From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, stable@kernel.org,
Hulk Robot <hulkci@huawei.com>, Baokun Li <libaokun1@huawei.com>,
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com>,
Jan Kara <jack@suse.cz>, Theodore Tso <tytso@mit.edu>
Subject: [PATCH 4.9 052/101] ext4: fix use-after-free in ext4_xattr_set_entry
Date: Tue, 23 Aug 2022 10:03:25 +0200 [thread overview]
Message-ID: <20220823080036.549277980@linuxfoundation.org> (raw)
In-Reply-To: <20220823080034.579196046@linuxfoundation.org>
From: Baokun Li <libaokun1@huawei.com>
commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3 upstream.
Hulk Robot reported a issue:
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500
Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092
CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17
Call Trace:
[...]
memcpy+0x34/0x50 mm/kasan/kasan.c:303
ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747
ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205
ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386
ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498
__vfs_setxattr+0x112/0x170 fs/xattr.c:149
__vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180
__vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238
vfs_setxattr+0xed/0x270 fs/xattr.c:255
setxattr+0x235/0x330 fs/xattr.c:520
path_setxattr+0x176/0x190 fs/xattr.c:539
__do_sys_lsetxattr fs/xattr.c:561 [inline]
__se_sys_lsetxattr fs/xattr.c:557 [inline]
__x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557
do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x459fe9
RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9
RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_xattr_set
ext4_xattr_set_handle
ext4_xattr_ibody_find
>> s->end < s->base
>> no EXT4_STATE_XATTR
>> xattr_check_inode is not executed
ext4_xattr_ibody_set
ext4_xattr_set_entry
>> size_t min_offs = s->end - s->base
>> UAF in memcpy
we can easily reproduce this problem with the following commands:
mkfs.ext4 -F /dev/sda
mount -o debug_want_extra_isize=128 /dev/sda /mnt
touch /mnt/file
setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file
In ext4_xattr_ibody_find, we have the following assignment logic:
header = IHDR(inode, raw_inode)
= raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize
is->s.base = IFIRST(header)
= header + sizeof(struct ext4_xattr_ibody_header)
is->s.end = raw_inode + s_inode_size
In ext4_xattr_set_entry
min_offs = s->end - s->base
= s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
sizeof(struct ext4_xattr_ibody_header)
last = s->first
free = min_offs - ((void *)last - s->base) - sizeof(__u32)
= s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize -
sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32)
In the calculation formula, all values except s_inode_size and
i_extra_size are fixed values. When i_extra_size is the maximum value
s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8.
The value overflows. As a result, the preceding issue is triggered when
memcpy is executed.
Therefore, when finding xattr or setting xattr, check whether
there is space for storing xattr in the inode to resolve this issue.
Cc: stable@kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1053,8 +1053,9 @@ int ext4_xattr_ibody_find(struct inode *
struct ext4_inode *raw_inode;
int error;
- if (EXT4_I(inode)->i_extra_isize == 0)
+ if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
return 0;
+
raw_inode = ext4_raw_inode(&is->iloc);
header = IHDR(inode, raw_inode);
is->s.base = is->s.first = IFIRST(header);
@@ -1107,8 +1108,9 @@ static int ext4_xattr_ibody_set(handle_t
struct ext4_xattr_search *s = &is->s;
int error;
- if (EXT4_I(inode)->i_extra_isize == 0)
+ if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
return -ENOSPC;
+
error = ext4_xattr_set_entry(i, s, inode);
if (error)
return error;
next prev parent reply other threads:[~2022-08-23 8:22 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-23 8:02 [PATCH 4.9 000/101] 4.9.326-rc1 review Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 001/101] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 002/101] ntfs: fix use-after-free in ntfs_ucsncmp() Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 003/101] scsi: ufs: host: Hold reference returned by of_parse_phandle() Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 004/101] net: ping6: Fix memleak in ipv6_renew_options() Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 005/101] net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 006/101] netfilter: nf_queue: do not allow packet truncation below transport header offset Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 007/101] ARM: crypto: comment out gcc warning that breaks clang builds Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 008/101] mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 009/101] ion: Make user_ion_handle_put_nolock() a void function Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 010/101] selinux: Minor cleanups Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 011/101] proc: Pass file mode to proc_pid_make_inode Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 012/101] selinux: Clean up initialization of isec->sclass Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 013/101] selinux: Convert isec->lock into a spinlock Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 014/101] selinux: fix error initialization in inode_doinit_with_dentry() Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 015/101] selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 016/101] include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 017/101] init/main: Fix double "the" in comment Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 018/101] init/main: properly align the multi-line comment Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 019/101] init: move stack canary initialization after setup_arch Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 020/101] init/main.c: extract early boot entropy from the passed cmdline Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 021/101] ACPI: video: Force backlight native for some TongFang devices Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 022/101] ACPI: video: Shortening quirk list by identifying Clevo by board_name only Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 023/101] random: only call boot_init_stack_canary() once Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 024/101] macintosh/adb: fix oob read in do_adb_query() function Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 025/101] Makefile: link with -z noexecstack --no-warn-rwx-segments Greg Kroah-Hartman
2022-08-23 8:02 ` [PATCH 4.9 026/101] x86: link vdso and boot " Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 027/101] ALSA: bcd2000: Fix a UAF bug on the error path of probing Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 028/101] add barriers to buffer_uptodate and set_buffer_uptodate Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 029/101] KVM: SVM: Dont BUG if userspace injects an interrupt with GIF=0 Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 030/101] KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 031/101] ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 032/101] ALSA: hda/cirrus - support for iMac 12,1 model Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 033/101] vfs: Check the truncate maximum size in inode_newsize_ok() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 034/101] usbnet: Fix linkwatch use-after-free on disconnect Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 035/101] parisc: Fix device names in /proc/iomem Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 036/101] drm/nouveau: fix another off-by-one in nvbios_addr Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 037/101] bpf: fix overflow in prog accounting Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 038/101] fuse: limit nsec Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 039/101] md-raid10: fix KASAN warning Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 040/101] ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 041/101] PCI: Add defines for normal and subtractive PCI bridges Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 042/101] powerpc/fsl-pci: Fix Class Code of PCIe Root Port Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 043/101] powerpc/powernv: Avoid crashing if rng is NULL Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 044/101] MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 045/101] USB: HCD: Fix URB giveback issue in tasklet function Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 046/101] netfilter: nf_tables: fix null deref due to zeroed list head Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 047/101] scsi: zfcp: Fix missing auto port scan and thus missing target ports Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 048/101] x86/olpc: fix logical not is only applied to the left hand side Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 049/101] spmi: trace: fix stack-out-of-bound access in SPMI tracing functions Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 050/101] ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 051/101] ext4: make sure ext4_append() always allocates new block Greg Kroah-Hartman
2022-08-23 8:03 ` Greg Kroah-Hartman [this message]
2022-08-23 8:03 ` [PATCH 4.9 053/101] ext4: update s_overhead_clusters in the superblock during an on-line resize Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 054/101] ext4: fix extent status tree race in writeback error recovery path Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 055/101] ext4: correct max_inline_xattr_value_size computing Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 056/101] dm raid: fix address sanitizer warning in raid_status Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 057/101] net_sched: cls_route: remove from list when handle is 0 Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 058/101] btrfs: reject log replay if there is unsupported RO compat flag Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 059/101] tcp: fix over estimation in sk_forced_mem_schedule() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 060/101] scsi: sg: Allow waiting for commands to complete on removed device Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 061/101] Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 062/101] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 063/101] nios2: time: Read timer in get_cycles only if initialized Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 064/101] net/9p: Initialize the iounit field during fid creation Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 065/101] net_sched: cls_route: disallow handle of 0 Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 066/101] ALSA: info: Fix llseek return value when using callback Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 067/101] rds: add missing barrier to release_refill Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 068/101] ata: libata-eh: Add missing command name Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 069/101] btrfs: fix lost error handling when looking up extended ref on log replay Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 070/101] can: ems_usb: fix clangs -Wunaligned-access warning Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 071/101] NFSv4.1: RECLAIM_COMPLETE must handle EACCES Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 072/101] SUNRPC: Reinitialise the backchannel request buffers before reuse Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 073/101] pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 074/101] pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 075/101] vsock: Fix memory leak in vsock_connect() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 076/101] xen/xenbus: fix return type in xenbus_file_read() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 077/101] atm: idt77252: fix use-after-free bugs caused by tst_timer Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 078/101] nios2: page fault et.al. are *not* restartable syscalls Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 079/101] nios2: dont leave NULLs in sys_call_table[] Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 080/101] nios2: traced syscall does need to check the syscall number Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 081/101] nios2: fix syscall restart checks Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 082/101] nios2: restarts apply only to the first sigframe we build Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 083/101] nios2: add force_successful_syscall_return() Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 084/101] netfilter: nf_tables: really skip inactive sets when allocating name Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 085/101] fec: Fix timer capture timing in `fec_ptp_enable_pps()` Greg Kroah-Hartman
2022-08-23 8:03 ` [PATCH 4.9 086/101] kbuild: clear LDFLAGS in the top Makefile Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 087/101] irqchip/tegra: Fix overflow implicit truncation warnings Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 088/101] usb: host: ohci-ppc-of: Fix refcount leak bug Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 089/101] gadgetfs: ep_io - wait until IRQ finishes Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 090/101] cxl: Fix a memory leak in an error handling path Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 091/101] drivers:md:fix a potential use-after-free bug Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 092/101] ext4: avoid remove directory when directory is corrupted Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 093/101] ext4: avoid resizing to a partial cluster size Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 094/101] tty: serial: Fix refcount leak bug in ucc_uart.c Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 095/101] vfio: Clear the caps->buf to NULL after free Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 096/101] mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 097/101] ALSA: core: Add async signal helpers Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 098/101] ALSA: timer: Use deferred fasync helper Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 099/101] powerpc/64: Init jump labels before parse_early_param() Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 100/101] video: fbdev: i740fb: Check the argument of i740_calc_vclk() Greg Kroah-Hartman
2022-08-23 8:04 ` [PATCH 4.9 101/101] MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 Greg Kroah-Hartman
2022-08-23 9:46 ` [PATCH 4.9 000/101] 4.9.326-rc1 review Pavel Machek
2022-08-23 21:00 ` Guenter Roeck
2022-08-23 21:25 ` Guenter Roeck
2022-08-24 7:24 ` Greg Kroah-Hartman
2022-08-23 22:18 ` Shuah Khan
2022-08-24 6:13 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220823080036.549277980@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hulkci@huawei.com \
--cc=jack@suse.cz \
--cc=libaokun1@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ritesh.list@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox