cve/published/2021/CVE-2021-47656.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47656: jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

 When we mount a jffs2 image, assume that the first few blocks of
 the image are normal and contain at least one xattr-related inode,
 but the next block is abnormal. As a result, an error is returned
 in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
 called in jffs2_build_filesystem() and then again in
 jffs2_do_fill_super().

 Finally we can observe the following report:
  ==================================================================
  BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
  Read of size 8 at addr ffff8881243384e0 by task mount/719

  Call Trace:
   dump_stack+0x115/0x16b
   jffs2_clear_xattr_subsystem+0x95/0x6ac
   jffs2_do_fill_super+0x84f/0xc30
   jffs2_fill_super+0x2ea/0x4c0
   mtd_get_sb+0x254/0x400
   mtd_get_sb_by_nr+0x4f/0xd0
   get_tree_mtd+0x498/0x840
   jffs2_get_tree+0x25/0x30
   vfs_get_tree+0x8d/0x2e0
   path_mount+0x50f/0x1e50
   do_mount+0x107/0x130
   __se_sys_mount+0x1c5/0x2f0
   __x64_sys_mount+0xc7/0x160
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

  Allocated by task 719:
   kasan_save_stack+0x23/0x60
   __kasan_kmalloc.constprop.0+0x10b/0x120
   kasan_slab_alloc+0x12/0x20
   kmem_cache_alloc+0x1c0/0x870
   jffs2_alloc_xattr_ref+0x2f/0xa0
   jffs2_scan_medium.cold+0x3713/0x4794
   jffs2_do_mount_fs.cold+0xa7/0x2253
   jffs2_do_fill_super+0x383/0xc30
   jffs2_fill_super+0x2ea/0x4c0
  [...]

  Freed by task 719:
   kmem_cache_free+0xcc/0x7b0
   jffs2_free_xattr_ref+0x78/0x98
   jffs2_clear_xattr_subsystem+0xa1/0x6ac
   jffs2_do_mount_fs.cold+0x5e6/0x2253
   jffs2_do_fill_super+0x383/0xc30
   jffs2_fill_super+0x2ea/0x4c0
  [...]

  The buggy address belongs to the object at ffff8881243384b8
   which belongs to the cache jffs2_xattr_ref of size 48
  The buggy address is located 40 bytes inside of
   48-byte region [ffff8881243384b8, ffff8881243384e8)
  [...]
  ==================================================================

 The triggering of the BUG is shown in the following stack:
 -----------------------------------------------------------
 jffs2_fill_super
   jffs2_do_fill_super
     jffs2_do_mount_fs
       jffs2_build_filesystem
         jffs2_scan_medium
           jffs2_scan_eraseblock        <--- ERROR
         jffs2_clear_xattr_subsystem    <--- free
     jffs2_clear_xattr_subsystem        <--- free again
 -----------------------------------------------------------

 An error is returned in jffs2_do_mount_fs(). If the error is returned
 by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
 be executed. If the error is returned by jffs2_build_filesystem(), the
 jffs2_clear_xattr_subsystem() also does not need to be executed again.
 So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
 to fix this UAF problem.

 The Linux kernel CVE team has assigned CVE-2021-47656 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.9.311 with commit 9150cb625b46f68d524f4cfd491f1aafc23e10a9
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.14.276 with commit 3bd2454162ec6bbb5503233c804fce6e4b6dcec5
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.19.238 with commit c3b07c875fa8f906f932976460fd14798596f101
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.4.189 with commit 30bf7244acf32f19cb722c39f7bc1c2a9f300422
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.10.110 with commit 7bb7428dd73991bf4b3a7a61b493ca50046c2b13
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.15.33 with commit 7a75740206af5f17e9f3efa384211cba70213da1
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.16.19 with commit 22327bd7988f21de3a53c1373f3b81542bfe1f44
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.17.2 with commit 8c0f024f29e055840a5a89fe23b96ae3f921afed
 	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.18 with commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47656
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jffs2/fs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9
 	https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5
 	https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101
 	https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422
 	https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13
 	https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1
 	https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44
 	https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed
 	https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47656: jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

	When we mount a jffs2 image, assume that the first few blocks of
	the image are normal and contain at least one xattr-related inode,
	but the next block is abnormal. As a result, an error is returned
	in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
	called in jffs2_build_filesystem() and then again in
	jffs2_do_fill_super().

	Finally we can observe the following report:
	==================================================================
	BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
	Read of size 8 at addr ffff8881243384e0 by task mount/719

	Call Trace:
	dump_stack+0x115/0x16b
	jffs2_clear_xattr_subsystem+0x95/0x6ac
	jffs2_do_fill_super+0x84f/0xc30
	jffs2_fill_super+0x2ea/0x4c0
	mtd_get_sb+0x254/0x400
	mtd_get_sb_by_nr+0x4f/0xd0
	get_tree_mtd+0x498/0x840
	jffs2_get_tree+0x25/0x30
	vfs_get_tree+0x8d/0x2e0
	path_mount+0x50f/0x1e50
	do_mount+0x107/0x130
	__se_sys_mount+0x1c5/0x2f0
	__x64_sys_mount+0xc7/0x160
	do_syscall_64+0x45/0x70
	entry_SYSCALL_64_after_hwframe+0x44/0xa9

	Allocated by task 719:
	kasan_save_stack+0x23/0x60
	__kasan_kmalloc.constprop.0+0x10b/0x120
	kasan_slab_alloc+0x12/0x20
	kmem_cache_alloc+0x1c0/0x870
	jffs2_alloc_xattr_ref+0x2f/0xa0
	jffs2_scan_medium.cold+0x3713/0x4794
	jffs2_do_mount_fs.cold+0xa7/0x2253
	jffs2_do_fill_super+0x383/0xc30
	jffs2_fill_super+0x2ea/0x4c0
	[...]

	Freed by task 719:
	kmem_cache_free+0xcc/0x7b0
	jffs2_free_xattr_ref+0x78/0x98
	jffs2_clear_xattr_subsystem+0xa1/0x6ac
	jffs2_do_mount_fs.cold+0x5e6/0x2253
	jffs2_do_fill_super+0x383/0xc30
	jffs2_fill_super+0x2ea/0x4c0
	[...]

	The buggy address belongs to the object at ffff8881243384b8
	which belongs to the cache jffs2_xattr_ref of size 48
	The buggy address is located 40 bytes inside of
	48-byte region [ffff8881243384b8, ffff8881243384e8)
	[...]
	==================================================================

	The triggering of the BUG is shown in the following stack:
	-----------------------------------------------------------
	jffs2_fill_super
	jffs2_do_fill_super
	jffs2_do_mount_fs
	jffs2_build_filesystem
	jffs2_scan_medium
	jffs2_scan_eraseblock <--- ERROR
	jffs2_clear_xattr_subsystem <--- free
	jffs2_clear_xattr_subsystem <--- free again
	-----------------------------------------------------------

	An error is returned in jffs2_do_mount_fs(). If the error is returned
	by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
	be executed. If the error is returned by jffs2_build_filesystem(), the
	jffs2_clear_xattr_subsystem() also does not need to be executed again.
	So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
	to fix this UAF problem.

	The Linux kernel CVE team has assigned CVE-2021-47656 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.9.311 with commit 9150cb625b46f68d524f4cfd491f1aafc23e10a9
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.14.276 with commit 3bd2454162ec6bbb5503233c804fce6e4b6dcec5
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 4.19.238 with commit c3b07c875fa8f906f932976460fd14798596f101
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.4.189 with commit 30bf7244acf32f19cb722c39f7bc1c2a9f300422
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.10.110 with commit 7bb7428dd73991bf4b3a7a61b493ca50046c2b13
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.15.33 with commit 7a75740206af5f17e9f3efa384211cba70213da1
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.16.19 with commit 22327bd7988f21de3a53c1373f3b81542bfe1f44
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.17.2 with commit 8c0f024f29e055840a5a89fe23b96ae3f921afed
	Issue introduced in 2.6.18 with commit aa98d7cf59b5b0764d3502662053489585faf2fe and fixed in 5.18 with commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47656
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jffs2/fs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9
	https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5
	https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101
	https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422
	https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13
	https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1
	https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44
	https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed
	https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c