oss-sec mailing list archives
CVE-2022-1973: Linux Kernel: fs/ntfs3: invalid free in log_replay
From: Gerald Lee <sundaywind2004 () gmail com>
Date: Wed, 8 Jun 2022 10:17:36 +0800
Hi all, =*=*=*=*=*=*=*=*= BUG DETAILS =*=*=*=*=*=*=*=*= log_read_rst() returns ENOMEM error when there is not enough memory. In this case, if info is returned without initialization, it attempts to kfree the uninitialized info->r_page pointer. This issue was reported on May 27 and assigned CVE-2022-1973. C repro is attached. =*=*=*=*=*=*=*=*= BACKTRACE =*=*=*=*=*=*=*=*= BUG: KASAN: double-free or invalid-free in log_replay+0x5df/0xd310 fs/ntfs3/fslog.c:5197 CPU: 1 PID: 22698 Comm: syz-executor.5 Not tainted 5.18.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:313 [inline] print_report.cold+0xe5/0x659 mm/kasan/report.c:429 kasan_report_invalid_free+0x5c/0x160 mm/kasan/report.c:458 ____kasan_slab_free mm/kasan/common.c:346 [inline] __kasan_slab_free+0x174/0x190 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook mm/slub.c:1754 [inline] slab_free mm/slub.c:3510 [inline] kfree+0xec/0x4b0 mm/slub.c:4552 log_replay+0x5df/0xd310 fs/ntfs3/fslog.c:5197 ntfs_loadlog_and_replay+0x4a1/0x5d0 fs/ntfs3/fsntfs.c:299 ntfs_fill_super+0x1c34/0x4b30 fs/ntfs3/super.c:1004 get_tree_bdev+0x440/0x760 fs/super.c:1292 vfs_get_tree+0x89/0x2f0 fs/super.c:1497 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x1228/0x1cb0 fs/namespace.c:3370 do_mount+0xf3/0x110 fs/namespace.c:3383 __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fee5048f25e Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fee4f3fda08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007fee5048f25e RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fee4f3fda60 RBP: 00007fee4f3fdaa0 R08: 00007fee4f3fdaa0 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 00007fee4f3fda60 R15: 000000002007c6a0 </TASK> Allocated by task 22698: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kasan_kmalloc include/linux/kasan.h:234 [inline] kmem_cache_alloc_trace+0x1f4/0x460 mm/slub.c:3258 kmalloc include/linux/slab.h:581 [inline] kzalloc include/linux/slab.h:714 [inline] ntfs_init_fs_context+0x263/0x580 fs/ntfs3/super.c:1398 alloc_fs_context+0x582/0xa00 fs/fs_context.c:290 do_new_mount fs/namespace.c:3025 [inline] path_mount+0x9ba/0x1cb0 fs/namespace.c:3370 do_mount+0xf3/0x110 fs/namespace.c:3383 __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff888045662000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 2280 bytes inside of 4096-byte region [ffff888045662000, ffff888045663000) The buggy address belongs to the physical page: page:ffffea0001159800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45660 head:ffffea0001159800 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000010200 0000000000000000 dead000000000122 ffff888010c42140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 22698, tgid 22689 (syz-executor.5), ts 493053136116, free_ts 493040762977 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2434 [inline] prep_new_page+0x297/0x330 mm/page_alloc.c:2441 get_page_from_freelist+0x210e/0x3ab0 mm/page_alloc.c:4182 __alloc_pages+0x30c/0x6e0 mm/page_alloc.c:5408 alloc_pages+0x119/0x250 mm/mempolicy.c:2272 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab mm/slub.c:1944 [inline] new_slab+0x2a9/0x3f0 mm/slub.c:2004 ___slab_alloc+0xc62/0x1080 mm/slub.c:3005 __slab_alloc.isra.0+0x4d/0xa0 mm/slub.c:3092 slab_alloc_node mm/slub.c:3183 [inline] slab_alloc mm/slub.c:3225 [inline] __kmalloc+0x3a9/0x4c0 mm/slub.c:4410 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254 tomoyo_mount_acl+0x2cd/0x840 security/tomoyo/mount.c:141 tomoyo_mount_permission+0x151/0x3f0 security/tomoyo/mount.c:237 security_sb_mount+0x66/0xc0 security/security.c:976 path_mount+0x12f/0x1cb0 fs/namespace.c:3312 do_mount+0xf3/0x110 fs/namespace.c:3383 __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1356 [inline] free_pcp_prepare+0x51f/0xd00 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3328 [inline] free_unref_page+0x19/0x5b0 mm/page_alloc.c:3423 do_slab_free mm/slub.c:3498 [inline] ___cache_free+0x12c/0x140 mm/slub.c:3517 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x13d/0x180 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook+0x4d/0x4f0 mm/slab.h:749 slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmalloc+0x184/0x4c0 mm/slub.c:4410 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x219/0x420 security/tomoyo/file.c:822 security_inode_getattr+0xcf/0x140 security/security.c:1350 vfs_getattr+0x22/0x60 fs/stat.c:157 vfs_fstat+0x49/0x90 fs/stat.c:182 __do_sys_newfstat+0x81/0x100 fs/stat.c:435 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Memory state around the buggy address: ffff888045662780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888045662800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888045662880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^ ffff888045662900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff888045662980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc =*=*=*=*=*=*=*=*= PATCH =*=*=*=*=*=*=*=*= The patch has been merged into the Linux kernel mainline and can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f26967b9f7a830e228bb13fb41bd516ddd9d789d =*=*=*=*=*=*=*=*= CREDIT =*=*=*=*=*=*=*=*= Zhixin Li (Zero-one Security) <sundaywind2004 () gmail com> Thanks
Attachment:
repro.c
Description:
Current thread:
- CVE-2022-1973: Linux Kernel: fs/ntfs3: invalid free in log_replay Gerald Lee (Jun 07)