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 57/65] xfs: force the log offline when log intent item recovery fails Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 58/65] xfs: hold buffer across unpin and potential shutdown processing Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 59/65] xfs: remove dead stale buf unpin handling code Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 60/65] xfs: logging the on disk inode LSN can make it go backwards Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 61/65] xfs: Enforce attr3 buffer recovery order Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 62/65] x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 63/65] bpf: Consolidate shared test timing code Greg Kroah-Hartman
2022-08-02 12:13 ` Pavel Machek
2022-08-02 13:27 ` Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 64/65] bpf: Add PROG_TEST_RUN support for sk_lookup programs Greg Kroah-Hartman
2022-08-01 11:47 ` [PATCH 5.10 65/65] selftests: bpf: Dont run sk_lookup in verifier tests Greg Kroah-Hartman
2022-08-01 14:26 ` [PATCH 5.10 00/65] 5.10.135-rc1 review Jon Hunter
2022-08-01 20:53 ` Florian Fainelli
2022-08-01 22:14 ` Daniel Díaz
2022-08-01 22:21 ` Shuah Khan
2022-08-02 5:28 ` Guenter Roeck
2022-08-02 11:28 ` Rudi Heitbaum
2022-08-02 17:01 ` Pavel Machek
2022-08-02 17:33 ` Sudip Mukherjee (Codethink)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220801114133.797062024@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=anton@tuxera.com \
--cc=chenxiaosong2@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=liuyongqiang13@huawei.com \
--cc=stable@vger.kernel.org \
--cc=yi.zhang@huawei.com \
--cc=yin31149@gmail.com \
--cc=zhangxiaoxu5@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.