From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
Hulk Robot <hulkci@huawei.com>, Baokun Li <libaokun1@huawei.com>,
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com>,
Jan Kara <jack@suse.cz>, Theodore Tso <tytso@mit.edu>,
Tudor Ambarus <tudor.ambarus@linaro.org>
Subject: [PATCH 5.10 57/68] ext4: fix use-after-free in ext4_xattr_set_entry
Date: Mon, 24 Apr 2023 15:18:28 +0200 [thread overview]
Message-ID: <20230424131129.831898469@linuxfoundation.org> (raw)
In-Reply-To: <20230424131127.653885914@linuxfoundation.org>
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3 ]
Hulk Robot reported a issue:
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500
Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092
CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17
Call Trace:
[...]
memcpy+0x34/0x50 mm/kasan/kasan.c:303
ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747
ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205
ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386
ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498
__vfs_setxattr+0x112/0x170 fs/xattr.c:149
__vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180
__vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238
vfs_setxattr+0xed/0x270 fs/xattr.c:255
setxattr+0x235/0x330 fs/xattr.c:520
path_setxattr+0x176/0x190 fs/xattr.c:539
__do_sys_lsetxattr fs/xattr.c:561 [inline]
__se_sys_lsetxattr fs/xattr.c:557 [inline]
__x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557
do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x459fe9
RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9
RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_xattr_set
ext4_xattr_set_handle
ext4_xattr_ibody_find
>> s->end < s->base
>> no EXT4_STATE_XATTR
>> xattr_check_inode is not executed
ext4_xattr_ibody_set
ext4_xattr_set_entry
>> size_t min_offs = s->end - s->base
>> UAF in memcpy
we can easily reproduce this problem with the following commands:
mkfs.ext4 -F /dev/sda
mount -o debug_want_extra_isize=128 /dev/sda /mnt
touch /mnt/file
setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file
In ext4_xattr_ibody_find, we have the following assignment logic:
header = IHDR(inode, raw_inode)
= raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize
is->s.base = IFIRST(header)
= header + sizeof(struct ext4_xattr_ibody_header)
is->s.end = raw_inode + s_inode_size
In ext4_xattr_set_entry
min_offs = s->end - s->base
= s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
sizeof(struct ext4_xattr_ibody_header)
last = s->first
free = min_offs - ((void *)last - s->base) - sizeof(__u32)
= s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32)
In the calculation formula, all values except s_inode_size and
i_extra_size are fixed values. When i_extra_size is the maximum value
s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8.
The value overflows. As a result, the preceding issue is triggered when
memcpy is executed.
Therefore, when finding xattr or setting xattr, check whether
there is space for storing xattr in the inode to resolve this issue.
Cc: stable@kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2193,8 +2193,9 @@ int ext4_xattr_ibody_find(struct inode *
struct ext4_inode *raw_inode;
int error;
- if (EXT4_I(inode)->i_extra_isize == 0)
+ if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
return 0;
+
raw_inode = ext4_raw_inode(&is->iloc);
header = IHDR(inode, raw_inode);
is->s.base = is->s.first = IFIRST(header);
@@ -2222,8 +2223,9 @@ int ext4_xattr_ibody_set(handle_t *handl
struct ext4_xattr_search *s = &is->s;
int error;
- if (EXT4_I(inode)->i_extra_isize == 0)
+ if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
return -ENOSPC;
+
error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */);
if (error)
return error;
next prev parent reply other threads:[~2023-04-24 13:36 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-24 13:17 [PATCH 5.10 00/68] 5.10.179-rc1 review Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 01/68] ARM: dts: rockchip: fix a typo error for rk3288 spdif node Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 02/68] arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 03/68] arm64: dts: meson-g12-common: specify full DMC range Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 04/68] arm64: dts: imx8mm-evk: correct pmic clock source Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 05/68] netfilter: br_netfilter: fix recent physdev match breakage Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 06/68] regulator: fan53555: Explicitly include bits header Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 07/68] net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 08/68] virtio_net: bugfix overflow inside xdp_linearize_page() Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 09/68] sfc: Split STATE_READY in to STATE_NET_DOWN and STATE_NET_UP Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 10/68] sfc: Fix use-after-free due to selftest_work Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 11/68] netfilter: nf_tables: fix ifdef to also consider nf_tables=m Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 12/68] i40e: fix accessing vsi->active_filters without holding lock Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 13/68] i40e: fix i40e_setup_misc_vector() error handling Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 14/68] mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next() Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 15/68] net: rpl: fix rpl header size calculation Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 16/68] mlxsw: pci: Fix possible crash during initialization Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 17/68] bpf: Fix incorrect verifier pruning due to missing register precision taints Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 18/68] e1000e: Disable TSO on i219-LM card to increase speed Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 19/68] f2fs: Fix f2fs_truncate_partial_nodes ftrace event Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 20/68] Input: i8042 - add quirk for Fujitsu Lifebook A574/H Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 21/68] selftests: sigaltstack: fix -Wuninitialized Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 22/68] scsi: megaraid_sas: Fix fw_crash_buffer_show() Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 23/68] scsi: core: Improve scsi_vpd_inquiry() checks Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 24/68] net: dsa: b53: mmap: add phy ops Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 25/68] s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 26/68] nvme-tcp: fix a possible UAF when failing to allocate an io queue Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 27/68] xen/netback: use same error messages for same errors Greg Kroah-Hartman
2023-04-24 13:17 ` [PATCH 5.10 28/68] powerpc/doc: Fix htmldocs errors Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 29/68] xfs: drop submit side trans alloc for append ioends Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 30/68] iio: light: tsl2772: fix reading proximity-diodes from device tree Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 31/68] nilfs2: initialize unused bytes in segment summary blocks Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 32/68] memstick: fix memory leak if card device is never registered Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 33/68] kernel/sys.c: fix and improve control flow in __sys_setres[ug]id() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 34/68] mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25 Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 35/68] mm/khugepaged: check again on anon uffd-wp during isolation Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 36/68] sched/uclamp: Make task_fits_capacity() use util_fits_cpu() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 37/68] sched/uclamp: Fix fits_capacity() check in feec() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 38/68] sched/uclamp: Make select_idle_capacity() use util_fits_cpu() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 39/68] sched/uclamp: Make asym_fits_capacity() " Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 40/68] sched/uclamp: Make cpu_overutilized() " Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 41/68] sched/uclamp: Cater for uclamp in find_energy_efficient_cpu()s early exit condition Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 42/68] sched/fair: Detect capacity inversion Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 43/68] sched/fair: Consider capacity inversion in util_fits_cpu() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 44/68] sched/uclamp: Fix a uninitialized variable warnings Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 45/68] sched/fair: Fixes for capacity inversion detection Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 46/68] MIPS: Define RUNTIME_DISCARD_EXIT in LD script Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 47/68] [PATCH v2 stable-5.10.y stable-5.15.y] docs: futex: Fix kernel-doc references after code split-up preparation Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 48/68] purgatory: fix disabling debug info Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 49/68] virtiofs: clean up error handling in virtio_fs_get_tree() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 50/68] virtiofs: split requests that exceed virtqueue size Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 51/68] fuse: check s_root when destroying sb Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 52/68] fuse: fix attr version comparison in fuse_read_update_size() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 53/68] fuse: always revalidate rename target dentry Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 54/68] fuse: fix deadlock between atomic O_TRUNC and page invalidation Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 55/68] Revert "ext4: fix use-after-free in ext4_xattr_set_entry" Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 56/68] ext4: remove duplicate definition of ext4_xattr_ibody_inline_set() Greg Kroah-Hartman
2023-04-24 13:18 ` Greg Kroah-Hartman [this message]
2023-04-24 13:18 ` [PATCH 5.10 58/68] udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM) Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 59/68] tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 60/68] inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 61/68] dccp: Call inet6_destroy_sock() via sk->sk_destruct() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 62/68] sctp: " Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 63/68] pwm: meson: Explicitly set .polarity in .get_state() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 64/68] pwm: iqs620a: " Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 65/68] pwm: hibvt: " Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 66/68] iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 67/68] ASoC: fsl_asrc_dma: fix potential null-ptr-deref Greg Kroah-Hartman
2023-04-24 13:18 ` [PATCH 5.10 68/68] ASN.1: Fix check for strdup() success Greg Kroah-Hartman
2023-04-25 1:04 ` [PATCH 5.10 00/68] 5.10.179-rc1 review Guenter Roeck
2023-04-25 10:44 ` Jon Hunter
2023-04-25 13:28 ` Naresh Kamboju
2023-04-25 13:35 ` Chris Paterson
2023-04-25 18:43 ` Florian Fainelli
2023-04-26 0:28 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230424131129.831898469@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hulkci@huawei.com \
--cc=jack@suse.cz \
--cc=libaokun1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=ritesh.list@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tudor.ambarus@linaro.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox