Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp6084153iob; Tue, 10 May 2022 09:58:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJysunPHd1AjuDSEPOiU4rL33iDZfHKRNeSGkvR5fo2e2AG4IpTLmmskT/mUyB3B/30SbSVC X-Received: by 2002:a17:903:41ce:b0:15e:ae15:2910 with SMTP id u14-20020a17090341ce00b0015eae152910mr21945270ple.21.1652201922383; Tue, 10 May 2022 09:58:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652201922; cv=none; d=google.com; s=arc-20160816; b=Z89XhnELMt0FWTqIoStdgWy+bRPY0Q+YcHU71zJDQMfuPMvP8DReeACjP3fYWJzOFt 61O0H2TmSO51eZNHmuz3tlzJxJ3qk1VmEC9WYHmB8zGLtrxTKtWNJiZjE8Ykajn5oNgR NAKIQB67rfOfVBxU/DOmtRhVj0aLk8Lv/ZY+HuaC2Zdc4NOceMaGmpMa9SW2Jdv89tMW DeJ3/sZLM4dDoq6UV6xPlfGxm4AqWE2vVzUGvPfYvFNIdYqJF4uY5hShFW3rA5x3mBKd CoPZqcwf+CCpsynAC4sBhceaALde3kEpgwzQN3eDGJJ1Mluv95JSsQZL3cPnkM3yk5Xf NnWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=o3MNMfYAzBmcTCGWbN4PU5xoySsicFXm7oS2gQCk3PM=; b=MvKEjCqte+xxpwhJywO2rHIm7V2ND3VF3LlOUs97+WLmPXv9dS80T76QIutHFfwfDA tfKDuTbv/zvguN8xa5wF5BHeMDKL0R2Zrg+YJLOx6r50m1wSJS6Y7kggHSI6IRfz+LGo SlyFBa/QVCGAdmaRr81xFHquU3YMWRdqkaviuWOIuDs7CoDVG/qAPdOpPpHdeF8G0Sjo vmiWZyj2A1L9O0AFgWtWkXrIYlB40y7/YI8vKGQwX18JYXBmvMSm1hixUKDQoAx2RtaF Uh9E3dJ6DfKIdvkLfbQB4QIG8d6D3Jlkdw+wfGEX/q2KJwIU8Ka6T0isQtQSE14qVYja PWNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=1dFLSVWL; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b127-20020a62cf85000000b0050e0b4a4721si17502193pfg.277.2022.05.10.09.58.24; Tue, 10 May 2022 09:58:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=1dFLSVWL; dkim=neutral (no key) header.i=@suse.cz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240991AbiEJLcm (ORCPT + 99 others); Tue, 10 May 2022 07:32:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238682AbiEJLck (ORCPT ); Tue, 10 May 2022 07:32:40 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 606F524DC00; Tue, 10 May 2022 04:28:43 -0700 (PDT) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out2.suse.de (Postfix) with ESMTP id F13281F8B5; Tue, 10 May 2022 11:28:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1652182121; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=o3MNMfYAzBmcTCGWbN4PU5xoySsicFXm7oS2gQCk3PM=; b=1dFLSVWLYnS0PIpslKIMUpWl8LjaxLlNBHKDubjTk6onQXqgZH5a0/Z5GeUA3bHMl8xojF d9I2UmLnaMPoeviFv4q5kPwkzmfxbbIfOpRLTioqMuHT+8nuHt6Jhrv8iNqwa5qzA89XAj Lg9iWgj57Z6kYOgecr0iyuShQgkv9lc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1652182121; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=o3MNMfYAzBmcTCGWbN4PU5xoySsicFXm7oS2gQCk3PM=; b=kkU6z+n9RITqF8SMik6rIWdkljq8WB0PgIdPVNvAnPTw2Fs3gxyM+0MeKmAS3lsuTGxcti p/8yZNfoWEFHk2AA== Received: from quack3.suse.cz (unknown [10.163.28.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id DFDB72C141; Tue, 10 May 2022 11:28:41 +0000 (UTC) Received: by quack3.suse.cz (Postfix, from userid 1000) id 8BAB1A062A; Tue, 10 May 2022 13:28:38 +0200 (CEST) Date: Tue, 10 May 2022 13:28:38 +0200 From: Jan Kara To: butt3rflyh4ck Cc: jack@suse.com, LKML , linux-fsdevel@vger.kernel.org Subject: Re: A slab-out-of-bounds Write when invoke udf_write_fi via ioctl Message-ID: <20220510112838.zfx2sxyoh4ewmjxr@quack3.lan> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue 10-05-22 15:14:42, butt3rflyh4ck wrote: > Hi, if mounts a malicious udf image, there is a slab out of bounds > write bug when a user invokes udf_write_fi via ioctl. > I have reproduced it in the latest kernel. > > ##smaple analyse > the function call chains: > do_sys_open > --->do_sys_openat2 > --->do_filp_open > --->path_openat > --->open_last_lookups > --->lookup_open > --->udf_add_nondir > --->udf_add_entry > > There would traverse to get a `fi` in the function udf_add_entry. > ``` > if (dinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { [1] > block = dinfo->i_location.logicalBlockNum; > fi = (struct fileIdentDesc *) > (dinfo->i_data + fibh->soffset - > udf_ext0_offset(dir) + > dinfo->i_lenEAttr); > [2] > } else { > block = eloc.logicalBlockNum + > ((elen - 1) >> > dir->i_sb->s_blocksize_bits); > fi = (struct fileIdentDesc *) > (fibh->sbh->b_data + fibh->soffset); > } > ``` > [1] if dinfo->i_alloc_type is ICBTAG_FLAG_AD_IN_ICB, [2] it would > calculate an offset as `fi`, > through the debugger, the `fi` is as below: > ``` > p/x *(struct fileIdentDesc*)fi > $24 = { > descTag = { > tagIdent = 0x2f70, > descVersion = 0xea55, > tagChecksum = 0xcd, > reserved = 0x66, > tagSerialNum = 0x511f, > descCRC = 0x5a9c, > descCRCLength = 0x5142, > tagLocation = 0x373ce06a > }, > fileVersionNum = 0x3139, > fileCharacteristics = 0xf6, > lengthFileIdent = 0x7e, > icb = { > extLength = 0x6059792, > extLocation = { > logicalBlockNum = 0x73886466, > partitionReferenceNum = 0x7cc6 > }, > impUse = {0x3c, 0xcc, 0x4a, 0xed, 0xdc, 0xfb} > }, > lengthOfImpUse = 0x1a6a, > impUse = 0xffff888019ca716a > } > ``` > These data are wrong and all data are part of udf image mounted. > Then next it would invoke function udf_write_fi to write fileident into `fi`. > ``` > if (fileident) { > if (adinicb || (offset + lfi < 0)) { > memcpy(udf_get_fi_ident(sfi), fileident, lfi); [3] > } else if (offset >= 0) { > memcpy(fibh->ebh->b_data + offset, fileident, lfi); > } else { > memcpy(udf_get_fi_ident(sfi), fileident, -offset); > memcpy(fibh->ebh->b_data, fileident - offset, > lfi + offset); > } > } > ``` > The fileident was controlled by user. `sfi` is `fi`, the memcpy > function is called to copy the data, so an out-of-bounds write occurs Thanks for report and the analysis. This is indeed a serious bug. I'll send a fix shortly. Honza -- Jan Kara SUSE Labs, CR