From patchwork Mon Aug 7 20:01:32 2023
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy-OEM-5.17][PATCH 1/2] ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
Date: Mon, 7 Aug 2023 16:01:32 -0400
Message-Id: <20230807200133.48993-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230807200133.48993-1-yuxuan.luo@canonical.com>

From: Baokun Li

When adding an xattr to an inode, we must ensure that the inode_size is
not less than EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. Otherwise,
the end position may be greater than the start position, resulting in UAF.

Signed-off-by: Baokun Li
Reviewed-by: Jan Kara
Reviewed-by: Ritesh Harjani (IBM)
Link: https://lore.kernel.org/r/20220616021358.2504451-2-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o
(cherry picked from commit 179b14152dcb6a24c3415200603aebca70ff13af)
CVE-2023-2513
Signed-off-by: Yuxuan Luo
---
 fs/ext4/xattr.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
index 77efb9a627ad..f885f362add4 100644
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -95,6 +95,19 @@ struct ext4_xattr_entry { #define EXT4_ZERO_XATTR_VALUE ((void *)-1) +/* + * If we want to add an xattr to the inode, we should make sure that + * i_extra_isize is not 0 and that the inode size is not less than + * EXT4_GOOD_OLD_INODE_SIZE + extra_isize + pad. + * EXT4_GOOD_OLD_INODE_SIZE extra_isize header entry pad data + * |--------------------------|------------|------|---------|---|-------| + */ +#define EXT4_INODE_HAS_XATTR_SPACE(inode) \ + ((EXT4_I(inode)->i_extra_isize != 0) && \ + (EXT4_GOOD_OLD_INODE_SIZE + EXT4_I(inode)->i_extra_isize + \ + sizeof(struct ext4_xattr_ibody_header) + EXT4_XATTR_PAD <= \ + EXT4_INODE_SIZE((inode)->i_sb))) + struct ext4_xattr_info { const char *name; const void *value;
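Review bot: EXT4_INODE_HAS_XATTR_SPACE() expands its `inode` argument three times (EXT4_I(inode) twice and (inode)->i_sb once), so it is only safe with a side-effect-free argument; a static inline function taking `struct inode *` would make that guarantee structural, though both callers in 2/2 pass a plain pointer. The `<=` in `sizeof(struct ext4_xattr_ibody_header) + EXT4_XATTR_PAD <= EXT4_INODE_SIZE((inode)->i_sb)` matches the "not less than" wording of the comment: a layout where the header and one pad unit end exactly at the inode size is still accepted, which is the intended boundary, and anything leaving less room than that is now rejected even when i_extra_isize is non-zero.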
From patchwork Mon Aug 7 20:01:33 2023
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy-OEM-5.17][PATCH 2/2] ext4: fix use-after-free in ext4_xattr_set_entry
Date: Mon, 7 Aug 2023 16:01:33 -0400
Message-Id: <20230807200133.48993-3-yuxuan.luo@canonical.com>
In-Reply-To: <20230807200133.48993-1-yuxuan.luo@canonical.com>
From: Baokun Li

Hulk Robot reported an issue:
==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x18ab/0x3500
Write of size 4105 at addr ffff8881675ef5f4 by task syz-executor.0/7092

CPU: 1 PID: 7092 Comm: syz-executor.0 Not tainted 4.19.90-dirty #17
Call Trace:
[...]
 memcpy+0x34/0x50 mm/kasan/kasan.c:303
 ext4_xattr_set_entry+0x18ab/0x3500 fs/ext4/xattr.c:1747
 ext4_xattr_ibody_inline_set+0x86/0x2a0 fs/ext4/xattr.c:2205
 ext4_xattr_set_handle+0x940/0x1300 fs/ext4/xattr.c:2386
 ext4_xattr_set+0x1da/0x300 fs/ext4/xattr.c:2498
 __vfs_setxattr+0x112/0x170 fs/xattr.c:149
 __vfs_setxattr_noperm+0x11b/0x2a0 fs/xattr.c:180
 __vfs_setxattr_locked+0x17b/0x250 fs/xattr.c:238
 vfs_setxattr+0xed/0x270 fs/xattr.c:255
 setxattr+0x235/0x330 fs/xattr.c:520
 path_setxattr+0x176/0x190 fs/xattr.c:539
 __do_sys_lsetxattr fs/xattr.c:561 [inline]
 __se_sys_lsetxattr fs/xattr.c:557 [inline]
 __x64_sys_lsetxattr+0xc2/0x160 fs/xattr.c:557
 do_syscall_64+0xdf/0x530 arch/x86/entry/common.c:298
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x459fe9
RSP: 002b:00007fa5e54b4c08 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 000000000051bf60 RCX: 0000000000459fe9
RDX: 00000000200003c0 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 000000000051bf60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000001009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc73c93fc0 R14: 000000000051bf60 R15: 00007fa5e54b4d80
[...]
==================================================================

Above issue may happen as follows:
-------------------------------------
ext4_xattr_set
  ext4_xattr_set_handle
    ext4_xattr_ibody_find
      >> s->end < s->base
      >> no EXT4_STATE_XATTR
      >> xattr_check_inode is not executed
    ext4_xattr_ibody_set
      ext4_xattr_set_entry
        >> size_t min_offs = s->end - s->base
        >> UAF in memcpy

We can easily reproduce this problem with the following commands:

mkfs.ext4 -F /dev/sda
mount -o debug_want_extra_isize=128 /dev/sda /mnt
touch /mnt/file
setfattr -n user.cat -v `seq -s z 4096|tr -d '[:digit:]'` /mnt/file

In ext4_xattr_ibody_find, we have the following assignment logic:
header = IHDR(inode, raw_inode)
       = raw_inode + EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize
is->s.base = IFIRST(header)
           = header + sizeof(struct ext4_xattr_ibody_header)
is->s.end = raw_inode + s_inode_size

In ext4_xattr_set_entry
min_offs = s->end - s->base
         = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header)
last = s->first
free = min_offs - ((void *)last - s->base) - sizeof(__u32)
     = s_inode_size - EXT4_GOOD_OLD_INODE_SIZE - i_extra_isize - sizeof(struct ext4_xattr_ibody_header) - sizeof(__u32)

In the calculation formula, all values except s_inode_size and i_extra_isize are fixed values. When i_extra_isize is the maximum value s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, min_offs is -4 and free is -8. The value overflows. As a result, the preceding issue is triggered when memcpy is executed.

Therefore, when finding xattr or setting xattr, check whether there is space for storing xattr in the inode to resolve this issue.

Cc: stable@kernel.org
Reported-by: Hulk Robot
Signed-off-by: Baokun Li
Reviewed-by: Ritesh Harjani (IBM)
Reviewed-by: Jan Kara
Link: https://lore.kernel.org/r/20220616021358.2504451-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o
(cherry picked from commit 67d7d8ad99beccd9fe92d585b87f1760dc9018e3)
CVE-2023-2513
Signed-off-by: Yuxuan Luo
---
 fs/ext4/xattr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 042325349098..c3c3194f3ee1 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2176,8 +2176,9 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, struct ext4_inode *raw_inode; int error; - if (EXT4_I(inode)->i_extra_isize == 0) + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) return 0; + raw_inode = ext4_raw_inode(&is->iloc); header = IHDR(inode, raw_inode); is->s.base = is->s.first = IFIRST(header); @@ -2205,8 +2206,9 @@ int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode, struct ext4_xattr_search *s = &is->s; int error; - if (EXT4_I(inode)->i_extra_isize == 0) + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) return -ENOSPC; + error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); if (error) return error;
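Review bot: The ext4_xattr_ibody_find() hunk compiles only with 1/2 applied, since EXT4_INODE_HAS_XATTR_SPACE() is introduced there, so the two patches must go into the SRU upload as a unit. The unchanged `return 0` keeps this function's existing meaning of "no in-inode xattr region" with is->s left untouched; the only behavioural change is that an inode whose i_extra_isize leaves no room for the ibody header and pad now takes that early return instead of having is->s.base computed past is->s.end on the lines that follow. The added blank line after the return is whitespace only and matches the cherry-picked upstream commit.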
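Review bot: In the ext4_xattr_ibody_set() hunk, returning -ENOSPC keeps the error the removed `i_extra_isize == 0` check already produced, so callers see nothing new, while the stricter condition now stops the case the commit message walks through (i_extra_isize == s_inode_size - EXT4_GOOD_OLD_INODE_SIZE, which makes min_offs -4 in a size_t) before ext4_xattr_set_entry() runs. Repeating the check here rather than relying on ext4_xattr_ibody_find() is correct: `error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */);` is called directly from this function, so it needs its own guard.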
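The arithmetic from the commit message carried through in user space, as an added example that is not code from the patch series or from ext4: it models min_offs and free with the commit's constants and applies the same condition as the patch's EXT4_INODE_HAS_XATTR_SPACE() to the same layouts. The 4-byte sizes of struct ext4_xattr_ibody_header and __u32 are assumptions consistent with the commit message's -4 and -8.

```c
/* Added example, not code from the patch series: a user-space model of the
 * in-inode xattr arithmetic from the commit message, showing why size_t
 * min_offs wraps once i_extra_isize fills the inode and how the patch's
 * EXT4_INODE_HAS_XATTR_SPACE() condition rejects exactly those layouts.
 * Assumed: sizeof(struct ext4_xattr_ibody_header) == sizeof(__u32) == 4. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXT4_GOOD_OLD_INODE_SIZE 128
#define EXT4_XATTR_PAD           4
#define IBODY_HEADER_SIZE        4   /* struct ext4_xattr_ibody_header */
#define U32_SIZE                 4   /* __u32 end-of-list marker */

/* Same condition as the patch's EXT4_INODE_HAS_XATTR_SPACE(): besides
 * i_extra_isize != 0 (the only pre-patch check), header + pad must fit. */
static bool has_xattr_space(size_t s_inode_size, size_t i_extra_isize)
{
    return i_extra_isize != 0 &&
           EXT4_GOOD_OLD_INODE_SIZE + i_extra_isize +
               IBODY_HEADER_SIZE + EXT4_XATTR_PAD <= s_inode_size;
}

/* min_offs = s->end - s->base as ext4_xattr_set_entry() computes it: the
 * pointer difference lands in a size_t, so a base past end wraps to a huge
 * value instead of going negative. raw_inode is a constructed address. */
static size_t min_offs(size_t s_inode_size, size_t i_extra_isize)
{
    uintptr_t raw  = 0x1000;
    uintptr_t end  = raw + s_inode_size;                    /* is->s.end */
    uintptr_t base = raw + EXT4_GOOD_OLD_INODE_SIZE +       /* IFIRST()  */
                     i_extra_isize + IBODY_HEADER_SIZE;
    return (size_t)(end - base);
}

/* free = min_offs - (last - base) - sizeof(__u32), with no entries yet. */
static size_t free_space(size_t s_inode_size, size_t i_extra_isize)
{
    return min_offs(s_inode_size, i_extra_isize) - U32_SIZE;
}

int main(void)
{
    /* 256-byte inode, i_extra_isize 128: pre-patch check passes, values wrap */
    printf("extra=128 ok=%d min_offs=%zu free=%zu\n", has_xattr_space(256, 128),
           min_offs(256, 128), free_space(256, 128));
    printf("extra=32  ok=%d min_offs=%zu free=%zu\n", has_xattr_space(256, 32),
           min_offs(256, 32), free_space(256, 32));
    return 0;
}
```

With i_extra_isize 124 the old check still passes but min_offs is already 0 and free wraps, which is the gap the header-plus-pad term in the new condition closes.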