2024-05-09 03:08:41

by Ubisectech Sirius

[permalink] [raw]
Subject: KASAN: slab-use-after-free Read in journal_replay_entry_early

Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.

Stack dump:

bcachefs (loop0): recovering from clean shutdown, journal seq 10
bcachefs (loop0): Version downgrade required:
==================================================================
BUG: KASAN: slab-use-after-free in journal_replay_entry_early+0xab0/0xf70 fs/bcachefs/recovery.c:221
Read of size 1 at addr ffff88801737201c by task syz-executor278/8073

CPU: 0 PID: 8073 Comm: syz-executor278 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc1/0x5e0 mm/kasan/report.c:475
kasan_report+0xbe/0xf0 mm/kasan/report.c:588
journal_replay_entry_early+0xab0/0xf70 fs/bcachefs/recovery.c:221
journal_replay_early fs/bcachefs/recovery.c:327 [inline]
bch2_fs_recovery+0x18d8/0x52d0 fs/bcachefs/recovery.c:873
bch2_fs_start+0x365/0x5e0 fs/bcachefs/super.c:978
bch2_fs_open+0x1ac9/0x3890 fs/bcachefs/super.c:1968
bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863
legacy_get_tree+0x109/0x220 fs/fs_context.c:662
vfs_get_tree+0x93/0x380 fs/super.c:1771
do_new_mount fs/namespace.c:3337 [inline]
path_mount+0x679/0x1e40 fs/namespace.c:3664
do_mount fs/namespace.c:3677 [inline]
__do_sys_mount fs/namespace.c:3886 [inline]
__se_sys_mount fs/namespace.c:3863 [inline]
__x64_sys_mount+0x287/0x310 fs/namespace.c:3863
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fc416fa94ae
Code: 48 c7 c0 ff ff ff ff eb aa e8 de 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd3ecf6078 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000555556e45378 RCX: 00007fc416fa94ae
RDX: 0000000020000440 RSI: 0000000020000300 RDI: 00007ffd3ecf6090
RBP: 00007ffd3ecf6090 R08: 00007ffd3ecf60d0 R09: 00000000000119ee
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000000000
R13: 00007ffd3ecf60d0 R14: 0000000000000003 R15: 0000000000000000
</TASK>

Allocated by task 8060:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
____kasan_kmalloc mm/kasan/common.c:333 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc+0x5d/0xd0 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xc3/0x600 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x233/0x420 security/tomoyo/file.c:822
security_inode_getattr+0xd6/0x150 security/security.c:2153
vfs_getattr fs/stat.c:173 [inline]
vfs_fstat+0x4a/0xc0 fs/stat.c:198
__do_sys_newfstat+0x7a/0xf0 fs/stat.c:473
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 8060:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x162/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x95/0x1d0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
tomoyo_realpath_from_path+0x193/0x600 security/tomoyo/realpath.c:286
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x233/0x420 security/tomoyo/file.c:822
security_inode_getattr+0xd6/0x150 security/security.c:2153
vfs_getattr fs/stat.c:173 [inline]
vfs_fstat+0x4a/0xc0 fs/stat.c:198
__do_sys_newfstat+0x7a/0xf0 fs/stat.c:473
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77

The buggy address belongs to the object at ffff888017372000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 28 bytes inside of
freed 4096-byte region [ffff888017372000, ffff888017373000)

The buggy address belongs to the physical page:
page:ffffea00005cdc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17370
head:ffffea00005cdc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888014842140 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 3759497451, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2dd/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xd38/0x2fa0 mm/page_alloc.c:3312
__alloc_pages+0x21d/0x21f0 mm/page_alloc.c:4568
alloc_pages_mpol+0x245/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x28f/0x3d0 mm/slub.c:2070
___slab_alloc+0xac4/0x1480 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x132/0x330 mm/slub.c:3517
kmalloc_trace+0x26/0x60 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
kobject_uevent_env+0x236/0x16e0 lib/kobject_uevent.c:524
device_add+0x10de/0x1a60 drivers/base/core.c:3606
tick_init_sysfs kernel/time/clockevents.c:758 [inline]
clockevents_init_sysfs+0x13f/0x2d0 kernel/time/clockevents.c:774
do_one_initcall+0x105/0x660 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x66f/0xbb0 init/main.c:1551
kernel_init+0x1e/0x2c0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
page_owner free stack trace missing

Memory state around the buggy address:
ffff888017371f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888017371f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888017372000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888017372080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888017372100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Thank you for taking the time to read this email and we look forward to working with you further.













Attachments:
poc.c (331.75 kB)