[Bug 205609] New: Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[Bug 205609] New: Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

            Bug ID: 205609
           Summary: Multiple bugs in __ext4_expand_extra_isize (OOB write
                    and UAF write)
           Product: File System
           Version: 2.5
    Kernel Version: 5.x
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@kernel-bugs.osdl.org
          Reporter: tristmd@gmail.com
        Regression: No

BUG #1 - UAF write in __ext4_expand_extra_isize
===

KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250
fs/ext4/inode.c:5924
Write of size 189

BUG #2 - OOB write
===

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #1 from Tristan (tristmd@gmail.com) ---
BUG 1 - UAF write in __ext4_expand_extra_isize
===

KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250
fs/ext4/inode.c:5924
Write of size 189

Details:

BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250
fs/ext4/inode.c:5924
Write of size 189 at addr ffff88802232ffa0 by task syz-executor.1/2654

CPU: 0 PID: 2654 Comm: syz-executor.1 Not tainted 5.4.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374
 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 memset+0x1f/0x40 mm/kasan/common.c:105
 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline]
 ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052
 ext4_ext_truncate+0x8b/0x1d0 fs/ext4/extents.c:4583
 ext4_truncate+0x974/0xf30 fs/ext4/inode.c:4511
 ext4_evict_inode+0x73f/0xf80 fs/ext4/inode.c:289
 evict+0x2d3/0x640 fs/inode.c:574
 iput_final fs/inode.c:1563 [inline]

../..

NB: Full report attached


BUG 2 - OOB write
===

EXT4-fs error (device sda): htree_dirblock_to_tree:1025: inode #15297: block
10531: comm syz-fuzzer: bad entry in directory: rec_len is smaller than minimal
- offset=0, inode=0, rec_len=0, name_len=0, size=4096
BUG: KASAN: out-of-bounds in __ext4_expand_extra_isize+0x182/0x250
fs/ext4/inode.c:5924
Write of size 991 at addr ffff8880177a1fa0 by task syz-executor.3/443

CPU: 1 PID: 443 Comm: syz-executor.3 Not tainted 5.4.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374
 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 memset+0x1f/0x40 mm/kasan/common.c:105
 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline]
 ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052
 ext4_dirty_inode+0x71/0xa0 fs/ext4/inode.c:6086
 __mark_inode_dirty+0x3d4/0xd30 fs/fs-writeback.c:2255
 generic_update_time+0x1b4/0x2d0 fs/inode.c:1667
 update_time fs/inode.c:1683 [inline]
 touch_atime+0x20e/0x270 fs/inode.c:1754
 file_accessed include/linux/fs.h:2202 [inline]
 iterate_dir+0x2e5/0x540 fs/readdir.c:70
 ksys_getdents64+0x11a/0x230 fs/readdir.c:372
 __do_sys_getdents64 fs/readdir.c:391 [inline]
 __se_sys_getdents64 fs/readdir.c:388 [inline]
 __x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:388
 do_syscall_64+0x9a/0x330 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x483157
Code: 04 48 81 ec 80 00 00 00 e8 b6 12 f9 ff 48 81 c4 80 00 00 00 5b c3 66 2e
0f 1f 84 00 00 00 00 00 0f 1f 00 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01
c3 48 c7 c2 bc ff ff ff f7 d8 64 89 02 48
RSP: 002b:00007ffd2d74f558 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000001dcdc30 RCX: 0000000000483157
RDX: 0000000000008000 RSI: 0000000001dcdc60 RDI: 0000000000000004
RBP: 0000000001dcdc60 R08: 0000000000000003 R09: 0000000000000076
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffbc
R13: 0000000000000016 R14: 00000000004a54ec R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea00005de840 refcount:2 mapcount:0 mapping:ffff888035848d78
index:0x4de
0xffffffff8aeb2e20 
flags: 0x100000000002032(referenced|lru|active|private)
raw: 0100000000002032 ffffea00005df188 ffffea0000d81d48 ffff888035848d78
raw: 00000000000004de ffff888023614000 00000002ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880177a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880177a1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880177a2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff8880177a2080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880177a2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


NB: Full report attached

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #2 from Tristan (tristmd@gmail.com) ---
Created attachment 285989
  --> https://bugzilla.kernel.org/attachment.cgi?id=285989&action=edit
Bug 2 report

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #3 from Tristan (tristmd@gmail.com) ---
Created attachment 285991
  --> https://bugzilla.kernel.org/attachment.cgi?id=285991&action=edit
Bug 1 report

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

Tristan (tristmd@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Kernel Version|5.x                         |4x / 5.x

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #4 from Tristan (tristmd@gmail.com) ---
Could someone merge "Comment 1" and "Description" please?

Thanks

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

Theodore Tso (tytso@mit.edu) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tytso@mit.edu

--- Comment #5 from Theodore Tso (tytso@mit.edu) ---
Are you running syzkaller yourself? (e.g., this is different from the syzbot
runs)?   If this is something that you find in the 

The Syzbot run by Dmitry at Google has reported a number of these sorts of
issues which I believe is fixed by:

https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?h=dev&id=4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a

So it might be helpful if you could run your syzkaller against the dev branch
of the ext4.git tree.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #6 from Tristan (tristmd@gmail.com) ---
Dear  Theodore,

- Looks like syzkaller bot have found the UAF too. 

- The OOB write's path is different to be triggered (check the stack trace) but
the root cause seems to be similar at the end

- I am running syzkaller by myself 

- I will work on the dev branch of the ext4.git tree as suggested

- At this time, I think the commit "ext4: add more paranoia checking in
ext4_expand_extra_isize handling" should have fixed both issues but I can
verify

Thanks.

Kind regards,

Tristan

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

Eric Sandeen (sandeen@sandeen.net) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sandeen@sandeen.net

--- Comment #7 from Eric Sandeen (sandeen@sandeen.net) ---
Tristan -

It would be hugely useful if you would provide /any/ reproducer details in
these bugs.  Simply filing bugs w/ KASAN splat forces the reader to try to
guess and reverse engineer your work, which is not a particularly efficient use
of developer time.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 205609] Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=205609

--- Comment #8 from Theodore Tso (tytso@mit.edu) ---
Tristan hasn't updated this bug in the last 4+ months, so I propose that we
close this bug.

Tristan, if you find a problems in the future, please include the C reproducer
and file separate bugs for each syzkaller problem for which you have a clean
reproducer.   For bonus points, please try to take Syzkaller's reproducer
(which often has a lot of unnecessary crud), and streamline it to the smallest
possible reliable repro case.

Many thanks!!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.