|
Message-ID: <CADCqBhCB1q4Q+_0zuMG6M=BqizH4dmPwhkyKeOb_Pvd1uzbUGA@mail.gmail.com> Date: Wed, 19 Apr 2023 11:57:31 +0800 From: Kyle Zeng <yzeng56@....edu> To: oss-security@...ts.openwall.com Cc: Fish Wang <fishw@....edu>, Akshay Ajayan <aajayan@....edu> Subject: CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem Hi there, We recently found a slab OOB access bug in the Linux kernel's XFS subsystem. It can cause denial-of-service and potentially privilege escalation. The root cause of the bug is a missing metadata validation when mounting a user-supplied XFS disk image. More specifically, in a corner case where there is a dirty log with a buffer log item for an AGF and the on-disk buffer appears to be newer, XFS will discard the old dirty log and directly use the newer on-disk buffer without validating its content. This can lead to malformed metadata flow into the kernel and cause catastrophic results. More details can be found in the patch mentioned below. The patch for this bug can be found here: https://lore.kernel.org/linux-xfs/20230412214034.GL3223426@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d It has been merged into linux-next, 22ed903eee23 ("xfs: verify buffer contents when we skip log replay") and will be merged into the main tree soon. Notice that we are aware of two different crashes this bug can lead to (the one we found because of invalid `agi_level`, and the one discussed in the patch: invalid refcountbt), it is possible that this bug can be exploitable to achieve LPE. A crash log is attached to the email. Best, Kyle Zeng Akshay Ajayan Fish Wang ================================================= root@pwn:~# mount 2 test [ 11.652439] loop0: detected capacity change from 0 to 32768 [ 11.702972] XFS (loop0): Mounting V5 Filesystem 58c42324-ea61-4f93-a670-9fa85a561ec4 [ 11.704748] XFS (loop0): null uuid in log - IRIX style log [ 11.705545] XFS (loop0): Torn write (CRC failure) detected at log block 0x9. Truncating head block from 0x10. [ 11.759259] XFS (loop0): Starting recovery (logdev: internal) [ 11.760440] XFS (loop0): Metadata corruption detected at xfs_btree_lookup_get_block+0x259/0x2d0, xfs_inobt block 0x18 [ 11.760950] XFS (loop0): Unmount and run xfs_repair [ 11.761195] general protection fault, probably for non-canonical address 0x6043be0fbf88a15d: 0000 [#1] PREEMPT SMP NOPTI [ 11.761740] CPU: 2 PID: 510 Comm: mount Not tainted 6.3.0-rc6 #9 [ 11.762018] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 11.762433] RIP: 0010:xfs_trans_brelse+0x1c/0x1b0 [ 11.762668] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 e7 b3 4c ff 48 85 db <4d> 8b ac 24 e0 00 00 00 0f 84 5b 01 00 00 e8 d1 b3 4c ff 66 90 e8 [ 11.763497] RSP: 0018:ffffa91541c07ab0 EFLAGS: 00010246 [ 11.763746] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff939e5529 [ 11.764071] RDX: ffff8d01062b3f80 RSI: 0000000000000000 RDI: 0000000000000000 [ 11.764398] RBP: ffffa91541c07ac8 R08: ffff8d01062b3f80 R09: 0000000000000000 [ 11.764725] R10: 000000006f6c2820 R11: 0000000020534658 R12: 6043be0fbf88a07d [ 11.765049] R13: 00000000ffffff8b R14: 6043be0fbf88a07d R15: ffff8d0101db2000 [ 11.765375] FS: 00007f06d7a5ee40(0000) GS:ffff8d013ed00000(0000) knlGS:0000000000000000 [ 11.765742] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 11.766009] CR2: 000000000070bdb4 CR3: 0000000006396006 CR4: 0000000000770ee0 [ 11.766336] PKRU: 55555554 [ 11.766467] Call Trace: [ 11.766590] <TASK> [ 11.766706] xfs_btree_del_cursor+0x45/0x120 [ 11.766918] xfs_imap_lookup+0x190/0x2d0 [ 11.767111] ? kmem_cache_alloc+0x17e/0x330 [ 11.767319] xfs_imap+0x35a/0x4c0 [ 11.767486] xfs_iget+0x4c7/0x10f0 [ 11.767662] xfs_mountfs+0x776/0xe00 [ 11.767837] xfs_fs_fill_super+0x9ee/0xdc0 [ 11.768037] get_tree_bdev+0x22b/0x350 [ 11.768217] ? __pfx_xfs_fs_fill_super+0x10/0x10 [ 11.768439] xfs_fs_get_tree+0x22/0x30 [ 11.768621] vfs_get_tree+0x35/0x130 [ 11.768797] path_mount+0xc64/0x1110 [ 11.768973] __x64_sys_mount+0x19a/0x1f0 [ 11.769164] do_syscall_64+0x59/0x90 [ 11.769348] ? syscall_exit_to_user_mode+0x30/0x60 [ 11.769576] ? do_syscall_64+0x69/0x90 [ 11.769757] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 11.769998] RIP: 0033:0x7f06d6ce948a [ 11.770168] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d de f9 2a 00 f7 d8 64 89 01 48 [ 11.770999] RSP: 002b:00007fffdcf3fae8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 11.771345] RAX: ffffffffffffffda RBX: 0000559716172060 RCX: 00007f06d6ce948a [ 11.771674] RDX: 0000559716174740 RSI: 0000559716173f40 RDI: 000055971617b2a0 [ 11.772000] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000020 [ 11.772352] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 000055971617b2a0 [ 11.772696] R13: 0000559716174740 R14: 0000000000000000 R15: 00000000ffffffff [ 11.773022] </TASK> [ 11.773130] Modules linked in: [ 11.773303] ---[ end trace 0000000000000000 ]--- [ 11.773601] RIP: 0010:xfs_trans_brelse+0x1c/0x1b0 [ 11.773825] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 e7 b3 4c ff 48 85 db <4d> 8b ac 24 e0 00 00 00 0f 84 5b 01 00 00 e8 d1 b3 4c ff 66 90 e8 [ 11.774693] RSP: 0018:ffffa91541c07ab0 EFLAGS: 00010246 [ 11.774977] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff939e5529 [ 11.775313] RDX: ffff8d01062b3f80 RSI: 0000000000000000 RDI: 0000000000000000 [ 11.775654] RBP: ffffa91541c07ac8 R08: ffff8d01062b3f80 R09: 0000000000000000 [ 11.775979] R10: 000000006f6c2820 R11: 0000000020534658 R12: 6043be0fbf88a07d [ 11.776307] R13: 00000000ffffff8b R14: 6043be0fbf88a07d R15: ffff8d0101db2000 [ 11.776636] FS: 00007f06d7a5ee40(0000) GS:ffff8d013ed00000(0000) knlGS:0000000000000000 [ 11.777003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 11.777269] CR2: 000000000070bdb4 CR3: 0000000006396006 CR4: 0000000000770ee0 [ 11.777595] PKRU: 55555554 ============
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.