Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAO3qeMWAZYXsKtVOnAQMDDq8wvQA=B6ZYDZjvfoe62muQPgALg@mail.gmail.com>
Date: Wed, 8 Jun 2022 10:17:36 +0800
From: Gerald Lee <sundaywind2004@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1973: Linux Kernel: fs/ntfs3: invalid free in log_replay

Hi all,

=*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=

log_read_rst() returns ENOMEM error when there is not enough memory.
In this case, if info is returned without initialization,
it attempts to kfree the uninitialized info->r_page pointer.

This issue was reported on May 27 and assigned CVE-2022-1973.

C repro is attached.


=*=*=*=*=*=*=*=*=     BACKTRACE     =*=*=*=*=*=*=*=*=

BUG: KASAN: double-free or invalid-free in log_replay+0x5df/0xd310
fs/ntfs3/fslog.c:5197

CPU: 1 PID: 22698 Comm: syz-executor.5 Not tainted 5.18.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:313 [inline]
 print_report.cold+0xe5/0x659 mm/kasan/report.c:429
 kasan_report_invalid_free+0x5c/0x160 mm/kasan/report.c:458
 ____kasan_slab_free mm/kasan/common.c:346 [inline]
 __kasan_slab_free+0x174/0x190 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook mm/slub.c:1754 [inline]
 slab_free mm/slub.c:3510 [inline]
 kfree+0xec/0x4b0 mm/slub.c:4552
 log_replay+0x5df/0xd310 fs/ntfs3/fslog.c:5197
 ntfs_loadlog_and_replay+0x4a1/0x5d0 fs/ntfs3/fsntfs.c:299
 ntfs_fill_super+0x1c34/0x4b30 fs/ntfs3/super.c:1004
 get_tree_bdev+0x440/0x760 fs/super.c:1292
 vfs_get_tree+0x89/0x2f0 fs/super.c:1497
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1228/0x1cb0 fs/namespace.c:3370
 do_mount+0xf3/0x110 fs/namespace.c:3383
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fee5048f25e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00
00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fee4f3fda08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007fee5048f25e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fee4f3fda60
RBP: 00007fee4f3fdaa0 R08: 00007fee4f3fdaa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fee4f3fda60 R15: 000000002007c6a0
 </TASK>

Allocated by task 22698:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x1f4/0x460 mm/slub.c:3258
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 ntfs_init_fs_context+0x263/0x580 fs/ntfs3/super.c:1398
 alloc_fs_context+0x582/0xa00 fs/fs_context.c:290
 do_new_mount fs/namespace.c:3025 [inline]
 path_mount+0x9ba/0x1cb0 fs/namespace.c:3370
 do_mount+0xf3/0x110 fs/namespace.c:3383
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff888045662000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2280 bytes inside of
 4096-byte region [ffff888045662000, ffff888045663000)

The buggy address belongs to the physical page:
page:ffffea0001159800 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x45660
head:ffffea0001159800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 0000000000000000 dead000000000122 ffff888010c42140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask
0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
pid 22698, tgid 22689 (syz-executor.5), ts 493053136116, free_ts
493040762977
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2434 [inline]
 prep_new_page+0x297/0x330 mm/page_alloc.c:2441
 get_page_from_freelist+0x210e/0x3ab0 mm/page_alloc.c:4182
 __alloc_pages+0x30c/0x6e0 mm/page_alloc.c:5408
 alloc_pages+0x119/0x250 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x2a9/0x3f0 mm/slub.c:2004
 ___slab_alloc+0xc62/0x1080 mm/slub.c:3005
 __slab_alloc.isra.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmalloc+0x3a9/0x4c0 mm/slub.c:4410
 kmalloc include/linux/slab.h:586 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_mount_acl+0x2cd/0x840 security/tomoyo/mount.c:141
 tomoyo_mount_permission+0x151/0x3f0 security/tomoyo/mount.c:237
 security_sb_mount+0x66/0xc0 security/security.c:976
 path_mount+0x12f/0x1cb0 fs/namespace.c:3312
 do_mount+0xf3/0x110 fs/namespace.c:3383
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x51f/0xd00 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x19/0x5b0 mm/page_alloc.c:3423
 do_slab_free mm/slub.c:3498 [inline]
 ___cache_free+0x12c/0x140 mm/slub.c:3517
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x13d/0x180 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook+0x4d/0x4f0 mm/slab.h:749
 slab_alloc_node mm/slub.c:3217 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmalloc+0x184/0x4c0 mm/slub.c:4410
 kmalloc include/linux/slab.h:586 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x219/0x420 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1350
 vfs_getattr+0x22/0x60 fs/stat.c:157
 vfs_fstat+0x49/0x90 fs/stat.c:182
 __do_sys_newfstat+0x81/0x100 fs/stat.c:435
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Memory state around the buggy address:
 ffff888045662780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888045662800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888045662880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                          ^
 ffff888045662900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff888045662980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc


=*=*=*=*=*=*=*=*=     PATCH     =*=*=*=*=*=*=*=*=

The patch has been merged into the Linux kernel mainline and can be found
here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f26967b9f7a830e228bb13fb41bd516ddd9d789d


=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Zhixin Li (Zero-one Security) <sundaywind2004@...il.com>


Thanks

Content of type "text/html" skipped

View attachment "repro.c" of type "text/x-csrc" (19800 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.