From: rtm@csail.mit.edu
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev
Subject: buffer overrun in fs/ntfs3 log_replay() if log restart area is corrupt
Date: Fri, 19 Jan 2024 09:27:22 -0500
Message-ID: <25861.1705674442@localhost>
The attached NTFS image has a corrupt log, one of whose restart areas
results in ra2->client_off being 24 rather than the expected 64. As a
result, this memcpy() in log_replay() writes off the end of the space
allocated for ra:
memcpy(ra->clients, Add2Ptr(ra2, t16),
le16_to_cpu(ra2->ra_len) - t16);
The space allocated for ra is log->restart_size=200; t16 is 24 (not 64,
the offset of ra->clients[]); ra2->ra_len is 200; so 200-24=176 bytes
are copied to &ra->clients=ra+64, even though there are only 200-64=136
bytes there.
# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #4 SMP PREEMPT_DYNAMIC Thu Jan 18 11:25:51 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip ntfs29a.img.gz
# mount -t ntfs3 -o loop,rw ntfs29a.img /mnt
ntfs3: loop0: $LogFile version 2.-1 is not supported
=============================================================================
BUG kmalloc-256 (Not tainted): kmalloc Redzone overwritten
-----------------------------------------------------------------------------
0xffff92c944c544c8-0xffff92c944c544ef @offset=1224. First byte 0xff instead of 0xcc
Allocated in log_replay+0xa81/0x4100 age=0 cpu=9 pid=13117
log_replay+0xa81/0x4100
ntfs_loadlog_and_replay+0x196/0x1c0
ntfs_fill_super+0xb09/0x17a0
get_tree_bdev+0x12f/0x1c0
vfs_get_tree+0x24/0xe0
path_mount+0x2df/0xab0
__x64_sys_mount+0x106/0x140
do_syscall_64+0x56/0x120
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed in kvfree_rcu_bulk+0x18e/0x200 age=3625 cpu=4 pid=192
kvfree_rcu_bulk+0x18e/0x200
kfree_rcu_monitor+0x138/0x450
process_one_work+0x134/0x2f0
worker_thread+0x2ef/0x400
kthread+0xe1/0x110
ret_from_fork+0x2f/0x50
ret_from_fork_asm+0x1b/0x30
Slab 0xffffe9cac4131500 objects=21 used=18 fp=0xffff92c944c56800 flags=0x200000000000a40(workingset|slab|head|node=0|zone=2)
Object 0xffff92c944c54400 @offset=1024 fp=0xffff92c944c56800
Object ffff92c944c54400: ff ff ff ff ff ff ff ff 01 00 ff ff 00 00 ff ff ................
Object ffff92c944c54410: f1 ff ff ff a0 00 40 00 00 00 04 00 00 00 00 00 ......@.........
Object ffff92c944c54420: ff ff ff ff f8 ff f8 ff a4 2d d8 56 ff ff ff ff .........-.V....
Object ffff92c944c54430: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54440: 00 00 04 00 00 00 00 00 ff ff ff ff f8 ff f8 ff ................
Object ffff92c944c54450: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54460: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54470: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c54490: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
Object ffff92c944c544f0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
Redzone ffff92c944c54500: cc cc cc cc cc cc cc cc ........
CPU: 9 PID: 13117 Comm: mount Not tainted 6.7.0-11091-g296455ade1fd #4
Hardware name: FreeBSD BHYVE/BHYVE, BIOS 13.0 11/10/2020
Call Trace:
<TASK>
dump_stack_lvl+0x37/0x50
check_bytes_and_report+0xd8/0x150
check_object+0x329/0x340
free_to_partial_list+0x1d1/0x520
? log_replay+0x1af/0x4100
log_replay+0x1af/0x4100
? inode_init_once+0xf0/0x100
ntfs_loadlog_and_replay+0x196/0x1c0
ntfs_fill_super+0xb09/0x17a0
? __pfx_ntfs_fill_super+0x10/0x10
get_tree_bdev+0x12f/0x1c0
vfs_get_tree+0x24/0xe0
path_mount+0x2df/0xab0
__x64_sys_mount+0x106/0x140
do_syscall_64+0x56/0x120
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7fe8c95e6b0e
Code: 48 8b 0d 25 23 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f2 22 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcd2662a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe8c95e6b0e
RDX: 000055c57d935370 RSI: 000055c57d935980 RDI: 000055c57d93acc0
RBP: 000055c57d935750 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000055c57d935370 R14: 000055c57d93acc0 R15: 000055c57d935750
</TASK>
Disabling lock debugging due to kernel taint
FIX kmalloc-256: Restoring kmalloc Redzone 0xffff92c944c544c8-0xffff92c944c544ef=0xcc
FIX kmalloc-256: Object at 0xffff92c944c54400 not freed
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: failed to replay log file. Can't mount rw!
Robert Morris
rtm@csail.mit.edu
[-- Attachment #2: ntfs29a.img.gz --]
[-- Type: application/octet-stream, Size: 124416 bytes --]
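As an added illustration (not code from the report or from the ntfs3 driver), the arithmetic the report walks through, alongside the consistency check a replay routine would apply before the copy. The 64-byte offset of ra->clients[] and the values 24/200 come from the report; the buffers are constructed stand-ins, not the real restart-area layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offset of ra->clients[] inside the in-memory restart area (from the report). */
#define CLIENTS_OFF 64u

/* Bytes the unchecked memcpy() in the report writes past the allocation:
 * (ra_len - client_off) bytes land in the (restart_size - CLIENTS_OFF)
 * bytes available after clients[]. Returns 0 when there is no overrun. */
int unchecked_overrun_bytes(unsigned client_off, unsigned ra_len, unsigned restart_size)
{
    unsigned copied = ra_len - client_off;             /* 200 - 24 = 176 */
    unsigned room   = restart_size - CLIENTS_OFF;      /* 200 - 64 = 136 */
    return copied > room ? (int)(copied - room) : 0;   /* 40 = 0x28, the redzone span hit */
}

/* Consistency check before copying: client records may not start before the
 * fixed header ends, and the restart area must fit the allocation.
 * Returns the number of client bytes to copy, or -1 for a corrupt area. */
int safe_client_copy_len(unsigned client_off, unsigned ra_len, unsigned restart_size)
{
    if (client_off < CLIENTS_OFF)   /* the report's case: 24 instead of 64 */
        return -1;
    if (ra_len > restart_size || client_off > ra_len)
        return -1;
    /* Here ra_len - client_off <= restart_size - CLIENTS_OFF, so the copy fits. */
    return (int)(ra_len - client_off);
}

/* Copy the client records into ra (restart_size bytes) only after the check. */
int copy_clients(uint8_t *ra, unsigned restart_size, const uint8_t *ra2,
                 unsigned client_off, unsigned ra_len)
{
    int len = safe_client_copy_len(client_off, ra_len, restart_size);
    if (len < 0)
        return -1;
    memcpy(ra + CLIENTS_OFF, ra2 + client_off, (size_t)len);
    return len;
}

int main(void)
{
    uint8_t ra[200] = {0}, ra2[200];                   /* constructed buffers */
    memset(ra2, 0xff, sizeof ra2);
    printf("corrupt: overrun=%d check=%d\n",
           unchecked_overrun_bytes(24, 200, 200),
           copy_clients(ra, 200, ra2, 24, 200));       /* overrun=40 check=-1 */
    printf("valid: copied=%d\n", copy_clients(ra, 200, ra2, 64, 200)); /* 136 */
    return 0;
}
```

The 40-byte overrun computed for the corrupt values matches the redzone range 0x...4c8 to 0x...4ef reported by the slab debugger.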