* NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image
From: Xu, Wen @ 2018-06-07 20:41 UTC (permalink / raw)
To: linux-xfs@vger.kernel.org
Dear XFS developers,
There is a NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image in 4.17-rc7 w/ for-next branch found by fuzzing.
- Reproduce
# mkdir mnt
# mount -t xfs 0.img mnt
# gcc -o poc poc.c
# ./poc ./mnt
- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/falloc.h>
#include <linux/loop.h>
static void activity(char *mpoint) {
    char *xattr;
    int err;

    /* Path of the target file inside the mounted crafted image. */
    err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
    if (err < 0)
        error(1, errno, "asprintf");

    /* Set a 113-byte user xattr; this moves the inode's shortform
     * attribute fork to leaf format and hits the crash. */
    char buf2[113];
    memset(buf2, 0, sizeof(buf2));
    if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0)
        error(0, errno, "setxattr");
    free(xattr);
}

int main(int argc, char *argv[]) {
    if (argc != 2)
        error(1, 0, "usage: %s <mountpoint>", argv[0]);
    activity(argv[1]);
    return 0;
}
- Kernel Message
[ 330.099346] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e8
[ 330.101061] PGD 80000001e0c03067 P4D 80000001e0c03067 PUD 1de4d2067 PMD 0
[ 330.102498] Oops: 0000 [#1] SMP KASAN PTI
[ 330.103324] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl crct10dif_pclmul drm_kms_helper syscopyarea crc32_pclmul sysfillrect sysimgblt fb_sys_fops ttm drm aesni_intel aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[ 330.113023] CPU: 0 PID: 1348 Comm: a.out Tainted: G B W 4.17.0-rc5+ #7
[ 330.114576] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 330.116510] RIP: 0010:xfs_trans_binval+0x24/0x1b0
[ 330.117476] RSP: 0018:ffff8801de3e75b0 EFLAGS: 00010292
[ 330.118549] RAX: 0000000000000000 RBX: ffff8801de3e79c0 RCX: 0000000000000000
[ 330.120002] RDX: 0000000000000000 RSI: 0000000000000297 RDI: 0000000000000297
[ 330.121458] RBP: ffff8801de3e75d8 R08: ffffed003e803ebb R09: ffffed003e803ebb
[ 330.122911] R10: 0000000000000001 R11: ffffed003e803eba R12: ffff8801eb128460
[ 330.124374] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801eb128460
[ 330.125829] FS: 00007fb348ac0700(0000) GS:ffff8801f4000000(0000) knlGS:0000000000000000
[ 330.127474] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 330.128659] CR2: 00000000000000e8 CR3: 00000001e9efc000 CR4: 00000000000006f0
[ 330.130106] Call Trace:
[ 330.130628] xfs_da_shrink_inode+0x15e/0x2d0
[ 330.131511] ? xfs_da3_swap_lastblock+0xcb0/0xcb0
[ 330.132488] xfs_attr_shortform_to_leaf+0x483/0x4d0
[ 330.133490] ? xfs_attr3_leaf_add+0x370/0x370
[ 330.134389] ? kasan_unpoison_shadow+0x36/0x50
[ 330.135306] ? kasan_kmalloc+0xad/0xe0
[ 330.136082] ? __kmalloc+0x11f/0x240
[ 330.136837] ? kmem_alloc+0x91/0x120
[ 330.137579] ? kmem_alloc+0x91/0x120
[ 330.138327] ? xfs_attr_shortform_bytesfit+0x119/0x2a0
[ 330.139385] ? memset+0x31/0x40
[ 330.140041] xfs_attr_set+0x5e2/0x730
[ 330.140814] ? xfs_attr_get+0x230/0x230
[ 330.141613] ? save_stack+0xb5/0xd0
[ 330.142339] ? __kmalloc_node+0x11e/0x2e0
[ 330.143169] ? kvmalloc_node+0x75/0x80
[ 330.143945] ? setxattr+0x114/0x260
[ 330.144682] ? path_setxattr+0x134/0x170
[ 330.145493] ? __x64_sys_setxattr+0x6d/0x80
[ 330.146356] ? do_syscall_64+0x78/0x170
[ 330.147156] ? legitimize_path.isra.28+0x61/0xa0
[ 330.148107] xfs_xattr_set+0x66/0xb0
[ 330.148909] __vfs_setxattr+0x7c/0xa0
[ 330.149669] __vfs_setxattr_noperm+0x8d/0x200
[ 330.150563] vfs_setxattr+0xb3/0xc0
[ 330.151286] setxattr+0x1b3/0x260
[ 330.151974] ? vfs_setxattr+0xc0/0xc0
[ 330.152741] ? filename_lookup+0x191/0x280
[ 330.153582] ? filename_parentat+0x2b0/0x2b0
[ 330.154458] ? kasan_kmalloc+0xad/0xe0
[ 330.155232] ? kasan_check_write+0x14/0x20
[ 330.156072] ? strncpy_from_user+0xa8/0x1c0
[ 330.156944] ? __mnt_is_readonly.part.13+0x23/0x30
[ 330.157923] ? __mnt_want_write+0x9d/0xb0
[ 330.158749] path_setxattr+0x134/0x170
[ 330.159523] ? setxattr+0x260/0x260
[ 330.160255] __x64_sys_setxattr+0x6d/0x80
[ 330.161086] do_syscall_64+0x78/0x170
[ 330.161843] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 330.162870] RIP: 0033:0x7fb3485e11fa
[ 330.163605] RSP: 002b:00007fff0ecbe3c8 EFLAGS: 00000202 ORIG_RAX: 00000000000000bc
[ 330.165142] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3485e11fa
[ 330.166577] RDX: 00007fff0ecbe4b0 RSI: 0000000000401498 RDI: 0000000000bce0c0
[ 330.168018] RBP: 00007fff0ecbe530 R08: 0000000000000001 R09: 0000000000000001
[ 330.169470] R10: 0000000000000071 R11: 0000000000000202 R12: 0000000000400c20
[ 330.170906] R13: 00007fff0ecbe630 R14: 0000000000000000 R15: 0000000000000000
[ 330.172351] Code: 4d 85 e4 75 d7 eb 81 66 66 66 66 90 55 48 89 e5 41 57 49 89 ff 41 56 48 8d be e8 00 00 00 41 55 41 54 53 49 89 f6 e8 0c 14 cc ff <4d> 8b a6 e8 00 00 00 66 66 66 66 90 49 8d 9c 24 90 00 00 00 48
[ 330.176167] RIP: xfs_trans_binval+0x24/0x1b0 RSP: ffff8801de3e75b0
[ 330.177431] CR2: 00000000000000e8
[ 330.178160] ---[ end trace e7495c72c0d9a35f ]---
- Reason
https://elixir.bootlin.com/linux/latest/source/fs/xfs/xfs_trans_buf.c#L610
bp is NULL when calling xfs_trans_binval().
Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
Files:
0.img.zip: https://bugzilla.kernel.org/attachment.cgi?id=276373
Kernel config: https://bugzilla.kernel.org/attachment.cgi?id=276375
* Re: NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image
From: Eric Sandeen @ 2018-06-07 22:01 UTC (permalink / raw)
To: Xu, Wen, linux-xfs@vger.kernel.org
On 6/7/18 3:41 PM, Xu, Wen wrote:
> Dear XFS developers,
>
> There is a NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image in 4.17-rc7 w/ for-next branch found by fuzzing.
...
> - Reason
> https://elixir.bootlin.com/linux/latest/source/fs/xfs/xfs_trans_buf.c#L610
> bp is NULL when calling xfs_trans_binval().
Yep, it looks like xfs_da_shrink_inode can error out before allocating
bp (i.e. in this case with an out of bounds blkno). Does this fix it?
=========
xfs: don't call xfs_da_shrink_inode with NULL bp
xfs_attr3_leaf_create may have errored out before instantiating a buffer,
for example if the blkno is out of range. In that case there is no work
to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
if we try.
This also seems to fix a flaw where the original error from
xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
removes a pointless assignment to bp which isn't used after this.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
Reported-by: Xu, Wen <wen.xu@gatech.edu>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 2135b8e..397699d 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -803,9 +803,8 @@ STATIC void xfs_attr3_leaf_moveents(struct xfs_da_args *args,
ASSERT(blkno == 0);
error = xfs_attr3_leaf_create(args, blkno, &bp);
if (error) {
- error = xfs_da_shrink_inode(args, 0, bp);
- bp = NULL;
- if (error)
+ /* xfs_attr3_leaf_create may not have instantiated a block */
+ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
goto out;
xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */
memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */
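Review bot: the new `if (bp && ...)` guard relies on bp being NULL whenever xfs_attr3_leaf_create() fails, but the hunk does not show where bp is initialised; please confirm bp is set to NULL before the call (or that every error return of xfs_attr3_leaf_create() leaves *bpp NULL), otherwise a stale pointer would still reach xfs_da_shrink_inode(). Also, when the shrink itself fails its return code is now dropped in favour of the original create error, which the commit message presents as intended; it would help to say so in the comment rather than only "may not have instantiated a block".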
* Re: NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image
From: Xu, Wen @ 2018-06-07 22:25 UTC (permalink / raw)
To: Eric Sandeen; +Cc: linux-xfs@vger.kernel.org
I tested the patch and it works.
Thanks,
Wen
> On Jun 7, 2018, at 6:01 PM, Eric Sandeen <sandeen@sandeen.net> wrote:
>
> if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
* Re: NULL pointer dereference in xfs_trans_binval() when mounting and operating a crafted xfs image
From: Darrick J. Wong @ 2018-06-08 16:49 UTC (permalink / raw)
To: Xu, Wen; +Cc: Eric Sandeen, linux-xfs@vger.kernel.org
On Thu, Jun 07, 2018 at 10:25:56PM +0000, Xu, Wen wrote:
> I tested the patch and it works.
ok. Eric, would you mind adding a tested-by to the patch and sending it
with '[PATCH]' subject as a separate thread?
--D
> Thanks,
> Wen
>
> > On Jun 7, 2018, at 6:01 PM, Eric Sandeen <sandeen@sandeen.net> wrote:
> >
> > if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))