From: rtm@csail.mit.edu
To: almaz.alexandrovich@paragon-software.com
Cc: ntfs3@lists.linux.dev
Subject: potential buffer overrun in ntfs_fix_post_read()
Date: Sat, 20 Jan 2024 16:54:06 -0500
Message-ID: <29241.1705787646@localhost>
read_log_page() in fs/ntfs3/fslog.c allocates log->page_size bytes:

	to_free = kmalloc(log->page_size, GFP_NOFS);

but then passes a length of PAGE_SIZE to ntfs_fix_post_read():

	if (page_buf->rhdr.sign != NTFS_FFFF_SIGNATURE)
		ntfs_fix_post_read(&page_buf->rhdr, PAGE_SIZE, false);

The attached corrupt file system image causes log->page_size to be
2048, so ntfs_fix_post_read() reads and writes off the end of the buffer.
# uname -a
Linux ubuntu66 6.7.0-11091-g296455ade1fd #5 SMP PREEMPT_DYNAMIC Fri Jan 19 15:38:07 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# gunzip ntfs33a.img.gz
# mount -t ntfs3 -o loop,ro ntfs33a.img /mnt
[11954.012988] ==================================================================
[11954.013361] BUG: KASAN: slab-out-of-bounds in ntfs_fix_post_read+0x1e7/0x210
[11954.013711] Read of size 2 at addr ffff8881199541fe by task mount/13238
[11954.014052] CPU: 5 PID: 13238 Comm: mount Not tainted 6.7.0-11091-g296455ade1fd #5
[11954.014416] Hardware name: FreeBSD BHYVE/BHYVE, BIOS 13.0 11/10/2020
[11954.014707] Call Trace:
[11954.014790] <TASK>
[11954.014855] dump_stack_lvl+0x37/0x50
[11954.015033] print_report+0xcc/0x610
[11954.015182] ? __virt_addr_valid+0x1ce/0x2a0
[11954.015369] ? ntfs_fix_post_read+0x1e7/0x210
[11954.015554] kasan_report+0xb0/0xe0
[11954.015692] ? ntfs_fix_post_read+0x1e7/0x210
[11954.015880] ntfs_fix_post_read+0x1e7/0x210
[11954.016058] read_log_page+0x1b0/0x510
[11954.016213] log_replay+0x4445/0xd490
[11954.016360] ? __pfx_wake_up_bit+0x10/0x10
[11954.016534] ? __pfx_log_replay+0x10/0x10
[11954.016697] ? mi_read+0x120/0x520
[11954.016833] ? ntfs_iget5+0x1e21/0x3290
[11954.016988] ? unlock_new_inode+0x79/0xc0
[11954.017153] ? __pfx_ntfs_iget5+0x10/0x10
[11954.017321] ntfs_loadlog_and_replay+0x3fe/0x530
[11954.017522] ? __pfx_ntfs_loadlog_and_replay+0x10/0x10
[11954.017748] ? __kasan_record_aux_stack+0xbe/0xe0
[11954.017953] ? __call_rcu_common.constprop.0+0x49b/0xab0
[11954.018190] ? __destroy_inode+0x32/0x250
[11954.018354] ntfs_fill_super+0x1c5f/0x3d70
[11954.018521] ? __pfx_ntfs_fill_super+0x10/0x10
[11954.018712] ? __pfx_snprintf+0x10/0x10
[11954.018868] ? _raw_spin_lock+0x80/0xe0
[11954.019025] ? __pfx__raw_spin_lock+0x10/0x10
[11954.019211] ? bdev_open_by_dev+0x7f4/0xc30
[11954.019392] ? sb_set_blocksize+0x3d/0xe0
[11954.019555] ? setup_bdev_super+0x2e9/0x630
[11954.019733] get_tree_bdev+0x2e5/0x530
[11954.019885] ? __pfx_ntfs_fill_super+0x10/0x10
[11954.020075] ? __pfx_get_tree_bdev+0x10/0x10
[11954.020256] ? vfs_parse_fs_string+0xd6/0x130
[11954.020444] ? __pfx_vfs_parse_fs_string+0x10/0x10
[11954.020651] vfs_get_tree+0x83/0x320
[11954.020795] path_mount+0x4e0/0x1bf0
[11954.020940] ? __pfx_path_mount+0x10/0x10
[11954.021102] ? __kasan_slab_free+0x119/0x1d0
[11954.021287] ? user_path_at_empty+0x44/0x60
[11954.021464] ? kmem_cache_free+0x96/0x320
[11954.021629] __x64_sys_mount+0x1fd/0x270
[11954.021789] ? __pfx___x64_sys_mount+0x10/0x10
[11954.021986] ? getname_flags.part.0+0xb4/0x450
[11954.022185] do_syscall_64+0x56/0x120
[11954.022337] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[11954.022571] RIP: 0033:0x7f0067d31b0e
[11954.022718] Code: 48 8b 0d 25 23 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f2 22 0f 00 f7 d8 64 89 01 48
[11954.023717] RSP: 002b:00007ffe04b81a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[11954.024091] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0067d31b0e
[11954.024436] RDX: 000055f9b627c370 RSI: 000055f9b627c980 RDI: 000055f9b6281cc0
[11954.024781] RBP: 000055f9b627c750 R08: 0000000000000000 R09: 0000000000000001
[11954.025145] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[11954.025490] R13: 000055f9b627c370 R14: 000055f9b6281cc0 R15: 000055f9b627c750
[11954.025832] </TASK>
[11954.025932] Allocated by task 13238:
[11954.026076] kasan_save_stack+0x24/0x50
[11954.026080] kasan_save_track+0x14/0x30
[11954.026083] __kasan_kmalloc+0x7f/0x90
[11954.026086] __kmalloc+0x179/0x370
[11954.026089] read_log_page+0x2ee/0x510
[11954.026092] log_replay+0x4445/0xd490
[11954.026094] ntfs_loadlog_and_replay+0x3fe/0x530
[11954.026096] ntfs_fill_super+0x1c5f/0x3d70
[11954.026098] get_tree_bdev+0x2e5/0x530
[11954.026101] vfs_get_tree+0x83/0x320
[11954.026104] path_mount+0x4e0/0x1bf0
[11954.026106] __x64_sys_mount+0x1fd/0x270
[11954.026108] do_syscall_64+0x56/0x120
[11954.026110] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[11954.026145] The buggy address belongs to the object at ffff888119953800
which belongs to the cache kmalloc-2k of size 2048
[11954.026716] The buggy address is located 510 bytes to the right of
allocated 2048-byte region [ffff888119953800, ffff888119954000)
[11954.027359] The buggy address belongs to the physical page:
[11954.027617] page:ffffea0004665400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888119955000 pfn:0x119950
[11954.027621] head:ffffea0004665400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[11954.027624] flags: 0x200000000000a40(workingset|slab|head|node=0|zone=2)
[11954.027629] page_type: 0xffffffff()
[11954.027632] raw: 0200000000000a40 ffff888100043240 ffffea00042be410 ffff888100040c50
[11954.027635] raw: ffff888119955000 0000000000050003 00000001ffffffff 0000000000000000
[11954.027637] page dumped because: kasan: bad access detected
[11954.027670] Memory state around the buggy address:
[11954.027885] ffff888119954080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028243] ffff888119954100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028593] >ffff888119954180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.028943] ^
[11954.029287] ffff888119954200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.029631] ffff888119954280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11954.029979] ==================================================================
[11954.030365] Disabling lock debugging due to kernel taint
Robert Morris
rtm@csail.mit.edu
[-- Attachment #2: ntfs33a.img.gz --]
[-- Type: application/octet-stream, Size: 124445 bytes --]
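To make the length mismatch concrete, here is an added user-space model (not code from the kernel or from this report) of the update-sequence fixup walk that ntfs_fix_post_read() performs, with its validation written against the caller-supplied length: over a 2048-byte log page followed by a 0xAA canary, passing PAGE_SIZE walks four sectors past the allocation, while passing the allocated size rejects the header before any write. The record-header layout, the fix_num value of 9 and the canary harness are assumptions of this model, not details taken from the image.

```c
#include <stdint.h>
#include <string.h>
#define SECTOR_SIZE 512
#define PAGE_SIZE   4096  /* length the buggy caller passes */
#define LOG_PAGE    2048  /* log->page_size in the reported image */

/* Only the update-sequence fields of the record header matter here. */
struct rec_hdr { uint8_t sign[4]; uint16_t fix_off, fix_num; };

/* Model of the fixup routine: validate fix_off/fix_num against `bytes`, then
 * swap the last u16 of each sector with the next fixup entry.  Returns 0,
 * -1 (header rejected) or -2 (fixup mismatch); only `bytes` bounds the walk. */
static int fix_post_read(void *rec, size_t bytes)
{
    struct rec_hdr *h = rec;
    uint16_t fo = h->fix_off, fn = h->fix_num, *fixup, *ptr, sample;
    int ret = 0;
    if ((fo & 1) || fo + fn * sizeof(uint16_t) > SECTOR_SIZE || !fn-- ||
        fn * SECTOR_SIZE > bytes)
        return -1;
    fixup = (uint16_t *)((char *)rec + fo);
    sample = *fixup;
    ptr = (uint16_t *)((char *)rec + SECTOR_SIZE - sizeof(uint16_t));
    while (fn--) {
        if (*ptr != sample) ret = -2;
        *ptr = *++fixup;
        ptr += SECTOR_SIZE / sizeof(uint16_t);
    }
    return ret;
}

/* Constructed log page claiming `fix_num` fixup entries: LOG_PAGE "allocated"
 * bytes followed by a 0xAA canary standing in for whatever follows the
 * kmalloc-2k object.  Runs the fixup with `bytes`, counts canary bytes hit. */
static int demo(size_t bytes, uint16_t fix_num, int *clobbered)
{
    static uint16_t store[PAGE_SIZE / sizeof(uint16_t)];  /* u16-aligned */
    unsigned char *buf = (unsigned char *)store;
    struct rec_hdr *h = (struct rec_hdr *)buf;
    uint16_t *usa = (uint16_t *)(buf + sizeof *h);
    memset(buf, 0xAA, PAGE_SIZE);
    h->fix_off = sizeof *h; h->fix_num = fix_num;
    for (int i = 0; i < fix_num; i++) usa[i] = i ? 0x1000 + i : 0x0001;
    for (int s = 1; s <= LOG_PAGE / SECTOR_SIZE; s++) /* in-bounds sector tails */
        *(uint16_t *)(buf + s * SECTOR_SIZE - 2) = usa[0];
    int ret = fix_post_read(buf, bytes);
    *clobbered = 0;
    for (size_t i = LOG_PAGE; i < PAGE_SIZE; i++) *clobbered += buf[i] != 0xAA;
    return ret;
}
```

demo(PAGE_SIZE, 9, &n) returns -2 with n == 8, while demo(LOG_PAGE, 9, &n) returns -1 with n == 0 and a well-formed 2048-byte page (demo(LOG_PAGE, 5, &n)) returns 0. The eight clobbered bytes are the 2-byte tails of sectors 4 to 7, and the first of them sits 510 bytes past the 2048-byte region, the same offset KASAN reports above.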