cve/published/2022/CVE-2022-49763.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49763: ntfs: fix use-after-free in ntfs_attr_find()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ntfs: fix use-after-free in ntfs_attr_find()

 Patch series "ntfs: fix bugs about Attribute", v2.

 This patchset fixes three bugs relative to Attribute in record:

 Patch 1 adds a sanity check to ensure that, attrs_offset field in first
 mft record loading from disk is within bounds.

 Patch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid
 dereferencing ATTR_RECORD before checking this ATTR_RECORD is within
 bounds.

 Patch 3 adds an overflow checking to avoid possible forever loop in
 ntfs_attr_find().

 Without patch 1 and patch 2, the kernel triggersa KASAN use-after-free
 detection as reported by Syzkaller.

 Although one of patch 1 or patch 2 can fix this, we still need both of
 them.  Because patch 1 fixes the root cause, and patch 2 not only fixes
 the direct cause, but also fixes the potential out-of-bounds bug.


 This patch (of 3):

 Syzkaller reported use-after-free read as follows:
 ==================================================================
 BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
 Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607

 [...]
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_address_description mm/kasan/report.c:317 [inline]
  print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
  kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
  ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
  ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193
  ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845
  ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854
  mount_bdev+0x34d/0x410 fs/super.c:1400
  legacy_get_tree+0x105/0x220 fs/fs_context.c:610
  vfs_get_tree+0x89/0x2f0 fs/super.c:1530
  do_new_mount fs/namespace.c:3040 [inline]
  path_mount+0x1326/0x1e20 fs/namespace.c:3370
  do_mount fs/namespace.c:3383 [inline]
  __do_sys_mount fs/namespace.c:3591 [inline]
  __se_sys_mount fs/namespace.c:3568 [inline]
  __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  [...]
  </TASK>

 The buggy address belongs to the physical page:
 page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350
 head:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0
 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
 raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140
 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected
 Memory state around the buggy address:
  ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

 Kernel will loads $MFT/$DATA's first mft record in
 ntfs_read_inode_mount().

 Yet the problem is that after loading, kernel doesn't check whether
 attrs_offset field is a valid value.

 To be more specific, if attrs_offset field is larger than bytes_allocated
 field, then it may trigger the out-of-bounds read bug(reported as
 use-after-free bug) in ntfs_attr_find(), when kernel tries to access the
 corresponding mft record's attribute.

 This patch solves it by adding the sanity check between attrs_offset field
 and bytes_allocated field, after loading the first mft record.

 The Linux kernel CVE team has assigned CVE-2022-49763 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.334 with commit 79f3ac7dcd12c05b7539239a4c6fa229a50d786c
 	Fixed in 4.14.300 with commit fb2004bafd1932e08d21ca604ee5844f2b7f212d
 	Fixed in 4.19.267 with commit d0006d739738a658a9c29b438444259d9f71dfa0
 	Fixed in 5.4.225 with commit 266bd5306286316758e6246ea0345133427b0f62
 	Fixed in 5.10.156 with commit b825bfbbaafbe8da2037e3a778ad660c59f9e054
 	Fixed in 5.15.80 with commit 5330c423b86263ac7883fef0260b9e2229cb531e
 	Fixed in 6.0.10 with commit 4863f815463034f588a035cfd99cdca97a4f1069
 	Fixed in 6.1 with commit d85a1bec8e8d552ab13163ca1874dcd82f3d1550

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49763
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ntfs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c
 	https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d
 	https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0
 	https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62
 	https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054
 	https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e
 	https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069
 	https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49763: ntfs: fix use-after-free in ntfs_attr_find()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ntfs: fix use-after-free in ntfs_attr_find()

	Patch series "ntfs: fix bugs about Attribute", v2.

	This patchset fixes three bugs relative to Attribute in record:

	Patch 1 adds a sanity check to ensure that, attrs_offset field in first
	mft record loading from disk is within bounds.

	Patch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid
	dereferencing ATTR_RECORD before checking this ATTR_RECORD is within
	bounds.

	Patch 3 adds an overflow checking to avoid possible forever loop in
	ntfs_attr_find().

	Without patch 1 and patch 2, the kernel triggersa KASAN use-after-free
	detection as reported by Syzkaller.

	Although one of patch 1 or patch 2 can fix this, we still need both of
	them. Because patch 1 fixes the root cause, and patch 2 not only fixes
	the direct cause, but also fixes the potential out-of-bounds bug.


	This patch (of 3):

	Syzkaller reported use-after-free read as follows:
	==================================================================
	BUG: KASAN: use-after-free in ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
	Read of size 2 at addr ffff88807e352009 by task syz-executor153/3607

	[...]
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	print_address_description mm/kasan/report.c:317 [inline]
	print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
	kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
	ntfs_attr_find+0xc02/0xce0 fs/ntfs/attrib.c:597
	ntfs_attr_lookup+0x1056/0x2070 fs/ntfs/attrib.c:1193
	ntfs_read_inode_mount+0x89a/0x2580 fs/ntfs/inode.c:1845
	ntfs_fill_super+0x1799/0x9320 fs/ntfs/super.c:2854
	mount_bdev+0x34d/0x410 fs/super.c:1400
	legacy_get_tree+0x105/0x220 fs/fs_context.c:610
	vfs_get_tree+0x89/0x2f0 fs/super.c:1530
	do_new_mount fs/namespace.c:3040 [inline]
	path_mount+0x1326/0x1e20 fs/namespace.c:3370
	do_mount fs/namespace.c:3383 [inline]
	__do_sys_mount fs/namespace.c:3591 [inline]
	__se_sys_mount fs/namespace.c:3568 [inline]
	__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	[...]
	</TASK>

	The buggy address belongs to the physical page:
	page:ffffea0001f8d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e350
	head:ffffea0001f8d400 order:3 compound_mapcount:0 compound_pincount:0
	flags: 0xfff00000010200(slab\|head\|node=0\|zone=1\|lastcpupid=0x7ff)
	raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842140
	raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected
	Memory state around the buggy address:
	ffff88807e351f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff88807e351f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	>ffff88807e352000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	^
	ffff88807e352080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	ffff88807e352100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	==================================================================

	Kernel will loads $MFT/$DATA's first mft record in
	ntfs_read_inode_mount().

	Yet the problem is that after loading, kernel doesn't check whether
	attrs_offset field is a valid value.

	To be more specific, if attrs_offset field is larger than bytes_allocated
	field, then it may trigger the out-of-bounds read bug(reported as
	use-after-free bug) in ntfs_attr_find(), when kernel tries to access the
	corresponding mft record's attribute.

	This patch solves it by adding the sanity check between attrs_offset field
	and bytes_allocated field, after loading the first mft record.

	The Linux kernel CVE team has assigned CVE-2022-49763 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.334 with commit 79f3ac7dcd12c05b7539239a4c6fa229a50d786c
	Fixed in 4.14.300 with commit fb2004bafd1932e08d21ca604ee5844f2b7f212d
	Fixed in 4.19.267 with commit d0006d739738a658a9c29b438444259d9f71dfa0
	Fixed in 5.4.225 with commit 266bd5306286316758e6246ea0345133427b0f62
	Fixed in 5.10.156 with commit b825bfbbaafbe8da2037e3a778ad660c59f9e054
	Fixed in 5.15.80 with commit 5330c423b86263ac7883fef0260b9e2229cb531e
	Fixed in 6.0.10 with commit 4863f815463034f588a035cfd99cdca97a4f1069
	Fixed in 6.1 with commit d85a1bec8e8d552ab13163ca1874dcd82f3d1550

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49763
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ntfs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c
	https://git.kernel.org/stable/c/fb2004bafd1932e08d21ca604ee5844f2b7f212d
	https://git.kernel.org/stable/c/d0006d739738a658a9c29b438444259d9f71dfa0
	https://git.kernel.org/stable/c/266bd5306286316758e6246ea0345133427b0f62
	https://git.kernel.org/stable/c/b825bfbbaafbe8da2037e3a778ad660c59f9e054
	https://git.kernel.org/stable/c/5330c423b86263ac7883fef0260b9e2229cb531e
	https://git.kernel.org/stable/c/4863f815463034f588a035cfd99cdca97a4f1069
	https://git.kernel.org/stable/c/d85a1bec8e8d552ab13163ca1874dcd82f3d1550