diff --git a/patches.suse/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch b/patches.suse/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch new file mode 100644 index 0000000..4ae1ed4 --- /dev/null +++ b/patches.suse/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch @@ -0,0 +1,112 @@ +From 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 Mon Sep 17 00:00:00 2001 +From: ChenXiaoSong +Date: Thu, 7 Jul 2022 18:53:29 +0800 +Subject: [PATCH] ntfs: fix use-after-free in ntfs_ucsncmp() +Git-commit: 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 +Patch-mainline: v5.19 +References: bsc#1221713 + +Syzkaller reported use-after-free bug as follows: + +================================================================== +Bug: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130 +Read of size 2 at addr ffff8880751acee8 by task a.out/879 + +Cpu: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + dump_stack_lvl+0x1c0/0x2b0 + print_address_description.constprop.0.cold+0xd4/0x484 + print_report.cold+0x55/0x232 + kasan_report+0xbf/0xf0 + ntfs_ucsncmp+0x123/0x130 + ntfs_are_names_equal.cold+0x2b/0x41 + ntfs_attr_find+0x43b/0xb90 + ntfs_attr_lookup+0x16d/0x1e0 + ntfs_read_locked_attr_inode+0x4aa/0x2360 + ntfs_attr_iget+0x1af/0x220 + ntfs_read_locked_inode+0x246c/0x5120 + ntfs_iget+0x132/0x180 + load_system_files+0x1cc6/0x3480 + ntfs_fill_super+0xa66/0x1cf0 + mount_bdev+0x38d/0x460 + legacy_get_tree+0x10d/0x220 + vfs_get_tree+0x93/0x300 + do_new_mount+0x2da/0x6d0 + path_mount+0x496/0x19d0 + __x64_sys_mount+0x284/0x300 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 +Rip: 0033:0x7f3f2118d9ea +Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48 +Rsp: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +Rax: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea +Rdx: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00 +Rbp: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44 +R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The buggy address belongs to the physical page: +page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac +memcg:ffff888101f7e180 +anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff) +Raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201 +Raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ^ + ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +================================================================== + +The reason is that struct ATTR_RECORD->name_offset is 6485, end address of +name string is out of bounds. + +Fix this by adding sanity check on end address of attribute name string. + +[akpm@linux-foundation.org: coding-style cleanups] +[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei] + Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com +Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com +Signed-off-by: ChenXiaoSong +Signed-off-by: Hawkins Jiawei +Cc: Anton Altaparmakov +Cc: ChenXiaoSong +Cc: Yongqiang Liu +Cc: Zhang Yi +Cc: Zhang Xiaoxu +Signed-off-by: Andrew Morton +Acked-by: Anthony Iliopoulos + +--- + fs/ntfs/attrib.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c +index 4de597a83b88..52615e6090e1 100644 +--- a/fs/ntfs/attrib.c ++++ b/fs/ntfs/attrib.c +@@ -592,8 +592,12 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name, + a = (ATTR_RECORD*)((u8*)ctx->attr + + le32_to_cpu(ctx->attr->length)); + for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) { +- if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec + +- le32_to_cpu(ctx->mrec->bytes_allocated)) ++ u8 *mrec_end = (u8 *)ctx->mrec + ++ le32_to_cpu(ctx->mrec->bytes_allocated); ++ u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) + ++ a->name_length * sizeof(ntfschar); ++ if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end || ++ name_end > mrec_end) + break; + ctx->attr = a; + if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) || +-- +2.44.0 + diff --git a/series.conf b/series.conf index 3e2adbc..353c972 100644 --- a/series.conf +++ b/series.conf @@ -30338,6 +30338,7 @@ patches.suse/lkdtm-disable-return-thunks-in-rodata-c.patch patches.suse/sched-deadline-Fix-BUG_ON-condition-for-deboosted-ta.patch patches.suse/perf-x86-intel-lbr-Fix-unchecked-MSR-access-error-on-HSW.patch + patches.suse/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch patches.suse/fs-sendfile-handles-O_NONBLOCK-of-out_fd.patch patches.suse/asm-generic-remove-a-broken-and-needless-ifdef-condi.patch patches.suse/watch_queue-Fix-missing-rcu-annotation.patch