From: Shreeya Patel
To: jack@suse.com
Cc: linux-kernel@vger.kernel.org, kernel@collabora.com, groeck@google.com, zsm@google.com, Shreeya Patel , syzbot+82df44ede2faca24c729@syzkaller.appspotmail.com
Subject: [PATCH] fs: udf: super.c: Fix a use-after-free issue in udf_finalize_lvid
Date: Tue, 31 Oct 2023 01:54:18 +0530
Message-Id: <20231030202418.847494-1-shreeya.patel@collabora.com>

Add some error handling cases in udf_sb_lvidiu() and redefine the
descCRCLength in order to avoid a use-after-free issue in
udf_finalize_lvid.
The following use-after-free issue was reported by syzbot:
https://syzkaller.appspot.com/bug?extid=46073c22edd7f242c028

BUG: KASAN: use-after-free in crc_itu_t+0x97/0xc8 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88816fba0000 by task syz-executor.0/32133

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x13c/0x462 mm/kasan/report.c:395
 kasan_report+0xa9/0xd5 mm/kasan/report.c:495
 crc_itu_t+0x97/0xc8 lib/crc-itu-t.c:60
 udf_finalize_lvid+0x111/0x23b fs/udf/super.c:2022
 udf_sync_fs+0xba/0x123 fs/udf/super.c:2378
 sync_filesystem+0xe8/0x216 fs/sync.c:56
 generic_shutdown_super+0x6b/0x334 fs/super.c:474
 kill_block_super+0x79/0xd6 fs/super.c:1459
 deactivate_locked_super+0xa0/0x101 fs/super.c:332
 cleanup_mnt+0x2de/0x361 fs/namespace.c:1192
 task_work_run+0x22b/0x2d4 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xc4/0xd3 kernel/entry/common.c:171
 exit_to_user_mode_prepare+0xb4/0x115 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0xae/0x278 kernel/entry/common.c:297
 do_syscall_64+0x5d/0x93 arch/x86/entry/common.c:99
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7e8195fb6e17

Fixes: ebbd5e99f60a ("udf: factor out LVID finalization for reuse")
Reported-by: syzbot+82df44ede2faca24c729@syzkaller.appspotmail.com
Signed-off-by: Shreeya Patel
---
 fs/udf/super.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 928a04d9d9e0..ca8f10eaa748 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -114,6 +114,10 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb) partnum = le32_to_cpu(lvid->numOfPartitions); /* The offset is to skip freeSpaceTable and sizeTable arrays */ offset = partnum * 2 * sizeof(uint32_t); + if (sb->s_blocksize < sizeof(*lvid) || (sb->s_blocksize - sizeof(*lvid)) < + (offset + sizeof(struct logicalVolIntegrityDescImpUse))) + return NULL; + return (struct logicalVolIntegrityDescImpUse *) (((uint8_t *)(lvid + 1)) + offset); } @@ -2337,6 +2341,8 @@ static int udf_sync_fs(struct super_block *sb, int wait) struct logicalVolIntegrityDesc *lvid; lvid = (struct logicalVolIntegrityDesc *)bh->b_data; + if ((le16_to_cpu(lvid->descTag.descCRCLength) + sizeof(struct tag)) > sb->s_blocksize) + lvid->descTag.descCRCLength = cpu_to_le16(sb->s_blocksize - sizeof(struct tag)); udf_finalize_lvid(lvid); /* -- 2.39.2
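Review bot: In the udf_sb_lvidiu() hunk, the new check turns what used to be a valid pointer into a NULL return on every call for a volume whose s_lvid_bh is present, but the patch does not show any caller of udf_sb_lvidiu() being taught to handle that NULL; please confirm each caller tolerates it, or better, validate numOfPartitions once where the LVID is loaded and refuse the descriptor there, so the arithmetic is not re-checked on every access. The reported trace runs crc_itu_t() <- udf_finalize_lvid() <- udf_sync_fs(), and udf_sb_lvidiu() is not on that path, so the commit message should say what this first hunk fixes, or it should go in a separate patch. Two smaller points: the condition would read better with the `<` at the start of the continuation line, or with `offset + sizeof(struct logicalVolIntegrityDescImpUse)` computed into a local before the `if`; and the syzbot link in the description (extid=46073c22edd7f242c028) and the Reported-by address (syzbot+82df44ede2faca24c729) name different extids, so one of them is wrong.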
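Review bot: In the udf_sync_fs() hunk, clamping descCRCLength right before udf_finalize_lvid() covers only this call site; the Fixes: commit says udf_finalize_lvid() was "factored out for reuse", so its other callers still hand it a descCRCLength that can exceed the block, and the same crc_itu_t() overread remains reachable through them. The check belongs either where the LVID is read (reject a descriptor whose `descCRCLength + sizeof(struct tag)` exceeds `sb->s_blocksize`, with an error message) or inside udf_finalize_lvid() itself. Clamping also silently rewrites the corrupt on-disk field and then writes the descriptor back with a freshly computed CRC, so a damaged image becomes internally consistent and the corruption can no longer be noticed; refusing to finalize a descriptor that fails the check is the safer behaviour.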
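As an added example, not code from this patch or from fs/udf, the following user-space model shows the two bounds checks the patch introduces and the CRC step that overran the block in the syzbot report: the descriptor tag and the leading LVID fields laid out as on disk, the same CRC as lib/crc-itu-t.c (polynomial 0x1021, MSB first, caller-supplied seed, which UDF seeds with 0), an ImpUse-area fit check mirroring the udf_sb_lvidiu() hunk, and a finalize step that rejects an oversized descCRCLength instead of clamping it. Struct sizes follow ECMA-167; LVIDIU_SIZE, lvidiu_fits(), tag_crc_len_ok(), finalize_tag_checked() and example_run() are names and assumptions of this example, and the 2048-byte block it finalizes is constructed inline.

```c
/*
 * Added example: a user-space model of the UDF descriptor tag, the fixed part
 * of the LVID, the crc_itu_t() CRC and the bounds checks from the patch.
 * Not kernel code; struct layouts per ECMA-167, sizes assumed by this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UDF_BLOCKSIZE 2048   /* block size used by the constructed sample */
#define LVIDIU_SIZE   46     /* assumed sizeof(struct logicalVolIntegrityDescImpUse) */

struct desc_tag {            /* ECMA-167 3/7.2 descriptor tag, 16 bytes, little-endian */
    uint16_t tagIdent;
    uint16_t descVersion;
    uint8_t  tagChecksum;
    uint8_t  reserved;
    uint16_t tagSerialNum;
    uint16_t descCRC;
    uint16_t descCRCLength;
    uint32_t tagLocation;
} __attribute__((packed));

struct lvid_hdr {            /* fixed part of the LVID, 80 bytes */
    struct desc_tag descTag;
    uint8_t  recordingDateAndTime[12];
    uint32_t integrityType;
    uint8_t  nextIntegrityExt[8];
    uint8_t  logicalVolContentsUse[32];
    uint32_t numOfPartitions;
    uint32_t lengthOfImpUse;
    /* followed by freeSpaceTable[n], sizeTable[n], then the ImpUse area */
} __attribute__((packed));

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Same CRC as lib/crc-itu-t.c (CRC-16, poly 0x1021, no reflection), bitwise form. */
uint16_t crc_itu_t(uint16_t crc, const uint8_t *buf, size_t len)
{
    while (len--) {
        crc ^= (uint16_t)(*buf++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Tag checksum: byte sum over the 16-byte tag, skipping the checksum byte (offset 4). */
static uint8_t tag_checksum(const uint8_t *tag)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < sizeof(struct desc_tag); i++)
        if (i != offsetof(struct desc_tag, tagChecksum))
            sum = (uint8_t)(sum + tag[i]);
    return sum;
}

/* The udf_sb_lvidiu() check: does the ImpUse area, after the two tables, lie inside the block?
 * The multiplication is guarded as well, since numOfPartitions comes from disk. */
int lvidiu_fits(size_t blocksize, uint32_t numOfPartitions)
{
    size_t offset, avail;
    if (numOfPartitions > SIZE_MAX / (2 * sizeof(uint32_t)))
        return 0;
    offset = (size_t)numOfPartitions * 2 * sizeof(uint32_t);
    if (blocksize < sizeof(struct lvid_hdr))
        return 0;
    avail = blocksize - sizeof(struct lvid_hdr);
    if (offset > avail)
        return 0;
    return avail - offset >= LVIDIU_SIZE;
}

/* The udf_sync_fs() condition, used as a reject rather than a clamp. */
int tag_crc_len_ok(size_t blocksize, uint16_t descCRCLength)
{
    return (size_t)descCRCLength + sizeof(struct desc_tag) <= blocksize;
}

/* What udf_finalize_lvid() does to the tag, but only after the length check.
 * Returns 0 on success, -1 if descCRCLength would run past the block (block untouched). */
int finalize_tag_checked(uint8_t *block, size_t blocksize)
{
    uint16_t len = get_le16(block + offsetof(struct desc_tag, descCRCLength));
    if (!tag_crc_len_ok(blocksize, len))
        return -1;
    put_le16(block + offsetof(struct desc_tag, descCRC),
             crc_itu_t(0, block + sizeof(struct desc_tag), len));
    block[offsetof(struct desc_tag, tagChecksum)] = tag_checksum(block);
    return 0;
}

/* Constructed sample: finalize a 2048-byte LVID block once with a sane descCRCLength
 * and once with an oversized one. Returns 0 when the sane case yields a matching CRC
 * and checksum and the oversized case is rejected without modifying the block. */
int example_run(void)
{
    static uint8_t block[UDF_BLOCKSIZE];
    uint8_t before[UDF_BLOCKSIZE];
    const uint16_t sane_len = (uint16_t)(UDF_BLOCKSIZE - sizeof(struct desc_tag));

    memset(block, 0, sizeof(block));
    put_le16(block + offsetof(struct desc_tag, tagIdent), 9);      /* tag identifier 9 = LVID */
    put_le16(block + offsetof(struct desc_tag, descVersion), 3);
    put_le32(block + offsetof(struct lvid_hdr, numOfPartitions), 1);
    for (size_t i = sizeof(struct lvid_hdr); i < sizeof(block); i++)
        block[i] = (uint8_t)i;                                        /* constructed payload */

    put_le16(block + offsetof(struct desc_tag, descCRCLength), sane_len);
    if (finalize_tag_checked(block, sizeof(block)) != 0)
        return 1;
    if (get_le16(block + offsetof(struct desc_tag, descCRC)) !=
        crc_itu_t(0, block + sizeof(struct desc_tag), sane_len))
        return 2;
    if (block[offsetof(struct desc_tag, tagChecksum)] != tag_checksum(block))
        return 3;

    put_le16(block + offsetof(struct desc_tag, descCRCLength), 0xFFFF);  /* oversized */
    memcpy(before, block, sizeof(block));
    if (finalize_tag_checked(block, sizeof(block)) != -1)
        return 4;
    if (memcmp(before, block, sizeof(block)) != 0)
        return 5;
    return 0;
}

int main(void)
{
    printf("crc_itu_t(\"123456789\") = 0x%04x\n",
           crc_itu_t(0, (const uint8_t *)"123456789", 9));
    printf("example_run() = %d\n", example_run());
    return 0;
}
```

The point of finalize_tag_checked() is the ordering: the length field is validated against the buffer it will be read over before any byte is touched, and a descriptor that fails the check is left as found rather than rewritten with a new CRC, so the corruption remains visible to whoever inspects the image later.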