Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 19 Apr 2023 11:57:31 +0800
From: Kyle Zeng <yzeng56@....edu>
To: oss-security@...ts.openwall.com
Cc: Fish Wang <fishw@....edu>, Akshay Ajayan <aajayan@....edu>
Subject: CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

Hi there,

We recently found a slab OOB access bug in the Linux kernel's XFS
subsystem. It can cause denial-of-service and potentially privilege
escalation.

The root cause of the bug is a missing metadata validation when
mounting a user-supplied XFS disk image. More specifically, in a
corner case where there is a dirty log with a buffer log item for an
AGF and the on-disk buffer appears to be newer, XFS will discard the
old dirty log and directly use the newer on-disk buffer without
validating its content. This can lead to malformed metadata flow into
the kernel and cause catastrophic results. More details can be found
in the patch mentioned below.

The patch for this bug can be found here:
https://lore.kernel.org/linux-xfs/20230412214034.GL3223426@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d
It has been merged into linux-next, 22ed903eee23 ("xfs: verify buffer
contents when we skip log replay") and will be merged into the main
tree soon.

Notice that we are aware of two different crashes this bug can lead to
(the one we found because of invalid `agi_level`, and the one
discussed in the patch: invalid refcountbt), it is possible that this
bug can be exploitable to achieve LPE.

A crash log is attached to the email.

Best,
Kyle Zeng
Akshay Ajayan
Fish Wang

=================================================
root@pwn:~# mount 2 test
[   11.652439] loop0: detected capacity change from 0 to 32768
[   11.702972] XFS (loop0): Mounting V5 Filesystem
58c42324-ea61-4f93-a670-9fa85a561ec4
[   11.704748] XFS (loop0): null uuid in log - IRIX style log
[   11.705545] XFS (loop0): Torn write (CRC failure) detected at log
block 0x9. Truncating head block from 0x10.
[   11.759259] XFS (loop0): Starting recovery (logdev: internal)
[   11.760440] XFS (loop0): Metadata corruption detected at
xfs_btree_lookup_get_block+0x259/0x2d0, xfs_inobt block 0x18
[   11.760950] XFS (loop0): Unmount and run xfs_repair
[   11.761195] general protection fault, probably for non-canonical
address 0x6043be0fbf88a15d: 0000 [#1] PREEMPT SMP NOPTI
[   11.761740] CPU: 2 PID: 510 Comm: mount Not tainted 6.3.0-rc6 #9
[   11.762018] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[   11.762433] RIP: 0010:xfs_trans_brelse+0x1c/0x1b0
[   11.762668] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f
44 00 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 e7 b3 4c ff
48 85 db <4d> 8b ac 24 e0 00 00 00 0f 84 5b 01 00 00 e8 d1 b3 4c ff 66
90 e8
[   11.763497] RSP: 0018:ffffa91541c07ab0 EFLAGS: 00010246
[   11.763746] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff939e5529
[   11.764071] RDX: ffff8d01062b3f80 RSI: 0000000000000000 RDI: 0000000000000000
[   11.764398] RBP: ffffa91541c07ac8 R08: ffff8d01062b3f80 R09: 0000000000000000
[   11.764725] R10: 000000006f6c2820 R11: 0000000020534658 R12: 6043be0fbf88a07d
[   11.765049] R13: 00000000ffffff8b R14: 6043be0fbf88a07d R15: ffff8d0101db2000
[   11.765375] FS:  00007f06d7a5ee40(0000) GS:ffff8d013ed00000(0000)
knlGS:0000000000000000
[   11.765742] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   11.766009] CR2: 000000000070bdb4 CR3: 0000000006396006 CR4: 0000000000770ee0
[   11.766336] PKRU: 55555554
[   11.766467] Call Trace:
[   11.766590]  <TASK>
[   11.766706]  xfs_btree_del_cursor+0x45/0x120
[   11.766918]  xfs_imap_lookup+0x190/0x2d0
[   11.767111]  ? kmem_cache_alloc+0x17e/0x330
[   11.767319]  xfs_imap+0x35a/0x4c0
[   11.767486]  xfs_iget+0x4c7/0x10f0
[   11.767662]  xfs_mountfs+0x776/0xe00
[   11.767837]  xfs_fs_fill_super+0x9ee/0xdc0
[   11.768037]  get_tree_bdev+0x22b/0x350
[   11.768217]  ? __pfx_xfs_fs_fill_super+0x10/0x10
[   11.768439]  xfs_fs_get_tree+0x22/0x30
[   11.768621]  vfs_get_tree+0x35/0x130
[   11.768797]  path_mount+0xc64/0x1110
[   11.768973]  __x64_sys_mount+0x19a/0x1f0
[   11.769164]  do_syscall_64+0x59/0x90
[   11.769348]  ? syscall_exit_to_user_mode+0x30/0x60
[   11.769576]  ? do_syscall_64+0x69/0x90
[   11.769757]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   11.769998] RIP: 0033:0x7f06d6ce948a
[   11.770168] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8 64 89
01 48
[   11.770999] RSP: 002b:00007fffdcf3fae8 EFLAGS: 00000206 ORIG_RAX:
00000000000000a5
[   11.771345] RAX: ffffffffffffffda RBX: 0000559716172060 RCX: 00007f06d6ce948a
[   11.771674] RDX: 0000559716174740 RSI: 0000559716173f40 RDI: 000055971617b2a0
[   11.772000] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000020
[   11.772352] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 000055971617b2a0
[   11.772696] R13: 0000559716174740 R14: 0000000000000000 R15: 00000000ffffffff
[   11.773022]  </TASK>
[   11.773130] Modules linked in:
[   11.773303] ---[ end trace 0000000000000000 ]---
[   11.773601] RIP: 0010:xfs_trans_brelse+0x1c/0x1b0
[   11.773825] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f
44 00 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 e7 b3 4c ff
48 85 db <4d> 8b ac 24 e0 00 00 00 0f 84 5b 01 00 00 e8 d1 b3 4c ff 66
90 e8
[   11.774693] RSP: 0018:ffffa91541c07ab0 EFLAGS: 00010246
[   11.774977] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff939e5529
[   11.775313] RDX: ffff8d01062b3f80 RSI: 0000000000000000 RDI: 0000000000000000
[   11.775654] RBP: ffffa91541c07ac8 R08: ffff8d01062b3f80 R09: 0000000000000000
[   11.775979] R10: 000000006f6c2820 R11: 0000000020534658 R12: 6043be0fbf88a07d
[   11.776307] R13: 00000000ffffff8b R14: 6043be0fbf88a07d R15: ffff8d0101db2000
[   11.776636] FS:  00007f06d7a5ee40(0000) GS:ffff8d013ed00000(0000)
knlGS:0000000000000000
[   11.777003] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   11.777269] CR2: 000000000070bdb4 CR3: 0000000006396006 CR4: 0000000000770ee0
[   11.777595] PKRU: 55555554
============

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.