Bug 205609

Summary: Multiple bugs in __ext4_expand_extra_isize (OOB write and UAF write)
Product: File System Reporter: Tristan Madani (tristmd)
Component: ext4Assignee: fs_ext4 (fs_ext4)
Status: NEW ---    
Severity: normal CC: sandeen, tytso
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4x / 5.x Subsystem:
Regression: No Bisected commit-id:
Attachments: Bug 2 report
Bug 1 report

Description Tristan Madani 2019-11-20 17:27:02 UTC 
BUG #1 - UAF write in __ext4_expand_extra_isize
===

KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
Write of size 189

BUG #2 - OOB write
===
Comment 1 Tristan Madani 2019-11-20 17:31:42 UTC 
BUG 1 - UAF write in __ext4_expand_extra_isize
===

KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
Write of size 189

Details:

BUG: KASAN: use-after-free in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
Write of size 189 at addr ffff88802232ffa0 by task syz-executor.1/2654

CPU: 0 PID: 2654 Comm: syz-executor.1 Not tainted 5.4.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374
 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 memset+0x1f/0x40 mm/kasan/common.c:105
 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline]
 ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052
 ext4_ext_truncate+0x8b/0x1d0 fs/ext4/extents.c:4583
 ext4_truncate+0x974/0xf30 fs/ext4/inode.c:4511
 ext4_evict_inode+0x73f/0xf80 fs/ext4/inode.c:289
 evict+0x2d3/0x640 fs/inode.c:574
 iput_final fs/inode.c:1563 [inline]

../..

NB: Full report attached


BUG 2 - OOB write
===

EXT4-fs error (device sda): htree_dirblock_to_tree:1025: inode #15297: block 10531: comm syz-fuzzer: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0, size=4096
BUG: KASAN: out-of-bounds in __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
Write of size 991 at addr ffff8880177a1fa0 by task syz-executor.3/443

CPU: 1 PID: 443 Comm: syz-executor.3 Not tainted 5.4.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description.constprop.6+0x16/0x220 mm/kasan/report.c:374
 __kasan_report.cold.9+0x1a/0x40 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 memset+0x1f/0x40 mm/kasan/common.c:105
 __ext4_expand_extra_isize+0x182/0x250 fs/ext4/inode.c:5924
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:5976 [inline]
 ext4_mark_inode_dirty+0x586/0x6c0 fs/ext4/inode.c:6052
 ext4_dirty_inode+0x71/0xa0 fs/ext4/inode.c:6086
 __mark_inode_dirty+0x3d4/0xd30 fs/fs-writeback.c:2255
 generic_update_time+0x1b4/0x2d0 fs/inode.c:1667
 update_time fs/inode.c:1683 [inline]
 touch_atime+0x20e/0x270 fs/inode.c:1754
 file_accessed include/linux/fs.h:2202 [inline]
 iterate_dir+0x2e5/0x540 fs/readdir.c:70
 ksys_getdents64+0x11a/0x230 fs/readdir.c:372
 __do_sys_getdents64 fs/readdir.c:391 [inline]
 __se_sys_getdents64 fs/readdir.c:388 [inline]
 __x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:388
 do_syscall_64+0x9a/0x330 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x483157
Code: 04 48 81 ec 80 00 00 00 e8 b6 12 f9 ff 48 81 c4 80 00 00 00 5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 bc ff ff ff f7 d8 64 89 02 48
RSP: 002b:00007ffd2d74f558 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000001dcdc30 RCX: 0000000000483157
RDX: 0000000000008000 RSI: 0000000001dcdc60 RDI: 0000000000000004
RBP: 0000000001dcdc60 R08: 0000000000000003 R09: 0000000000000076
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffbc
R13: 0000000000000016 R14: 00000000004a54ec R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea00005de840 refcount:2 mapcount:0 mapping:ffff888035848d78 index:0x4de
0xffffffff8aeb2e20 
flags: 0x100000000002032(referenced|lru|active|private)
raw: 0100000000002032 ffffea00005df188 ffffea0000d81d48 ffff888035848d78
raw: 00000000000004de ffff888023614000 00000002ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880177a1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880177a1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880177a2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff8880177a2080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880177a2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


NB: Full report attached
Comment 2 Tristan Madani 2019-11-20 17:32:28 UTC 
Created attachment 285989 [details]
Bug 2 report
Comment 3 Tristan Madani 2019-11-20 17:32:47 UTC 
Created attachment 285991 [details]
Bug 1 report
Comment 4 Tristan Madani 2019-11-20 17:36:56 UTC 
Could someone merge "Comment 1" and "Description" please?

Thanks
Comment 5 Theodore Tso 2019-11-21 00:47:15 UTC 
Are you running syzkaller yourself? (e.g., this is different from the syzbot runs)?   If this is something that you find in the 

The Syzbot run by Dmitry at Google has reported a number of these sorts of issues which I believe is fixed by:

https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?h=dev&id=4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a

So it might be helpful if you could run your syzkaller against the dev branch of the ext4.git tree.
Comment 6 Tristan Madani 2019-11-25 10:09:07 UTC 
Dear  Theodore,

- Looks like syzkaller bot have found the UAF too. 

- The OOB write's path is different to be triggered (check the stack trace) but the root cause seems to be similar at the end

- I am running syzkaller by myself 

- I will work on the dev branch of the ext4.git tree as suggested

- At this time, I think the commit "ext4: add more paranoia checking in ext4_expand_extra_isize handling" should have fixed both issues but I can verify

Thanks.

Kind regards,

Tristan
Comment 7 Eric Sandeen 2020-04-08 15:05:55 UTC 
Tristan -

It would be hugely useful if you would provide /any/ reproducer details in these bugs.  Simply filing bugs w/ KASAN splat forces the reader to try to guess and reverse engineer your work, which is not a particularly efficient use of developer time.
Comment 8 Theodore Tso 2020-04-09 01:50:19 UTC 
Tristan hasn't updated this bug in the last 4+ months, so I propose that we close this bug.

Tristan, if you find a problems in the future, please include the C reproducer and file separate bugs for each syzkaller problem for which you have a clean reproducer.   For bonus points, please try to take Syzkaller's reproducer (which often has a lot of unnecessary crud), and streamline it to the smallest possible reliable repro case.

Many thanks!!