Message ID | 1591326067-29972-1-git-send-email-yangyingliang@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | hfs: fix null-ptr-deref in hfs_find_init() | expand |
Hi Yang, > On Jun 5, 2020, at 6:01 AM, Yang Yingliang <yangyingliang@huawei.com> wrote: > > There is a null-ptr-deref in hfs_find_init(): > > [ 107.092729] hfs: continuing without an alternate MDB > [ 107.097632] general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI > [ 107.104679] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] > [ 107.109100] CPU: 0 PID: 379 Comm: hfs_inject Not tainted 5.7.0-rc7-00001-g24627f5f2973 #897 > [ 107.114142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 > [ 107.121095] RIP: 0010:hfs_find_init+0x72/0x170 > [ 107.123609] Code: c1 ea 03 80 3c 02 00 0f 85 e6 00 00 00 4c 8d 65 40 48 c7 43 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a5 00 00 00 8b 45 40 be c0 0c > [ 107.134660] RSP: 0018:ffff88810291f3f8 EFLAGS: 00010202 > [ 107.137897] RAX: dffffc0000000000 RBX: ffff88810291f468 RCX: 1ffff110175cdf05 > [ 107.141874] RDX: 0000000000000008 RSI: ffff88810291f468 RDI: ffff88810291f480 > [ 107.145844] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020381013 > [ 107.149431] R10: ffff88810291f500 R11: ffffed1020381012 R12: 0000000000000040 > [ 107.152315] R13: 0000000000000000 R14: ffff888101c0814a R15: ffff88810291f468 > [ 107.155464] FS: 00000000009ea880(0000) GS:ffff88810c600000(0000) knlGS:0000000000000000 > [ 107.159795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 107.162987] CR2: 00005605a19dd284 CR3: 0000000103a0c006 CR4: 0000000000020ef0 > [ 107.166665] Call Trace: > [ 107.167969] ? find_held_lock+0x33/0x1c0 > [ 107.169972] hfs_ext_read_extent+0x16b/0xb00 > [ 107.172092] ? create_page_buffers+0x14e/0x1b0 > [ 107.174303] ? hfs_free_extents+0x280/0x280 > [ 107.176437] ? lock_downgrade+0x730/0x730 > [ 107.178272] hfs_get_block+0x496/0x8a0 > [ 107.179972] block_read_full_page+0x241/0x8d0 > [ 107.181971] ? hfs_extend_file+0xae0/0xae0 > [ 107.183814] ? end_buffer_async_read_io+0x10/0x10 > [ 107.185954] ? add_to_page_cache_lru+0x13f/0x1f0 > [ 107.188006] ? add_to_page_cache_locked+0x10/0x10 > [ 107.190175] do_read_cache_page+0xc6a/0x1180 > [ 107.192096] ? generic_file_read_iter+0x4c0/0x4c0 > [ 107.194234] ? hfs_btree_open+0x408/0x1000 > [ 107.196068] ? lock_downgrade+0x730/0x730 > [ 107.197926] ? wake_bit_function+0x180/0x180 > [ 107.199845] ? lockdep_init_map_waits+0x267/0x7c0 > [ 107.201895] hfs_btree_open+0x455/0x1000 > [ 107.203479] hfs_mdb_get+0x122c/0x1ae8 > [ 107.205065] ? hfs_mdb_put+0x350/0x350 > [ 107.206590] ? queue_work_node+0x260/0x260 > [ 107.208309] ? rcu_read_lock_sched_held+0xa1/0xd0 > [ 107.210227] ? lockdep_init_map_waits+0x267/0x7c0 > [ 107.212144] ? lockdep_init_map_waits+0x267/0x7c0 > [ 107.213979] hfs_fill_super+0x9ba/0x1280 > [ 107.215444] ? bdev_name.isra.9+0xf1/0x2b0 > [ 107.217028] ? hfs_remount+0x190/0x190 > [ 107.218428] ? pointer+0x5da/0x710 > [ 107.219745] ? file_dentry_name+0xf0/0xf0 > [ 107.221262] ? mount_bdev+0xd1/0x330 > [ 107.222592] ? vsnprintf+0x7bd/0x1250 > [ 107.224007] ? pointer+0x710/0x710 > [ 107.225332] ? down_write+0xe5/0x160 > [ 107.226698] ? hfs_remount+0x190/0x190 > [ 107.228120] ? snprintf+0x91/0xc0 > [ 107.229388] ? vsprintf+0x10/0x10 > [ 107.230628] ? sget+0x3af/0x4a0 > [ 107.231848] ? hfs_remount+0x190/0x190 > [ 107.233300] mount_bdev+0x26e/0x330 > [ 107.234611] ? hfs_statfs+0x540/0x540 > [ 107.236015] legacy_get_tree+0x101/0x1f0 > [ 107.237431] ? security_capable+0x58/0x90 > [ 107.238832] vfs_get_tree+0x89/0x2d0 > [ 107.240082] ? ns_capable_common+0x5c/0xd0 > [ 107.241521] do_mount+0xd8a/0x1720 > [ 107.242727] ? lock_downgrade+0x730/0x730 > [ 107.244116] ? copy_mount_string+0x20/0x20 > [ 107.245557] ? _copy_from_user+0xbe/0x100 > [ 107.246967] ? memdup_user+0x47/0x70 > [ 107.248212] __x64_sys_mount+0x162/0x1b0 > [ 107.249537] do_syscall_64+0xa5/0x4f0 > [ 107.250742] entry_SYSCALL_64_after_hwframe+0x49/0xb3 > [ 107.252369] RIP: 0033:0x44e8ea > [ 107.253360] Code: 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 > [ 107.259240] RSP: 002b:00007ffd910e4c28 EFLAGS: 00000207 ORIG_RAX: 00000000000000a5 > [ 107.261668] RAX: ffffffffffffffda RBX: 0000000000400400 RCX: 000000000044e8ea > [ 107.263920] RDX: 000000000049321e RSI: 0000000000493222 RDI: 00007ffd910e4d00 > [ 107.266177] RBP: 00007ffd910e5d10 R08: 0000000000000000 R09: 000000000000000a > [ 107.268451] R10: 0000000000000001 R11: 0000000000000207 R12: 0000000000401c40 > [ 107.270721] R13: 0000000000000000 R14: 00000000006ba018 R15: 0000000000000000 > [ 107.273025] Modules linked in: > [ 107.274029] Dumping ftrace buffer: > [ 107.275121] (ftrace buffer empty) > [ 107.276370] ---[ end trace c5e0b9d684f3570e ]--- > > We need check tree in hfs_find_init(). > > https://lore.kernel.org/linux-fsdevel/20180419024358.GA5215@bombadil.infradead.org/ > https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 > References: CVE-2018-12928 > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > fs/hfs/bfind.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c > index 4af318f..aafa6bd 100644 > --- a/fs/hfs/bfind.c > +++ b/fs/hfs/bfind.c > @@ -16,6 +16,8 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) > { > void *ptr; > > + if (!tree) > + return -EINVAL; Looks good. But we have the same issue in HFS+ driver. Could you prepare the patch for HFS+ too? By the way, what is the reason for extents tree pointer to be NULL? Do we have the empty file in this use-case? Thanks, Viacheslav Dubeyko. > fd->tree = tree; > fd->bnode = NULL; > ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); > -- > 1.8.3 >
Hi, On 2020/6/9 16:06, Viacheslav Dubeyko wrote: > Hi Yang, > >> On Jun 5, 2020, at 6:01 AM, Yang Yingliang <yangyingliang@huawei.com> wrote: >> >> There is a null-ptr-deref in hfs_find_init(): >> >> [ 107.092729] hfs: continuing without an alternate MDB >> [ 107.097632] general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI >> [ 107.104679] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] >> [ 107.109100] CPU: 0 PID: 379 Comm: hfs_inject Not tainted 5.7.0-rc7-00001-g24627f5f2973 #897 >> [ 107.114142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 >> [ 107.121095] RIP: 0010:hfs_find_init+0x72/0x170 >> [ 107.123609] Code: c1 ea 03 80 3c 02 00 0f 85 e6 00 00 00 4c 8d 65 40 48 c7 43 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a5 00 00 00 8b 45 40 be c0 0c >> [ 107.134660] RSP: 0018:ffff88810291f3f8 EFLAGS: 00010202 >> [ 107.137897] RAX: dffffc0000000000 RBX: ffff88810291f468 RCX: 1ffff110175cdf05 >> [ 107.141874] RDX: 0000000000000008 RSI: ffff88810291f468 RDI: ffff88810291f480 >> [ 107.145844] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020381013 >> [ 107.149431] R10: ffff88810291f500 R11: ffffed1020381012 R12: 0000000000000040 >> [ 107.152315] R13: 0000000000000000 R14: ffff888101c0814a R15: ffff88810291f468 >> [ 107.155464] FS: 00000000009ea880(0000) GS:ffff88810c600000(0000) knlGS:0000000000000000 >> [ 107.159795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >> [ 107.162987] CR2: 00005605a19dd284 CR3: 0000000103a0c006 CR4: 0000000000020ef0 >> [ 107.166665] Call Trace: >> [ 107.167969] ? find_held_lock+0x33/0x1c0 >> [ 107.169972] hfs_ext_read_extent+0x16b/0xb00 >> [ 107.172092] ? create_page_buffers+0x14e/0x1b0 >> [ 107.174303] ? hfs_free_extents+0x280/0x280 >> [ 107.176437] ? lock_downgrade+0x730/0x730 >> [ 107.178272] hfs_get_block+0x496/0x8a0 >> [ 107.179972] block_read_full_page+0x241/0x8d0 >> [ 107.181971] ? hfs_extend_file+0xae0/0xae0 >> [ 107.183814] ? end_buffer_async_read_io+0x10/0x10 >> [ 107.185954] ? add_to_page_cache_lru+0x13f/0x1f0 >> [ 107.188006] ? add_to_page_cache_locked+0x10/0x10 >> [ 107.190175] do_read_cache_page+0xc6a/0x1180 >> [ 107.192096] ? generic_file_read_iter+0x4c0/0x4c0 >> [ 107.194234] ? hfs_btree_open+0x408/0x1000 >> [ 107.196068] ? lock_downgrade+0x730/0x730 >> [ 107.197926] ? wake_bit_function+0x180/0x180 >> [ 107.199845] ? lockdep_init_map_waits+0x267/0x7c0 >> [ 107.201895] hfs_btree_open+0x455/0x1000 >> [ 107.203479] hfs_mdb_get+0x122c/0x1ae8 >> [ 107.205065] ? hfs_mdb_put+0x350/0x350 >> [ 107.206590] ? queue_work_node+0x260/0x260 >> [ 107.208309] ? rcu_read_lock_sched_held+0xa1/0xd0 >> [ 107.210227] ? lockdep_init_map_waits+0x267/0x7c0 >> [ 107.212144] ? lockdep_init_map_waits+0x267/0x7c0 >> [ 107.213979] hfs_fill_super+0x9ba/0x1280 >> [ 107.215444] ? bdev_name.isra.9+0xf1/0x2b0 >> [ 107.217028] ? hfs_remount+0x190/0x190 >> [ 107.218428] ? pointer+0x5da/0x710 >> [ 107.219745] ? file_dentry_name+0xf0/0xf0 >> [ 107.221262] ? mount_bdev+0xd1/0x330 >> [ 107.222592] ? vsnprintf+0x7bd/0x1250 >> [ 107.224007] ? pointer+0x710/0x710 >> [ 107.225332] ? down_write+0xe5/0x160 >> [ 107.226698] ? hfs_remount+0x190/0x190 >> [ 107.228120] ? snprintf+0x91/0xc0 >> [ 107.229388] ? vsprintf+0x10/0x10 >> [ 107.230628] ? sget+0x3af/0x4a0 >> [ 107.231848] ? hfs_remount+0x190/0x190 >> [ 107.233300] mount_bdev+0x26e/0x330 >> [ 107.234611] ? hfs_statfs+0x540/0x540 >> [ 107.236015] legacy_get_tree+0x101/0x1f0 >> [ 107.237431] ? security_capable+0x58/0x90 >> [ 107.238832] vfs_get_tree+0x89/0x2d0 >> [ 107.240082] ? ns_capable_common+0x5c/0xd0 >> [ 107.241521] do_mount+0xd8a/0x1720 >> [ 107.242727] ? lock_downgrade+0x730/0x730 >> [ 107.244116] ? copy_mount_string+0x20/0x20 >> [ 107.245557] ? _copy_from_user+0xbe/0x100 >> [ 107.246967] ? memdup_user+0x47/0x70 >> [ 107.248212] __x64_sys_mount+0x162/0x1b0 >> [ 107.249537] do_syscall_64+0xa5/0x4f0 >> [ 107.250742] entry_SYSCALL_64_after_hwframe+0x49/0xb3 >> [ 107.252369] RIP: 0033:0x44e8ea >> [ 107.253360] Code: 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 >> [ 107.259240] RSP: 002b:00007ffd910e4c28 EFLAGS: 00000207 ORIG_RAX: 00000000000000a5 >> [ 107.261668] RAX: ffffffffffffffda RBX: 0000000000400400 RCX: 000000000044e8ea >> [ 107.263920] RDX: 000000000049321e RSI: 0000000000493222 RDI: 00007ffd910e4d00 >> [ 107.266177] RBP: 00007ffd910e5d10 R08: 0000000000000000 R09: 000000000000000a >> [ 107.268451] R10: 0000000000000001 R11: 0000000000000207 R12: 0000000000401c40 >> [ 107.270721] R13: 0000000000000000 R14: 00000000006ba018 R15: 0000000000000000 >> [ 107.273025] Modules linked in: >> [ 107.274029] Dumping ftrace buffer: >> [ 107.275121] (ftrace buffer empty) >> [ 107.276370] ---[ end trace c5e0b9d684f3570e ]--- >> >> We need check tree in hfs_find_init(). >> >> https://lore.kernel.org/linux-fsdevel/20180419024358.GA5215@bombadil.infradead.org/ >> https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 >> References: CVE-2018-12928 >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >> --- >> fs/hfs/bfind.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c >> index 4af318f..aafa6bd 100644 >> --- a/fs/hfs/bfind.c >> +++ b/fs/hfs/bfind.c >> @@ -16,6 +16,8 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) >> { >> void *ptr; >> >> + if (!tree) >> + return -EINVAL; > Looks good. But we have the same issue in HFS+ driver. Could you prepare the patch for HFS+ too? OK, I will send a patch for HFS+. > > By the way, what is the reason for extents tree pointer to be NULL? Do we have the empty file in this use-case? The reproducer is came from https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 . And it's triggered by mounting a crafted hfs file which has a lot of zero data at the end. Thanks, Yang > > Thanks, > Viacheslav Dubeyko. > >> fd->tree = tree; >> fd->bnode = NULL; >> ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); >> -- >> 1.8.3 >> > .
Hi Yang, On Wed, 2020-06-10 at 20:54 +0800, Yang Yingliang wrote: > Hi, > On 2020/6/9 16:06, Viacheslav Dubeyko wrote: > > Hi Yang, > > > > > On Jun 5, 2020, at 6:01 AM, Yang Yingliang < > > > yangyingliang@huawei.com> wrote: > > > > > > There is a null-ptr-deref in hfs_find_init(): > > > > > > [ 107.092729] hfs: continuing without an alternate MDB > > > [ 107.097632] general protection fault, probably for non- > > > canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI > > > [ 107.104679] KASAN: null-ptr-deref in range > > > [0x0000000000000040-0x0000000000000047] > > > [ 107.109100] CPU: 0 PID: 379 Comm: hfs_inject Not tainted > > > 5.7.0-rc7-00001-g24627f5f2973 #897 > > > [ 107.114142] Hardware name: QEMU Standard PC (i440FX + PIIX, > > > 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org > > > 04/01/2014 > > > [ 107.121095] RIP: 0010:hfs_find_init+0x72/0x170 > > > [ 107.123609] Code: c1 ea 03 80 3c 02 00 0f 85 e6 00 00 00 4c 8d > > > 65 40 48 c7 43 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 > > > e2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a5 00 00 00 > > > 8b 45 40 be c0 0c > > > [ 107.134660] RSP: 0018:ffff88810291f3f8 EFLAGS: 00010202 > > > [ 107.137897] RAX: dffffc0000000000 RBX: ffff88810291f468 RCX: > > > 1ffff110175cdf05 > > > [ 107.141874] RDX: 0000000000000008 RSI: ffff88810291f468 RDI: > > > ffff88810291f480 > > > [ 107.145844] RBP: 0000000000000000 R08: 0000000000000000 R09: > > > ffffed1020381013 > > > [ 107.149431] R10: ffff88810291f500 R11: ffffed1020381012 R12: > > > 0000000000000040 > > > [ 107.152315] R13: 0000000000000000 R14: ffff888101c0814a R15: > > > ffff88810291f468 > > > [ 107.155464] FS: 00000000009ea880(0000) > > > GS:ffff88810c600000(0000) knlGS:0000000000000000 > > > [ 107.159795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > > [ 107.162987] CR2: 00005605a19dd284 CR3: 0000000103a0c006 CR4: > > > 0000000000020ef0 > > > [ 107.166665] Call Trace: > > > [ 107.167969] ? find_held_lock+0x33/0x1c0 > > > [ 107.169972] hfs_ext_read_extent+0x16b/0xb00 > > > [ 107.172092] ? create_page_buffers+0x14e/0x1b0 > > > [ 107.174303] ? hfs_free_extents+0x280/0x280 > > > [ 107.176437] ? lock_downgrade+0x730/0x730 > > > [ 107.178272] hfs_get_block+0x496/0x8a0 > > > [ 107.179972] block_read_full_page+0x241/0x8d0 > > > [ 107.181971] ? hfs_extend_file+0xae0/0xae0 > > > [ 107.183814] ? end_buffer_async_read_io+0x10/0x10 > > > [ 107.185954] ? add_to_page_cache_lru+0x13f/0x1f0 > > > [ 107.188006] ? add_to_page_cache_locked+0x10/0x10 > > > [ 107.190175] do_read_cache_page+0xc6a/0x1180 > > > [ 107.192096] ? generic_file_read_iter+0x4c0/0x4c0 > > > [ 107.194234] ? hfs_btree_open+0x408/0x1000 > > > [ 107.196068] ? lock_downgrade+0x730/0x730 > > > [ 107.197926] ? wake_bit_function+0x180/0x180 > > > [ 107.199845] ? lockdep_init_map_waits+0x267/0x7c0 > > > [ 107.201895] hfs_btree_open+0x455/0x1000 > > > [ 107.203479] hfs_mdb_get+0x122c/0x1ae8 > > > [ 107.205065] ? hfs_mdb_put+0x350/0x350 > > > [ 107.206590] ? queue_work_node+0x260/0x260 > > > [ 107.208309] ? rcu_read_lock_sched_held+0xa1/0xd0 > > > [ 107.210227] ? lockdep_init_map_waits+0x267/0x7c0 > > > [ 107.212144] ? lockdep_init_map_waits+0x267/0x7c0 > > > [ 107.213979] hfs_fill_super+0x9ba/0x1280 > > > [ 107.215444] ? bdev_name.isra.9+0xf1/0x2b0 > > > [ 107.217028] ? hfs_remount+0x190/0x190 > > > [ 107.218428] ? pointer+0x5da/0x710 > > > [ 107.219745] ? file_dentry_name+0xf0/0xf0 > > > [ 107.221262] ? mount_bdev+0xd1/0x330 > > > [ 107.222592] ? vsnprintf+0x7bd/0x1250 > > > [ 107.224007] ? pointer+0x710/0x710 > > > [ 107.225332] ? down_write+0xe5/0x160 > > > [ 107.226698] ? hfs_remount+0x190/0x190 > > > [ 107.228120] ? snprintf+0x91/0xc0 > > > [ 107.229388] ? vsprintf+0x10/0x10 > > > [ 107.230628] ? sget+0x3af/0x4a0 > > > [ 107.231848] ? hfs_remount+0x190/0x190 > > > [ 107.233300] mount_bdev+0x26e/0x330 > > > [ 107.234611] ? hfs_statfs+0x540/0x540 > > > [ 107.236015] legacy_get_tree+0x101/0x1f0 > > > [ 107.237431] ? security_capable+0x58/0x90 > > > [ 107.238832] vfs_get_tree+0x89/0x2d0 > > > [ 107.240082] ? ns_capable_common+0x5c/0xd0 > > > [ 107.241521] do_mount+0xd8a/0x1720 > > > [ 107.242727] ? lock_downgrade+0x730/0x730 > > > [ 107.244116] ? copy_mount_string+0x20/0x20 > > > [ 107.245557] ? _copy_from_user+0xbe/0x100 > > > [ 107.246967] ? memdup_user+0x47/0x70 > > > [ 107.248212] __x64_sys_mount+0x162/0x1b0 > > > [ 107.249537] do_syscall_64+0xa5/0x4f0 > > > [ 107.250742] entry_SYSCALL_64_after_hwframe+0x49/0xb3 > > > [ 107.252369] RIP: 0033:0x44e8ea > > > [ 107.253360] Code: 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 > > > ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 > > > 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff > > > f7 d8 64 89 01 48 > > > [ 107.259240] RSP: 002b:00007ffd910e4c28 EFLAGS: 00000207 > > > ORIG_RAX: 00000000000000a5 > > > [ 107.261668] RAX: ffffffffffffffda RBX: 0000000000400400 RCX: > > > 000000000044e8ea > > > [ 107.263920] RDX: 000000000049321e RSI: 0000000000493222 RDI: > > > 00007ffd910e4d00 > > > [ 107.266177] RBP: 00007ffd910e5d10 R08: 0000000000000000 R09: > > > 000000000000000a > > > [ 107.268451] R10: 0000000000000001 R11: 0000000000000207 R12: > > > 0000000000401c40 > > > [ 107.270721] R13: 0000000000000000 R14: 00000000006ba018 R15: > > > 0000000000000000 > > > [ 107.273025] Modules linked in: > > > [ 107.274029] Dumping ftrace buffer: > > > [ 107.275121] (ftrace buffer empty) > > > [ 107.276370] ---[ end trace c5e0b9d684f3570e ]--- > > > > > > We need check tree in hfs_find_init(). > > > > > > https://lore.kernel.org/linux-fsdevel/20180419024358.GA5215@bombadil.infradead.org/ > > > https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 > > > References: CVE-2018-12928 > > > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > > > --- > > > fs/hfs/bfind.c | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c > > > index 4af318f..aafa6bd 100644 > > > --- a/fs/hfs/bfind.c > > > +++ b/fs/hfs/bfind.c > > > @@ -16,6 +16,8 @@ int hfs_find_init(struct hfs_btree *tree, > > > struct hfs_find_data *fd) > > > { > > > void *ptr; > > > > > > + if (!tree) > > > + return -EINVAL; > > > > Looks good. But we have the same issue in HFS+ driver. Could you > > prepare the patch for HFS+ too? > > OK, I will send a patch for HFS+. > > > > By the way, what is the reason for extents tree pointer to be NULL? > > Do we have the empty file in this use-case? > > The reproducer is came from > https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 . > > And it's triggered by mounting a crafted hfs file which has a lot of > zero data at the end. > I like the fix, but the issue has more complex nature, as far as I can see. The hfs_ext_read_extent() is trying to access the HFS_SB(inode- >i_sb)->ext_tree [1]. However, hfs_fill_super() calls the hfs_mdb_get() that is trying to create Extents Tree. It means that hfs_btree_open() is trying to access HFS_SB(inode->i_sb)->ext_tree before the real initialization. Because, namely hfs_btree_open() returns the created tree object [2]. Did I miss something here? Frankly speaking, I am slightly confused how it worked before. Maybe, some patch broke the initial logic? [1] https://elixir.bootlin.com/linux/latest/source/fs/hfs/extent.c#L200 [2] https://elixir.bootlin.com/linux/latest/source/fs/hfs/mdb.c#L193 Thanks, Viacheslav Dubeyko. > > Thanks, > > Yang > > > > > Thanks, > > Viacheslav Dubeyko. > > > > > fd->tree = tree; > > > fd->bnode = NULL; > > > ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); > > > -- > > > 1.8.3 > > > > > > > . > >
diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c index 4af318f..aafa6bd 100644 --- a/fs/hfs/bfind.c +++ b/fs/hfs/bfind.c @@ -16,6 +16,8 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) { void *ptr; + if (!tree) + return -EINVAL; fd->tree = tree; fd->bnode = NULL; ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
There is a null-ptr-deref in hfs_find_init(): [ 107.092729] hfs: continuing without an alternate MDB [ 107.097632] general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI [ 107.104679] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] [ 107.109100] CPU: 0 PID: 379 Comm: hfs_inject Not tainted 5.7.0-rc7-00001-g24627f5f2973 #897 [ 107.114142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 107.121095] RIP: 0010:hfs_find_init+0x72/0x170 [ 107.123609] Code: c1 ea 03 80 3c 02 00 0f 85 e6 00 00 00 4c 8d 65 40 48 c7 43 18 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e a5 00 00 00 8b 45 40 be c0 0c [ 107.134660] RSP: 0018:ffff88810291f3f8 EFLAGS: 00010202 [ 107.137897] RAX: dffffc0000000000 RBX: ffff88810291f468 RCX: 1ffff110175cdf05 [ 107.141874] RDX: 0000000000000008 RSI: ffff88810291f468 RDI: ffff88810291f480 [ 107.145844] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020381013 [ 107.149431] R10: ffff88810291f500 R11: ffffed1020381012 R12: 0000000000000040 [ 107.152315] R13: 0000000000000000 R14: ffff888101c0814a R15: ffff88810291f468 [ 107.155464] FS: 00000000009ea880(0000) GS:ffff88810c600000(0000) knlGS:0000000000000000 [ 107.159795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 107.162987] CR2: 00005605a19dd284 CR3: 0000000103a0c006 CR4: 0000000000020ef0 [ 107.166665] Call Trace: [ 107.167969] ? find_held_lock+0x33/0x1c0 [ 107.169972] hfs_ext_read_extent+0x16b/0xb00 [ 107.172092] ? create_page_buffers+0x14e/0x1b0 [ 107.174303] ? hfs_free_extents+0x280/0x280 [ 107.176437] ? lock_downgrade+0x730/0x730 [ 107.178272] hfs_get_block+0x496/0x8a0 [ 107.179972] block_read_full_page+0x241/0x8d0 [ 107.181971] ? hfs_extend_file+0xae0/0xae0 [ 107.183814] ? end_buffer_async_read_io+0x10/0x10 [ 107.185954] ? add_to_page_cache_lru+0x13f/0x1f0 [ 107.188006] ? add_to_page_cache_locked+0x10/0x10 [ 107.190175] do_read_cache_page+0xc6a/0x1180 [ 107.192096] ? generic_file_read_iter+0x4c0/0x4c0 [ 107.194234] ? hfs_btree_open+0x408/0x1000 [ 107.196068] ? lock_downgrade+0x730/0x730 [ 107.197926] ? wake_bit_function+0x180/0x180 [ 107.199845] ? lockdep_init_map_waits+0x267/0x7c0 [ 107.201895] hfs_btree_open+0x455/0x1000 [ 107.203479] hfs_mdb_get+0x122c/0x1ae8 [ 107.205065] ? hfs_mdb_put+0x350/0x350 [ 107.206590] ? queue_work_node+0x260/0x260 [ 107.208309] ? rcu_read_lock_sched_held+0xa1/0xd0 [ 107.210227] ? lockdep_init_map_waits+0x267/0x7c0 [ 107.212144] ? lockdep_init_map_waits+0x267/0x7c0 [ 107.213979] hfs_fill_super+0x9ba/0x1280 [ 107.215444] ? bdev_name.isra.9+0xf1/0x2b0 [ 107.217028] ? hfs_remount+0x190/0x190 [ 107.218428] ? pointer+0x5da/0x710 [ 107.219745] ? file_dentry_name+0xf0/0xf0 [ 107.221262] ? mount_bdev+0xd1/0x330 [ 107.222592] ? vsnprintf+0x7bd/0x1250 [ 107.224007] ? pointer+0x710/0x710 [ 107.225332] ? down_write+0xe5/0x160 [ 107.226698] ? hfs_remount+0x190/0x190 [ 107.228120] ? snprintf+0x91/0xc0 [ 107.229388] ? vsprintf+0x10/0x10 [ 107.230628] ? sget+0x3af/0x4a0 [ 107.231848] ? hfs_remount+0x190/0x190 [ 107.233300] mount_bdev+0x26e/0x330 [ 107.234611] ? hfs_statfs+0x540/0x540 [ 107.236015] legacy_get_tree+0x101/0x1f0 [ 107.237431] ? security_capable+0x58/0x90 [ 107.238832] vfs_get_tree+0x89/0x2d0 [ 107.240082] ? ns_capable_common+0x5c/0xd0 [ 107.241521] do_mount+0xd8a/0x1720 [ 107.242727] ? lock_downgrade+0x730/0x730 [ 107.244116] ? copy_mount_string+0x20/0x20 [ 107.245557] ? _copy_from_user+0xbe/0x100 [ 107.246967] ? memdup_user+0x47/0x70 [ 107.248212] __x64_sys_mount+0x162/0x1b0 [ 107.249537] do_syscall_64+0xa5/0x4f0 [ 107.250742] entry_SYSCALL_64_after_hwframe+0x49/0xb3 [ 107.252369] RIP: 0033:0x44e8ea [ 107.253360] Code: 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 107.259240] RSP: 002b:00007ffd910e4c28 EFLAGS: 00000207 ORIG_RAX: 00000000000000a5 [ 107.261668] RAX: ffffffffffffffda RBX: 0000000000400400 RCX: 000000000044e8ea [ 107.263920] RDX: 000000000049321e RSI: 0000000000493222 RDI: 00007ffd910e4d00 [ 107.266177] RBP: 00007ffd910e5d10 R08: 0000000000000000 R09: 000000000000000a [ 107.268451] R10: 0000000000000001 R11: 0000000000000207 R12: 0000000000401c40 [ 107.270721] R13: 0000000000000000 R14: 00000000006ba018 R15: 0000000000000000 [ 107.273025] Modules linked in: [ 107.274029] Dumping ftrace buffer: [ 107.275121] (ftrace buffer empty) [ 107.276370] ---[ end trace c5e0b9d684f3570e ]--- We need check tree in hfs_find_init(). https://lore.kernel.org/linux-fsdevel/20180419024358.GA5215@bombadil.infradead.org/ https://marc.info/?l=linux-fsdevel&m=152406881024567&w=2 References: CVE-2018-12928 Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- fs/hfs/bfind.c | 2 ++ 1 file changed, 2 insertions(+)