android_kernel_xiaomi_sm8450/fs/ext4
Ye Bin c83ab50b6e BACKPORT: ext4: fix use-after-free in ext4_rename_dir_prepare
commit 0be698ecbe4471fcad80e81ec6a05001421041b3 upstream.

We got issue as follows:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
==================================================================
BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
Read of size 4 at addr ffff88810beee6ae by task rep/1895

CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
Call Trace:
 dump_stack+0xbe/0xf9
 print_address_description.constprop.0+0x1e/0x220
 kasan_report.cold+0x37/0x7f
 ext4_rename_dir_prepare+0x152/0x220
 ext4_rename+0xf44/0x1ad0
 ext4_rename2+0x11c/0x170
 vfs_rename+0xa84/0x1440
 do_renameat2+0x683/0x8f0
 __x64_sys_renameat+0x53/0x60
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f45a6fc41c9
RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
ext4_rename_dir_prepare: [3] dir=0xffff888124170140
ext4_rename_dir_prepare: [4] ino=2
ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872

The reason is that the first directory entry's 'rec_len' is 34478, so we get an illegal
parent entry. Currently, we do not check the directory entry after reading the directory
block in 'ext4_get_first_dir_block'.
To solve this issue, check the directory entry in 'ext4_get_first_dir_block'.

[ Trigger an ext4_error() instead of just warning if the directory is
  missing a '.' or '..' entry.   Also make sure we return an error code
  if the file system is corrupted.  -TYT ]

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ta: Adapt patch to cope with the android specific changes introduced in
commit 705a3e5b18 ("ANDROID: ext4: Handle casefolding with encryption").
Pass zero value for lblk when calling ext4_check_dir_entry().]
Cc: Daniel Rosenberg <drosen@google.com>
Reported-and-tested-by: syzbot+a07b88e6427ec1c97aa5@syzkaller.appspotmail.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Change-Id: I9d4218ffa0ddae2aa75aa4755221ef7f856b04e9
2023-01-13 08:55:46 +00:00
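The mechanism the commit message describes, as an added example in C that is not code from this repository or from the upstream kernel: a directory block whose first entry carries the rec_len 34478 from the report, the pre-fix arithmetic that steps to the '..' entry by that rec_len without validating it, and a lookup guarded by checks patterned on ext4_check_dir_entry(). The struct ext4_dir_entry_2 layout is the real on-disk one; the helper names (put_entry, block_with, check_dir_entry, parent_inode_checked, parent_inode_for), the block contents and the reason strings are constructed for the demo. Note that 34478 is 0x86ae, which is exactly parent_de minus bh->b_data in the KASAN report above (0x...beee6ae - 0x...bee6000), i.e. the computed '..' entry sat more than seven pages past the end of the 4096-byte block.

```c
/*
 * Added example, not code from this repository or the kernel. It models the
 * '.'/'..' lookup in ext4_get_first_dir_block(): first the pre-fix arithmetic
 * that trusts rec_len, then a lookup guarded by checks patterned on
 * ext4_check_dir_entry(). Block contents, helper names and reason strings are
 * constructed here. Assumes a little-endian host (the kernel uses le16/le32).
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE   4096u
#define EFSCORRUPTED 117                  /* EUCLEAN, ext4's errno for on-disk corruption */
/* Minimal record length for a name_len-byte name: 8-byte header + name, rounded up to 4. */
#define EXT4_DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3u)

struct ext4_dir_entry_2 {                 /* on-disk layout from fs/ext4/ext4.h */
    uint32_t inode;
    uint16_t rec_len;
    uint8_t  name_len, file_type;
    char     name[255];
};
struct dir_block { uint8_t data[BLOCK_SIZE]; };   /* stands in for bh->b_data */
#define DE_AT(blk, off) ((const struct ext4_dir_entry_2 *)((blk)->data + (off)))

/* Write one entry at 'off'; return the offset its rec_len points to. */
static size_t put_entry(struct dir_block *blk, size_t off, uint32_t ino, uint16_t rec_len, const char *name)
{
    struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)(blk->data + off);
    de->inode = ino; de->rec_len = rec_len; de->file_type = 2;   /* EXT4_FT_DIR */
    de->name_len = (uint8_t)strlen(name);
    memcpy(de->name, name, de->name_len);
    return off + rec_len;
}

/* Constructed root-directory block (inode 2) in static storage: '.' with the
 * given rec_len, then '..' filling the rest of the block when room is left. */
static const struct dir_block *block_with(uint16_t first_rec_len)
{
    static struct dir_block blk;
    memset(blk.data, 0, sizeof blk.data);
    size_t off = put_entry(&blk, 0, 2, first_rec_len, ".");
    if (off + EXT4_DIR_REC_LEN(2) <= BLOCK_SIZE)
        put_entry(&blk, off, 2, (uint16_t)(BLOCK_SIZE - off), "..");
    return &blk;
}

/* Pre-fix arithmetic: '..' is simply first entry + rec_len, unvalidated. For
 * 34478 (0x86ae) that is far past a 4096-byte block; the old code dereferenced it. */
static size_t unchecked_parent_offset(const struct dir_block *blk)
{
    return DE_AT(blk, 0)->rec_len;
}

/* Subset of __ext4_check_dir_entry()'s checks for the entry at 'off' in a
 * 'size'-byte block: 0 if sane, else -1 with a constructed reason in *why. */
static int check_dir_entry(const struct dir_block *blk, size_t off, size_t size,
                           uint32_t s_inodes_count, const char **why)
{
    const struct ext4_dir_entry_2 *de;
    unsigned rlen;
    if (off + 8 > size) { *why = "entry header overruns block"; return -1; }
    de = DE_AT(blk, off); rlen = de->rec_len;
    if (rlen < EXT4_DIR_REC_LEN(1)) { *why = "rec_len is smaller than minimal"; return -1; }
    if (rlen & 3) { *why = "rec_len % 4 != 0"; return -1; }
    if (rlen < EXT4_DIR_REC_LEN(de->name_len)) { *why = "rec_len is too small for name_len"; return -1; }
    if (off + rlen > size) { *why = "directory entry overrun"; return -1; }
    if (de->inode > s_inodes_count) { *why = "inode out of bounds"; return -1; }
    return 0;
}

/* Post-fix shape of the lookup: validate the first entry and require '.', only
 * then step by rec_len, validate that entry too and require '..'.
 * Returns the parent inode, or -EFSCORRUPTED with *why set ("" when sane). */
static long parent_inode_checked(const struct dir_block *blk, uint32_t dir_ino,
                                 uint32_t s_inodes_count, const char **why)
{
    const struct ext4_dir_entry_2 *de;
    size_t next;
    *why = "";
    if (check_dir_entry(blk, 0, BLOCK_SIZE, s_inodes_count, why))
        return -EFSCORRUPTED;
    de = DE_AT(blk, 0);
    if (de->inode != dir_ino || de->name_len != 1 || de->name[0] != '.')
        { *why = "first entry is not '.'"; return -EFSCORRUPTED; }
    next = de->rec_len;                   /* trusted only because the check above passed */
    if (check_dir_entry(blk, next, BLOCK_SIZE, s_inodes_count, why))
        return -EFSCORRUPTED;
    de = DE_AT(blk, next);
    if (de->name_len != 2 || memcmp(de->name, "..", 2) != 0)
        { *why = "second entry is not '..'"; return -EFSCORRUPTED; }
    return de->inode;
}

/* Wrapper: run the checked lookup on a block whose '.' has the given rec_len
 * (directory inode 2, 1000 inodes in the filesystem); reason lands in last_reason. */
static const char *last_reason;
static long parent_inode_for(uint16_t first_rec_len)
{
    return parent_inode_checked(block_with(first_rec_len), 2, 1000, &last_reason);
}
```

With the sane block ('.' of rec_len 12, '..' of rec_len 4084) the checked lookup returns inode 2. With rec_len 34478 it is rejected on the alignment check before any pointer is formed, a rec_len of 34480 is rejected as a directory entry overrun, and a rec_len of exactly 4096 (a '.' that swallows the whole block) is rejected because the '..' header would start at the block boundary; each failure maps to the -EFSCORRUPTED return the backport added.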
acl.c ext4: main fast-commit commit path 2020-10-21 23:22:37 -04:00
acl.h
balloc.c ext4: shrink race window in ext4_should_retry_alloc() 2021-04-07 15:00:03 +02:00
bitmap.c
block_validity.c ext4: rename system_blks to s_system_blks inside ext4_sb_info 2020-10-18 10:36:59 -04:00
dir.c This is the 5.10.71 stable release 2021-10-06 17:33:06 +02:00
ext4_extents.h
ext4_jbd2.c ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits' 2022-01-27 10:54:28 +01:00
ext4_jbd2.h
ext4.h This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
extents_status.c ext4: remove check for zero nr_to_scan in ext4_es_scan() 2021-07-14 16:55:41 +02:00
extents_status.h
extents.c ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 2022-09-28 11:10:41 +02:00
fast_commit.c ext4: fix incorrect type issue during replay_del_range 2022-02-08 18:30:41 +01:00
fast_commit.h ext4: fix fast commit alignment issues 2021-06-10 13:39:26 +02:00
file.c Merge 5.10.36 into android12-5.10 2021-05-13 14:22:11 +02:00
fsmap.c Revert "treewide: Change list_sort to use const pointers" 2021-10-04 11:07:40 +02:00
fsmap.h
fsync.c ext4: make s_mount_flags modifications atomic 2020-11-06 23:01:05 -05:00
hash.c ANDROID: ext4: fix encrypt+casefold support 2020-11-11 18:43:09 +00:00
ialloc.c This is the 5.10.146 stable release 2022-09-29 17:06:30 +02:00
indirect.c ext4: use ext4_sb_bread() instead of sb_bread() 2020-10-18 10:37:14 -04:00
inline.c This is the 5.10.137 stable release 2022-08-29 16:53:14 +02:00
inode-test.c
inode.c This is the 5.10.137 stable release 2022-08-29 16:53:14 +02:00
ioctl.c This is the 5.10.94 stable release 2022-01-27 11:49:22 +01:00
Kconfig ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it 2021-03-04 11:38:15 +01:00
Makefile ext4 / jbd2: add fast commit initialization 2020-10-21 23:22:26 -04:00
mballoc.c ext4: limit the number of retries after discarding preallocations blocks 2022-09-28 11:10:41 +02:00
mballoc.h ext4: limit the length of per-inode prealloc list 2020-08-19 12:04:36 -04:00
migrate.c ext4: recover csum seed of tmp_inode after migrating to extents 2022-08-21 15:16:03 +02:00
mmp.c ext4: fix possible UAF when remounting r/o a mmp-protected file system 2021-11-02 19:48:18 +01:00
move_extent.c ext4: use common helpers in all places reading metadata buffers 2020-10-18 10:37:14 -04:00
namei.c BACKPORT: ext4: fix use-after-free in ext4_rename_dir_prepare 2023-01-13 08:55:46 +00:00
page-io.c ext4: fix symlink file size not match to file content 2022-04-27 13:53:56 +02:00
readpage.c Linux 5.9-rc2 2020-08-24 10:01:23 +02:00
resize.c ext4: avoid resizing to a partial cluster size 2022-08-25 11:38:18 +02:00
super.c This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
symlink.c ext4: report correct st_size for encrypted symlinks 2021-09-08 08:48:59 +02:00
sysfs.c ext4: shrink race window in ext4_should_retry_alloc() 2021-04-07 15:00:03 +02:00
truncate.h
verity.c BACKPORT: ext4,f2fs: fix readahead of verity data 2022-11-15 01:01:46 +00:00
xattr_hurd.c
xattr_security.c
xattr_trusted.c
xattr_user.c
xattr.c ext4: fix use-after-free in ext4_xattr_set_entry 2022-08-21 15:16:23 +02:00
xattr.h ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h 2022-08-21 15:16:23 +02:00