f2fs: CVE-2018-13099

f2fs: fix to do sanity check with reserved blkaddr of inline inode References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=7fb2b50ee59689578d5a712633d1e6755fc98933 Change-Id: I98429a8a2f47bed9486b5ab8e8419bfc0cbb5a5a Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-01-25 16:01:29 +0100
committer: Andreas Wellving <Andreas.Wellving@enea.com> 2019-02-01 15:51:05 +0100
commit: 4a9ae2e9795b8bf7c43af3d4e64f32ced1f68499 (patch)
tree: efcaa9d33eb9940b2533b4439fe727af6ac95db1 /patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
parent: f20d5edb3bdc1e451da309998a2ad4664e744220 (diff)
download: enea-kernel-cache-4a9ae2e9795b8bf7c43af3d4e64f32ced1f68499.tar.gz
1 files changed, 159 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch b/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
new file mode 100644
index 0000000..c3a750d
--- /dev/null
+++ b/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
@@ -0,0 +1,159 @@
+From 4dbe38dc386910c668c75ae616b99b823b59f3eb Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Sat, 30 Jun 2018 18:13:40 +0800
+Subject: [PATCH] f2fs: fix to do sanity check with reserved blkaddr of inline
+ inode
+As Wen Xu reported in bugzilla, after image was injected with random data
+by fuzzing, inline inode would contain invalid reserved blkaddr, then
+during inline conversion, we will encounter illegal memory accessing
+reported by KASAN, the root cause of this is when writing out converted
+inline page, we will use invalid reserved blkaddr to update sit bitmap,
+result in accessing memory beyond sit bitmap boundary.
+In order to fix this issue, let's do sanity check with reserved block
+address of inline inode to avoid above condition.
+https://bugzilla.kernel.org/show_bug.cgi?id=200179
+[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
+[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
+[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
+[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 1428.846860] Call Trace:
+[ 1428.846868]  dump_stack+0x71/0xab
+[ 1428.846875]  print_address_description+0x6b/0x290
+[ 1428.846881]  kasan_report+0x28e/0x390
+[ 1428.846888]  ? update_sit_entry+0x80/0x7f0
+[ 1428.846898]  update_sit_entry+0x80/0x7f0
+[ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
+[ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
+[ 1428.846920]  do_write_page+0xc8/0x150
+[ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
+[ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
+[ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
+[ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
+[ 1428.846951]  ? inc_zone_page_state+0x54/0x100
+[ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
+[ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
+[ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
+[ 1428.846978]  ? __get_node_page+0x335/0x6b0
+[ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
+[ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
+[ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
+[ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
+[ 1428.847024]  f2fs_file_mmap+0x79/0xc0
+[ 1428.847029]  mmap_region+0x58b/0x880
+[ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
+[ 1428.847042]  do_mmap+0x55b/0x7a0
+[ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
+[ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
+[ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
+[ 1428.847068]  ? do_sys_open+0x206/0x2a0
+[ 1428.847073]  ? __fget+0xb4/0x100
+[ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
+[ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
+[ 1428.847091]  do_syscall_64+0x73/0x160
+[ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1428.847102] RIP: 0033:0x7fb1430766ba
+[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
+[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
+[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
+[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
+[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
+[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
+[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
+[ 1428.847252] Allocated by task 2683:
+[ 1428.847372]  kasan_kmalloc+0xa6/0xd0
+[ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
+[ 1428.847385]  getname_flags+0x73/0x2b0
+[ 1428.847390]  user_path_at_empty+0x1d/0x40
+[ 1428.847395]  vfs_statx+0xc1/0x150
+[ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
+[ 1428.847405]  do_syscall_64+0x73/0x160
+[ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1428.847466] Freed by task 2683:
+[ 1428.847566]  __kasan_slab_free+0x137/0x190
+[ 1428.847571]  kmem_cache_free+0x85/0x1e0
+[ 1428.847575]  filename_lookup+0x191/0x280
+[ 1428.847580]  vfs_statx+0xc1/0x150
+[ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
+[ 1428.847590]  do_syscall_64+0x73/0x160
+[ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1428.847648] The buggy address belongs to the object at ffff880194483300
+                which belongs to the cache names_cache of size 4096
+[ 1428.847946] The buggy address is located 576 bytes inside of
+                4096-byte region [ffff880194483300, ffff880194484300)
+[ 1428.848234] The buggy address belongs to the page:
+[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
+[ 1428.848606] flags: 0x17fff8000008100(slab|head)
+[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
+[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
+[ 1428.849122] page dumped because: kasan: bad access detected
+[ 1428.849305] Memory state around the buggy address:
+[ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.849985]                                            ^
+[ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1428.850498] ==================================================================
+CVE: CVE-2018-13099
+Upstream-Status: Backport
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/f2fs/inline.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
+index 9a245d2..2bcb2d3 100644
+--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
+@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page)
+        if (err)
+                return err;
+ 
+       if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
+               f2fs_put_dnode(dn);
+               set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
+               f2fs_msg(fio.sbi->sb, KERN_WARNING,
+                       "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+                       "run fsck to fix.",
+                       __func__, dn->inode->i_ino, dn->data_blkaddr);
+               return -EINVAL;
+       }
+
+        f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
+ 
+        f2fs_do_read_inline_data(page, dn->inode_page);
+@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage,
+        if (err)
+                goto out;
+ 
+       if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
+               f2fs_put_dnode(&dn);
+               set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
+               f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
+                       "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+                       "run fsck to fix.",
+                       __func__, dir->i_ino, dn.data_blkaddr);
+               err = -EINVAL;
+               goto out;
+       }
+
+        f2fs_wait_on_page_writeback(page, DATA, true);
+ 
+        dentry_blk = page_address(page);
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2019-01-25 16:01:29 +0100
committer	Andreas Wellving <Andreas.Wellving@enea.com>	2019-02-01 15:51:05 +0100
commit	4a9ae2e9795b8bf7c43af3d4e64f32ced1f68499 (patch)
tree	efcaa9d33eb9940b2533b4439fe727af6ac95db1 /patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
parent	f20d5edb3bdc1e451da309998a2ad4664e744220 (diff)
download	enea-kernel-cache-4a9ae2e9795b8bf7c43af3d4e64f32ced1f68499.tar.gz

diff --git a/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch b/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch new file mode 100644 index 0000000..c3a750d --- /dev/null +++ b/patches/cve/CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
@@ -0,0 +1,159 @@
	1	From 4dbe38dc386910c668c75ae616b99b823b59f3eb Mon Sep 17 00:00:00 2001
	2	From: Chao Yu <yuchao0@huawei.com>
	3	Date: Sat, 30 Jun 2018 18:13:40 +0800
	4	Subject: [PATCH] f2fs: fix to do sanity check with reserved blkaddr of inline
	5	inode
	6
	7	As Wen Xu reported in bugzilla, after image was injected with random data
	8	by fuzzing, inline inode would contain invalid reserved blkaddr, then
	9	during inline conversion, we will encounter illegal memory accessing
	10	reported by KASAN, the root cause of this is when writing out converted
	11	inline page, we will use invalid reserved blkaddr to update sit bitmap,
	12	result in accessing memory beyond sit bitmap boundary.
	13
	14	In order to fix this issue, let's do sanity check with reserved block
	15	address of inline inode to avoid above condition.
	16
	17	https://bugzilla.kernel.org/show_bug.cgi?id=200179
	18
	19	[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
	20	[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
	21
	22	[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
	23	[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
	24	[ 1428.846860] Call Trace:
	25	[ 1428.846868] dump_stack+0x71/0xab
	26	[ 1428.846875] print_address_description+0x6b/0x290
	27	[ 1428.846881] kasan_report+0x28e/0x390
	28	[ 1428.846888] ? update_sit_entry+0x80/0x7f0
	29	[ 1428.846898] update_sit_entry+0x80/0x7f0
	30	[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
	31	[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
	32	[ 1428.846920] do_write_page+0xc8/0x150
	33	[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
	34	[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
	35	[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
	36	[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
	37	[ 1428.846951] ? inc_zone_page_state+0x54/0x100
	38	[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
	39	[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
	40	[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
	41	[ 1428.846978] ? __get_node_page+0x335/0x6b0
	42	[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
	43	[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
	44	[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
	45	[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
	46	[ 1428.847024] f2fs_file_mmap+0x79/0xc0
	47	[ 1428.847029] mmap_region+0x58b/0x880
	48	[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
	49	[ 1428.847042] do_mmap+0x55b/0x7a0
	50	[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
	51	[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
	52	[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
	53	[ 1428.847068] ? do_sys_open+0x206/0x2a0
	54	[ 1428.847073] ? __fget+0xb4/0x100
	55	[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
	56	[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
	57	[ 1428.847091] do_syscall_64+0x73/0x160
	58	[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	59	[ 1428.847102] RIP: 0033:0x7fb1430766ba
	60	[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
	61	[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
	62	[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
	63	[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
	64	[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
	65	[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
	66	[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
	67
	68	[ 1428.847252] Allocated by task 2683:
	69	[ 1428.847372] kasan_kmalloc+0xa6/0xd0
	70	[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
	71	[ 1428.847385] getname_flags+0x73/0x2b0
	72	[ 1428.847390] user_path_at_empty+0x1d/0x40
	73	[ 1428.847395] vfs_statx+0xc1/0x150
	74	[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
	75	[ 1428.847405] do_syscall_64+0x73/0x160
	76	[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	77
	78	[ 1428.847466] Freed by task 2683:
	79	[ 1428.847566] __kasan_slab_free+0x137/0x190
	80	[ 1428.847571] kmem_cache_free+0x85/0x1e0
	81	[ 1428.847575] filename_lookup+0x191/0x280
	82	[ 1428.847580] vfs_statx+0xc1/0x150
	83	[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
	84	[ 1428.847590] do_syscall_64+0x73/0x160
	85	[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	86
	87	[ 1428.847648] The buggy address belongs to the object at ffff880194483300
	88	which belongs to the cache names_cache of size 4096
	89	[ 1428.847946] The buggy address is located 576 bytes inside of
	90	4096-byte region [ffff880194483300, ffff880194484300)
	91	[ 1428.848234] The buggy address belongs to the page:
	92	[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
	93	[ 1428.848606] flags: 0x17fff8000008100(slab\|head)
	94	[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
	95	[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
	96	[ 1428.849122] page dumped because: kasan: bad access detected
	97
	98	[ 1428.849305] Memory state around the buggy address:
	99	[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	100	[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	101	[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	102	[ 1428.849985] ^
	103	[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	104	[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	105	[ 1428.850498] ==================================================================
	106
	107	CVE: CVE-2018-13099
	108	Upstream-Status: Backport
	109
	110	Reported-by: Wen Xu <wen.xu@gatech.edu>
	111	Signed-off-by: Chao Yu <yuchao0@huawei.com>
	112	Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
	113	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	114	---
	115	fs/f2fs/inline.c \| 21 +++++++++++++++++++++
	116	1 file changed, 21 insertions(+)
	117
	118	diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
	119	index 9a245d2..2bcb2d3 100644
	120	--- a/fs/f2fs/inline.c
	121	+++ b/fs/f2fs/inline.c
	122	@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data dn, struct page page)
	123	if (err)
	124	return err;
	125
	126	+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
	127	+ f2fs_put_dnode(dn);
	128	+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
	129	+ f2fs_msg(fio.sbi->sb, KERN_WARNING,
	130	+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
	131	+ "run fsck to fix.",
	132	+ __func__, dn->inode->i_ino, dn->data_blkaddr);
	133	+ return -EINVAL;
	134	+ }
	135	+
	136	f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
	137
	138	f2fs_do_read_inline_data(page, dn->inode_page);
	139	@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode dir, struct page ipage,
	140	if (err)
	141	goto out;
	142
	143	+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
	144	+ f2fs_put_dnode(&dn);
	145	+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
	146	+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
	147	+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
	148	+ "run fsck to fix.",
	149	+ __func__, dir->i_ino, dn.data_blkaddr);
	150	+ err = -EINVAL;
	151	+ goto out;
	152	+ }
	153	+
	154	f2fs_wait_on_page_writeback(page, DATA, true);
	155
	156	dentry_blk = page_address(page);
	157	--
	158
	159