KASAN: null-ptr-deref Read in hfs_find_init

From: Ubisectech Sirius
Date: Tue Jan 09 2024 - 01:24:16 EST


Dear concerned.

Greetings!

We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team discovered an issue in Linux kernel 6.7.0-g0dd3ee311255. Attached to this email are a PoC file for the issue and the configuration of my Linux kernel. As the call trace below shows, the fault is reached from the mount() system call (__x64_sys_mount → hfs_fill_super → hfs_mdb_get → hfs_btree_open → hfs_find_init), i.e. while mounting an HFS image.

 

Stack dump:

[  191.738375][ T8033] ==================================================================

[ 191.739640][ T8033] BUG: KASAN: null-ptr-deref in hfs_find_init (fs/hfs/bfind.c:21)

[  191.740705][ T8033] Read of size 4 at addr 0000000000000040 by task poc/8033

[  191.741826][ T8033]

[  191.742206][ T8033] CPU: 0 PID: 8033 Comm: poc Not tainted 6.7.0-g0dd3ee311255 #6

[  191.743443][ T8033] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

[  191.744820][ T8033] Call Trace:

[  191.745330][ T8033]  <TASK>

[ 191.745779][ T8033] dump_stack_lvl (lib/dump_stack.c:107)

[ 191.746508][ T8033] ? hfs_find_init (fs/hfs/bfind.c:21)

[ 191.747250][ T8033] kasan_report (mm/kasan/report.c:590)

[ 191.747945][ T8033] ? hfs_find_init (fs/hfs/bfind.c:21)

[ 191.748714][ T8033] hfs_find_init (fs/hfs/bfind.c:21)

[ 191.749426][ T8033] hfs_ext_read_extent (fs/hfs/extent.c:201)

[ 191.750221][ T8033] ? hfs_free_extents (fs/hfs/extent.c:192)

[ 191.750999][ T8033] ? lock_downgrade (kernel/locking/lockdep.c:5762)

[ 191.751799][ T8033] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:113)

[ 191.752614][ T8033] ? spin_bug (kernel/locking/spinlock_debug.c:113)

[ 191.753284][ T8033] ? folio_flags.constprop.0 (./include/linux/page-flags.h:316)

[ 191.754148][ T8033] hfs_get_block (fs/hfs/extent.c:367)

[ 191.754885][ T8033] block_read_full_folio (fs/buffer.c:2400 (discriminator 3))

[ 191.755744][ T8033] ? hfs_extend_file (fs/hfs/extent.c:338)

[ 191.756541][ T8033] ? decrypt_bh (fs/buffer.c:2363)

[ 191.757246][ T8033] ? folio_flags (./include/linux/page-flags.h:315)

[ 191.757956][ T8033] ? preempt_count_sub (kernel/sched/core.c:5865)

[ 191.758721][ T8033] ? hfs_bmap (fs/hfs/inode.c:38)

[ 191.759375][ T8033] filemap_read_folio (mm/filemap.c:2323)

[ 191.760194][ T8033] ? __folio_lock_killable (mm/filemap.c:2308)

[ 191.761077][ T8033] ? __filemap_get_folio (mm/filemap.c:1948)

[ 191.761895][ T8033] do_read_cache_folio (mm/filemap.c:3701)

[ 191.762665][ T8033] ? hfs_bmap (fs/hfs/inode.c:38)

[ 191.763318][ T8033] read_cache_page (mm/filemap.c:3767 mm/filemap.c:3775)

[ 191.764085][ T8033] hfs_btree_open (fs/hfs/btree.c:79)

[ 191.764846][ T8033] hfs_mdb_get (fs/hfs/mdb.c:199)

[ 191.765534][ T8033] ? hfs_mdb_put (fs/hfs/mdb.c:74)

[ 191.766237][ T8033] ? lockdep_init_map_type (kernel/locking/lockdep.c:4903)

[ 191.767104][ T8033] ? lockdep_init_map_type (kernel/locking/lockdep.c:4903)

[ 191.767942][ T8033] hfs_fill_super (fs/hfs/super.c:407)

[ 191.768668][ T8033] ? hfs_remount (fs/hfs/super.c:379)

[ 191.769392][ T8033] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4993)

[ 191.770338][ T8033] ? pointer (lib/vsprintf.c:2755)

[ 191.771040][ T8033] ? preempt_count_sub (kernel/sched/core.c:5865)

[ 191.771871][ T8033] ? __down_write_common (./arch/x86/include/asm/preempt.h:104 kernel/locking/rwsem.c:1309)

[ 191.772739][ T8033] ? up_write (kernel/locking/rwsem.c:1301)

[ 191.773454][ T8033] ? lock_sync (kernel/locking/lockdep.c:5722)

[ 191.774144][ T8033] ? do_raw_spin_lock (kernel/locking/spinlock_debug.c:113)

[ 191.775034][ T8033] ? mount_bdev (fs/super.c:1651)

[ 191.775780][ T8033] mount_bdev (fs/super.c:1651)

[ 191.776466][ T8033] ? hfs_remount (fs/hfs/super.c:379)

[ 191.777215][ T8033] ? sget (fs/super.c:1620)

[ 191.777886][ T8033] ? selinux_sb_eat_lsm_opts (security/selinux/hooks.c:2633)

[ 191.778798][ T8033] ? hfs_statfs (fs/hfs/super.c:455)

[ 191.779570][ T8033] legacy_get_tree (fs/fs_context.c:664)

[ 191.780333][ T8033] vfs_get_tree (fs/super.c:1772)

[ 191.781085][ T8033] path_mount (fs/namespace.c:3338 fs/namespace.c:3664)

[ 191.781792][ T8033] ? putname (fs/namei.c:275)

[ 191.782462][ T8033] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4423)

[ 191.783283][ T8033] ? finish_automount (fs/namespace.c:3591)

[ 191.784087][ T8033] ? lock_release (kernel/locking/lockdep.c:5459 kernel/locking/lockdep.c:5774)

[ 191.784813][ T8033] ? putname (fs/namei.c:275)

[ 191.785462][ T8033] __x64_sys_mount (fs/namespace.c:3678 fs/namespace.c:3886 fs/namespace.c:3863 fs/namespace.c:3863)

[ 191.786259][ T8033] ? copy_mnt_ns (fs/namespace.c:3863)

[ 191.787008][ T8033] ? syscall_enter_from_user_mode (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/entry/common.c:111)

[ 191.787915][ T8033] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)

[ 191.788628][ T8033] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)

[  191.789535][ T8033] RIP: 0033:0x7fe79c66862a

[ 191.790198][ T8033] Code: 48 8b 0d 69 18 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 36 18 0d 00 f7 d8 64 89 01 48

All code

========

   0:   48 8b 0d 69 18 0d 00    mov    0xd1869(%rip),%rcx        # 0xd1870

   7:   f7 d8                   neg    %eax

   9:   64 89 01                mov    %eax,%fs:(%rcx)

   c:   48 83 c8 ff             or     $0xffffffffffffffff,%rax

  10:   c3                      ret

  11:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)

  18:   00 00 00

  1b:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)

  20:   49 89 ca                mov    %rcx,%r10

  23:   b8 a5 00 00 00          mov    $0xa5,%eax

  28:   0f 05                   syscall

  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction

  30:   73 01                   jae    0x33

  32:   c3                      ret

  33:   48 8b 0d 36 18 0d 00    mov    0xd1836(%rip),%rcx        # 0xd1870

  3a:   f7 d8                   neg    %eax

  3c:   64 89 01                mov    %eax,%fs:(%rcx)

  3f:   48                      rex.W

 

Code starting with the faulting instruction

===========================================

   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax

   6:   73 01                   jae    0x9

   8:   c3                      ret

   9:   48 8b 0d 36 18 0d 00    mov    0xd1836(%rip),%rcx        # 0xd1846

  10:   f7 d8                   neg    %eax

  12:   64 89 01                mov    %eax,%fs:(%rcx)

  15:   48                      rex.W

[  191.793168][ T8033] RSP: 002b:00007ffc3233e668 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5

[  191.794462][ T8033] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe79c66862a

[  191.795715][ T8033] RDX: 0000000020000040 RSI: 0000000020000140 RDI: 00007ffc3233e7a0

[  191.796999][ T8033] RBP: 00007ffc3233e830 R08: 00007ffc3233e6a0 R09: 0000000000000000

[  191.798223][ T8033] R10: 0000000002810880 R11: 0000000000000202 R12: 0000558b4a72f250

[  191.799492][ T8033] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

[  191.800747][ T8033]  </TASK>

[  191.801242][ T8033] ==================================================================

 

 

Thank you for taking the time to read this email; we look forward to working with you further.

 





                                                                                         Ubisectech Sirius Team
                                                                                       Web: www.ubisectech.com
                                                                                  Email: bugreport@xxxxxxxxxxxxxx
                                                                                                         

Attachment: poc.c
Description: Binary data

Attachment: .config
Description: Binary data