From patchwork Tue Mar 21 21:55:33 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1759644
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][OEM-5.14/OEM-5.17][PATCH 1/2] ntfs: fix use-after-free in ntfs_ucsncmp()
Date: Tue, 21 Mar 2023 17:55:33 -0400
Message-Id: <20230321215534.44019-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230321215534.44019-1-yuxuan.luo@canonical.com>
References: <20230321215534.44019-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
From: ChenXiaoSong

Syzkaller reported a use-after-free bug as follows:

==================================================================
BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130
Read of size 2 at addr ffff8880751acee8 by task a.out/879

CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x1c0/0x2b0
 print_address_description.constprop.0.cold+0xd4/0x484
 print_report.cold+0x55/0x232
 kasan_report+0xbf/0xf0
 ntfs_ucsncmp+0x123/0x130
 ntfs_are_names_equal.cold+0x2b/0x41
 ntfs_attr_find+0x43b/0xb90
 ntfs_attr_lookup+0x16d/0x1e0
 ntfs_read_locked_attr_inode+0x4aa/0x2360
 ntfs_attr_iget+0x1af/0x220
 ntfs_read_locked_inode+0x246c/0x5120
 ntfs_iget+0x132/0x180
 load_system_files+0x1cc6/0x3480
 ntfs_fill_super+0xa66/0x1cf0
 mount_bdev+0x38d/0x460
 legacy_get_tree+0x10d/0x220
 vfs_get_tree+0x93/0x300
 do_new_mount+0x2da/0x6d0
 path_mount+0x496/0x19d0
 __x64_sys_mount+0x284/0x300
 do_syscall_64+0x3b/0xc0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3f2118d9ea
Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00
RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44
R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the physical page:
page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac
memcg:ffff888101f7e180
anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201
raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          ^
 ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

The reason is that struct ATTR_RECORD->name_offset is 6485, so the end address of the name string is out of bounds. Fix this by adding a sanity check on the end address of the attribute name string.

[akpm@linux-foundation.org: coding-style cleanups]
[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei]
Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com
Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com
Signed-off-by: ChenXiaoSong
Signed-off-by: Hawkins Jiawei
Cc: Anton Altaparmakov
Cc: ChenXiaoSong
Cc: Yongqiang Liu
Cc: Zhang Yi
Cc: Zhang Xiaoxu
Signed-off-by: Andrew Morton
(cherry picked from commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44)
CVE-2023-26607
Signed-off-by: Yuxuan Luo
---
 fs/ntfs/attrib.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c
index d563abc3e1364..914e991731300 100644
--- a/fs/ntfs/attrib.c
+++ b/fs/ntfs/attrib.c
@@ -592,8 +592,12 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name, a = (ATTR_RECORD*)((u8*)ctx->attr + le32_to_cpu(ctx->attr->length)); for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) { - if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec + - le32_to_cpu(ctx->mrec->bytes_allocated)) + u8 *mrec_end = (u8 *)ctx->mrec + + le32_to_cpu(ctx->mrec->bytes_allocated); + u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) + + a->name_length * sizeof(ntfschar); + if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end || + name_end > mrec_end) break; ctx->attr = a; if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) ||
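Review bot: name_end is derived from a->name_offset and a->name_length before the same if statement has established that a itself lies inside the MFT record, so on the iteration where (u8*)a > mrec_end would stop the walk, those two fields are still read from whatever a points at. Consider doing the a-range test first and computing name_end only once a is known to be within [ctx->mrec, mrec_end], e.g. split the condition into two ifs with the existing "(u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end" on its own. Relatedly, "(u8*)a > mrec_end" still admits a == mrec_end or any a whose fixed header straddles mrec_end, so name_offset, name_length and the a->type read on the next line can land just past bytes_allocated; checking that a plus the fixed header size does not exceed mrec_end would close that gap. The new name_end > mrec_end test itself is correct as written: a name ending exactly at mrec_end is accepted, and name_length is a u8, so the multiplication by sizeof(ntfschar) cannot overflow.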
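To make the effect of the new name_end check concrete, here is an added user-space model of the pre-patch and post-patch bounds tests from ntfs_attr_find(). This is example code written for this page, not part of the patch or of fs/ntfs; the struct is a simplified stand-in for the kernel's ATTR_RECORD that keeps only the fields the check uses, the 1024-byte MFT record and the attribute inside it are constructed, and the helper names (attr_in_bounds_old, attr_in_bounds_new, build_record, probe) are invented for the example.

```c
/* Added example: models the bounds check the hunk above adds to
 * ntfs_attr_find(). Not kernel code; layout and data are simplified and
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t ntfschar;      /* NTFS names are UTF-16 code units */

/* Simplified attribute-record header (assumption: only the fields the
 * check reads; the real ATTR_RECORD carries more after these). */
struct attr_record {
    uint32_t type;
    uint32_t length;            /* byte length of the whole record */
    uint8_t  non_resident;
    uint8_t  name_length;       /* name length in ntfschar units */
    uint16_t name_offset;       /* byte offset of the name from record start */
};

#define MREC_SIZE 1024          /* constructed MFT record size */
#define REC_OFF   0x38          /* constructed offset of the attribute */

/* Pre-patch test: only the record start is compared against the MFT
 * record bounds, so a name that starts inside but runs past the end is
 * accepted and would later be read out of bounds by the name compare. */
static int attr_in_bounds_old(const uint8_t *mrec, size_t bytes_allocated,
                              const struct attr_record *a)
{
    const uint8_t *mrec_end = mrec + bytes_allocated;
    return !((const uint8_t *)a < mrec || (const uint8_t *)a > mrec_end);
}

/* Post-patch test, mirroring the hunk: additionally require that the
 * name string ends inside the MFT record. */
static int attr_in_bounds_new(const uint8_t *mrec, size_t bytes_allocated,
                              const struct attr_record *a)
{
    const uint8_t *mrec_end = mrec + bytes_allocated;
    const uint8_t *name_end = (const uint8_t *)a + a->name_offset +
                              a->name_length * sizeof(ntfschar);
    return !((const uint8_t *)a < mrec || (const uint8_t *)a > mrec_end ||
             name_end > mrec_end);
}

/* Fill a constructed MFT record with one attribute at REC_OFF whose
 * name_offset/name_length are chosen by the caller. */
static void build_record(uint8_t *mrec, uint16_t name_offset,
                         uint8_t name_length)
{
    struct attr_record rec = {
        .type = 0x30,           /* illustrative attribute type value */
        .length = 0x60,
        .non_resident = 0,
        .name_length = name_length,
        .name_offset = name_offset,
    };
    memset(mrec, 0, MREC_SIZE);
    memcpy(mrec + REC_OFF, &rec, sizeof(rec));
}

/* Run one of the two checks against a constructed record; returns 1 if
 * the attribute is accepted, 0 if the walk would stop. */
static int probe(int (*check)(const uint8_t *, size_t,
                              const struct attr_record *),
                 uint16_t name_offset, uint8_t name_length)
{
    uint8_t mrec[MREC_SIZE];
    build_record(mrec, name_offset, name_length);
    return check(mrec, MREC_SIZE,
                 (const struct attr_record *)(mrec + REC_OFF));
}

int main(void)
{
    /* name_offset 6485 is the value from the syzkaller report above */
    printf("old check, name_offset 6485: %s\n",
           probe(attr_in_bounds_old, 6485, 4) ? "accepted" : "rejected");
    printf("new check, name_offset 6485: %s\n",
           probe(attr_in_bounds_new, 6485, 4) ? "accepted" : "rejected");
    printf("new check, name ending at mrec_end: %s\n",
           probe(attr_in_bounds_new, 960, 4) ? "accepted" : "rejected");
    return 0;
}
```

With the record placed at offset 0x38 of a 1024-byte MFT record, a 4-character name at name_offset 960 ends exactly at mrec_end and is accepted by the new test, one at 961 is rejected, and the reported name_offset of 6485 is accepted by the old test but rejected by the new one.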