CVE-2019-19447
Target
Linux Kernel ext4 FileSystem
| Linux Version | Availability |
|---|---|
| 5.0.21 | True |
Bug Type
use-after-free
Abstract
Unmounting after some operations (with a crafted image) can cause a use-after-free in the ext4_put_super function.
It can be triggered not only locally (mounting the ext4 image from a local shell), but also "remotely" in the sense of mounting corrupted external storage (a USB drive or other device carrying the crafted ext4 image).
Reproduce
gcc -o poc poc_2019_19447.c
mkdir mnt
mount poc_2019_19447.img ./mnt
cp poc ./mnt/
cd mnt
./poc
sync
cd ..
umount ./mnt
Details
Debug view
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x7
RBX 0xffff88805c795500 —▸ 0xffffffff84a52220 (super_blocks) —▸ 0xffff88805e860000 —▸ 0xffff88805e860880 —▸ 0xffff88805e867700 ◂— ...
RCX 0x0
RDX 0xfb
RDI 0xffff888056ca499c ◂— 0x0
RSI 0x8
R8 0xffffed100bdc6061 ◂— 0
R9 0xffffed100bdc6061 ◂— 0
R10 0x228
R11 0xffffed100bdc6060 ◂— 0
R12 0xdffffc0000000000
R13 0xffff888056ca49e0 —▸ 0xffff88805c793d88 ◂— 0xffff888056ca49e0
R14 0xffff88805c793d88 —▸ 0xffff888056ca49e0 ◂— 0xffff88805c793d88
R15 0xffff88805c793b80 ◂— 0x20 /* ' ' */
RBP 0xffff88805866fd10 —▸ 0xffff88805866fd40 —▸ 0xffff88805866fd68 —▸ 0xffff88805866fd88 —▸ 0xffff88805866fe28 ◂— ...
RSP 0xffff88805866fcb0 —▸ 0xffff88805866fca8 —▸ 0xffffffff81b54009 (ext4_put_super+1081) ◂— mov rdx, r14 /* 0xb848f2894c */
RIP 0xffffffff81b54822 (ext4_put_super+3154) ◂— 0xfea8e9ffc406e9e8
──────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────
0xffffffff81b546c5 <ext4_put_super+2805> add eax, 3
0xffffffff81b546c8 <ext4_put_super+2808> cmp al, dl
0xffffffff81b546ca <ext4_put_super+2810> jl ext4_put_super+2820 <0xffffffff81b546d4>
0xffffffff81b546cc <ext4_put_super+2812> test dl, dl
0xffffffff81b546ce <ext4_put_super+2814> jne ext4_put_super+3154 <0xffffffff81b54822>
↓
► 0xffffffff81b54822 <ext4_put_super+3154> call __asan_report_load4_noabort <0xffffffff81794f10>
rdi: 0xffff888056ca499c ◂— 0x0
0xffffffff81b54827 <ext4_put_super+3159> jmp ext4_put_super+2820 <0xffffffff81b546d4>
0xffffffff81b5482c <ext4_put_super+3164> call __asan_report_load4_noabort <0xffffffff81794f10>
0xffffffff81b54831 <ext4_put_super+3169> jmp ext4_put_super+2858 <0xffffffff81b546fa>
0xffffffff81b54836 <ext4_put_super+3174> mov rdi, r14
0xffffffff81b54839 <ext4_put_super+3177> call __asan_report_load8_noabort <0xffffffff81794f30>
───────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /home/phantom/kernel/ubuntu-eoan/fs/ext4/super.c
932 le32_to_cpu(sbi->s_es->s_last_orphan));
933
934 printk(KERN_ERR "sb_info orphan list:\n");
935 list_for_each(l, &sbi->s_orphan) {
936 struct inode *inode = orphan_list_entry(l);
► 937 printk(KERN_ERR " "
938 "inode %s:%lu at %p: mode %o, nlink %d, next %d\n",
939 inode->i_sb->s_id, inode->i_ino, inode,
940 inode->i_mode, inode->i_nlink,
941 NEXT_ORPHAN(inode));
942 }
───────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0xffff88805866fcb0 —▸ 0xffff88805866fca8 —▸ 0xffffffff81b54009 (ext4_put_super+1081) ◂— mov rdx, r14 /* 0xb848f2894c */
01:0008│ 0xffff88805866fcb8 —▸ 0xffffffff818fe3cd (__sync_blockdev+93) ◂— pop rbx /* 0x7500023c80c35d5b */
02:0010│ 0xffff88805866fcc0 —▸ 0xffff88805c793be8 —▸ 0xffff888058c3b400 ◂— 0x400000001000
03:0018│ 0xffff88805866fcc8 —▸ 0xffff88805c793bf0 —▸ 0xffff88805b86b648 ◂— 0x0
04:0020│ 0xffff88805866fcd0 —▸ 0xffff88805c793bb0 ◂— 1
05:0028│ 0xffff88805866fcd8 —▸ 0xffff88805c7958a8 —▸ 0xffff88805c793b80 ◂— 0x20 /* ' ' */
06:0030│ 0xffff88805866fce0 —▸ 0xffff888056ca4a48 ◂— 0xd81a4
07:0038│ 0xffff88805866fce8 —▸ 0xffff88805c795500 —▸ 0xffffffff84a52220 (super_blocks) —▸ 0xffff88805e860000 —▸ 0xffff88805e860880 ◂— ...
─────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 ffffffff81b54822 ext4_put_super+3154
f 1 ffffffff81b54822 ext4_put_super+3154
f 2 ffffffff81825327 generic_shutdown_super+311
f 3 ffffffff81827704 kill_block_super+164
f 4 ffffffff818265f7 deactivate_locked_super+151
f 5 ffffffff8182763e deactivate_super+350
f 6 ffffffff8188da72 cleanup_mnt+674
f 7 ffffffff8188dc62 __cleanup_mnt+18
f 8 ffffffff81213f5c task_work_run+268
f 9 ffffffff8100844c exit_to_usermode_loop+444
f 10 ffffffff8100844c exit_to_usermode_loop+444
───────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> x/xg $25->i_mode
0x0 <fixed_percpu_data>: Cannot access memory at address 0x0
pwndbg> x/xg &$25->i_mode
0xffff888056ca499c: 0x0000000000000000
The local variable inode points to memory that has already been freed (the read of inode->i_mode is a use-after-free).
Bug causes
fs/ext4/super.c:1022 (link)
/*
 * Dump the superblock's orphan-inode bookkeeping: the on-disk orphan head
 * (s_last_orphan) followed by every inode still linked on the in-memory
 * list sbi->s_orphan.
 *
 * @sb:  the superblock being dumped (used for ext4_msg)
 * @sbi: its ext4_sb_info; s_es and s_orphan are read from it
 *
 * Every entry on sbi->s_orphan is assumed to be a live inode. In the crash
 * described in this write-up that assumption does not hold: the log shows
 * ext4_destroy_inode reporting "orphan list check failed!" for inode 16, and
 * the KASAN trace shows the inode object being freed (ext4_free_in_core_inode
 * from an RCU callback) while apparently still linked on this list, so the
 * reads below dereference freed memory. This dump is where the use-after-free
 * is observed, not where the list was left inconsistent.
 */
static void dump_orphan_list(struct super_block *sb, struct ext4_sb_info *sbi)
{
	struct list_head *l;

	/* On-disk head of the orphan chain, as recorded in the ext4 superblock. */
	ext4_msg(sb, KERN_ERR, "sb orphan head is %d",
		 le32_to_cpu(sbi->s_es->s_last_orphan));
	printk(KERN_ERR "sb_info orphan list:\n");
	list_for_each(l, &sbi->s_orphan) {
		/* NOTE(review): orphan_list_entry() is not shown on this page;
		 * presumably a list_entry() into the containing ext4_inode_info
		 * — confirm against fs/ext4. */
		struct inode *inode = orphan_list_entry(l);
		/* [1] The write-up attributes the KASAN-reported 4-byte read,
		 * 60 bytes into the freed ext4_inode_cache object, to
		 * inode->i_mode; i_sb, i_ino, i_nlink and NEXT_ORPHAN(inode)
		 * are read from the same object and are equally stale. */
		printk(KERN_ERR " "
		       "inode %s:%lu at %p: mode %o, nlink %d, next %d\n",
		       inode->i_sb->s_id, inode->i_ino, inode,
		       inode->i_mode, inode->i_nlink,
		       NEXT_ORPHAN(inode));
	}
}
local variable inode is already freed.
The use-after-free occurs on the read of inode->i_mode, marked [1] above.
KASAN logs
on exec poc
[ 70.514180] EXT4-fs (loop0): Inode 16 (00000000398b8d7e): orphan list check failed!
[ 70.515448] 00000000398b8d7e: 0002f30a 00000004 00000000 00000000 ................
[ 70.516068] 0000000031a80184: 00000001 00002602 00000005 00000005 .....&..........
[ 70.516410] 00000000b74037e1: 00000415 00000000 00000000 00000000 ................
[ 70.516764] 00000000e38e5d58: 00000000 00000000 00000000 00000000 ................
[ 70.516925] 000000001b41d036: 00000000 00000000 00000000 00000000 ................
[ 70.517453] 000000000e0c9cd1: 00080000 00000081 00000000 00000000 ................
[ 70.518007] 0000000090f825fb: 5e3a4441 ffff8880 00000000 00000000 AD:^............
[ 70.518741] 00000000dde5e99d: 5711a5f0 ffff8880 5711a5f0 ffff8880 ...W.......W....
[ 70.519063] 0000000066c4afe3: 5c5e0208 ffff8880 5c5e0208 ffff8880 ..^\......^\....
[ 70.520489] 00000000582fb0f0: 000026a2 00000000 00000000 00000000 .&..............
[ 70.521006] 00000000f2ccc187: 00000000 00000000 00000000 00000000 ................
[ 70.521475] 00000000c5600ccd: 5711a630 ffff8880 5711a630 ffff8880 0..W....0..W....
[ 70.521801] 000000008102adde: 00000000 00000000 00000000 00000000 ................
[ 70.522801] 0000000094c61296: 00000000 00000000 5711a658 ffff8880 ........X..W....
[ 70.523224] 000000001c750527: 5711a658 ffff8880 000d81a4 00000000 X..W............
[ 70.523720] 00000000f2d11ef7: 00000000 00001000 ffffffff ffffffff ................
[ 70.524032] 0000000075b985f1: ffffffff ffffffff 83f66b00 ffffffff .........k......
[ 70.524529] 000000007aa63ddb: 5ba29980 ffff8880 5711a7d8 ffff8880 ...[.......W....
[ 70.525093] 00000000d7d55bea: 00000000 00000000 00000010 00000000 ................
[ 70.525594] 0000000022c200c6: 00000001 00000000 000026a2 00000000 .........&......
[ 70.530151] 0000000083f74df1: 5b437ccf 00000000 00000000 00000000 .|C[............
[ 70.530437] 00000000d295a5ce: 5de00a4b 00000000 00000000 00000000 K..]............
[ 70.533894] 000000002151a88f: 5de00a4d 00000000 00000000 00000000 M..]............
[ 70.535197] 00000000489bb644: 00000000 000a0000 0000000c 00000000 ................
[ 70.535944] 0000000077b78e8d: 00000060 00000000 00000000 00000000 `...............
[ 70.536336] 000000005d682604: 00000000 00000000 00000000 00000000 ................
[ 70.536749] 00000000e44b8b5f: 5711a720 ffff8880 5711a720 ffff8880 ..W.... ..W....
[ 70.537225] 00000000ebfe0158: ffff1c92 00000000 00000000 00000000 ................
[ 70.537696] 0000000057913d6d: 00000000 00000000 00000000 00000000 ................
[ 70.538151] 000000004f35597b: 5711a750 ffff8880 5711a750 ffff8880 P..W....P..W....
[ 70.538513] 00000000aa1c2ea5: 00000000 00000000 00000000 00000000 ................
[ 70.539378] 00000000d626d83a: 5711a770 ffff8880 5711a770 ffff8880 p..W....p..W....
[ 70.540006] 000000001f8ec46f: 5711a780 ffff8880 5711a780 ffff8880 ...W.......W....
[ 70.540404] 00000000fa059804: 5711a790 ffff8880 5711a790 ffff8880 ...W.......W....
[ 70.540737] 00000000b4137f30: 00000000 00000000 00000000 00000000 ................
[ 70.541137] 000000001a0b7eb1: 00000003 00000000 00000000 00000000 ................
[ 70.541709] 000000000a0bfc9d: 00000000 00000000 83f66be0 ffffffff .........k......
[ 70.542431] 00000000722b027b: 00000000 00000000 5711a668 ffff8880 ........h..W....
[ 70.547118] 000000006819311e: 00000000 00000021 00000000 00000000 ....!...........
[ 70.553702] 0000000039ad89ec: 00100cca 00000000 00000000 00000000 ................
[ 70.553878] 00000000d70b18d2: 00000000 00000000 00000000 00000000 ................
[ 70.554071] 00000000830fd3a8: 00000000 00000000 00000000 00000000 ................
[ 70.554320] 0000000050b6025a: 5711a820 ffff8880 5711a820 ffff8880 ..W.... ..W....
[ 70.556063] 00000000ebe5db74: 00000000 00000000 00000000 00000000 ................
[ 70.557593] 000000001f87a59a: 00000002 00000000 83f699c0 ffffffff ................
[ 70.559632] 0000000021876c93: 00000010 00000000 00000000 00000000 ................
[ 70.560213] 000000007c60ff65: 5711a860 ffff8880 5711a860 ffff8880 `..W....`..W....
[ 70.560868] 00000000b1bd0065: 00000000 00000000 5711a878 ffff8880 ........x..W....
[ 70.561605] 0000000085c214ec: 5711a878 ffff8880 00000000 00000000 x..W............
[ 70.562170] 000000007c068c98: 709b874b 00000000 00000000 00000000 K..p............
[ 70.571184] 00000000a7404afe: 00000000 00000000 00000000 00000000 ................
[ 70.572391] 000000004e2bf3f0: 00000000 00000000 00000000 00000000 ................
[ 70.573505] 00000000540f7073: 00000000 00000000 00000000 00000000 ................
[ 70.575277] 0000000063397336: 5711a8d0 ffff8880 5711a8d0 ffff8880 ...W.......W....
[ 70.576702] 00000000de9c6f36: 00000000 00000000 00000000 00000000 ................
[ 70.577079] 00000000ce801087: 00000000 00000000 00000000 00000000 ................
[ 70.577924] 000000009d7ca9b2: 5711a900 ffff8880 5711a900 ffff8880 ...W.......W....
[ 70.579019] 0000000011d25d53: 00000000 00000000 00000000 ffffffff ................
[ 70.579676] 000000005397d68a: 00000000 00000000 00000000 00000000 ................
[ 70.580091] 000000007552ca24: 00000000 00000000 00000000 00000000 ................
[ 70.580538] 00000000736e80a0: 00000000 00000000 00000000 00000000 ................
[ 70.581013] 00000000c20fcf10: 5711a950 ffff8880 5711a950 ffff8880 P..W....P..W....
[ 70.581606] 0000000059bd8892: ffffffe0 0000000f 5711a968 ffff8880 ........h..W....
[ 70.581854] 000000002f550778: 5711a968 ffff8880 81af3590 ffffffff h..W.....5......
[ 70.582275] 00000000b172abd5: 00000000 00000000 0000001d 00000018 ................
[ 70.584187] 0000000097935071: 00000000 00000000 00000000 00000000 ................
[ 70.585094] 000000005b513948: 00000000 00000000 00000000 00000000 ................
[ 70.587113] CPU: 0 PID: 327 Comm: umount Not tainted 5.3.7 #1
[ 70.587848] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 70.587982] Call Trace:
[ 70.587982] dump_stack+0x7b/0xb5
[ 70.587982] ext4_destroy_inode+0xe0/0x110
[ 70.587982] destroy_inode+0xc5/0x1a0
[ 70.587982] evict+0x348/0x530
[ 70.587982] ? _raw_spin_lock+0x82/0xf0
[ 70.587982] dispose_list+0xe7/0x1d0
[ 70.587982] evict_inodes+0x2fa/0x400
[ 70.587982] ? dispose_list+0x1d0/0x1d0
[ 70.591535] ? __sync_blockdev+0x5d/0xb0
[ 70.591535] ? __sync_filesystem+0x9c/0xd0
[ 70.591535] generic_shutdown_super+0xb3/0x380
[ 70.591535] kill_block_super+0xa4/0x1f0
[ 70.591535] deactivate_locked_super+0x97/0xe0
[ 70.591535] deactivate_super+0x15e/0x180
[ 70.591535] ? destroy_unused_super+0xf0/0xf0
[ 70.591535] ? dput+0x5e/0x780
[ 70.591535] cleanup_mnt+0x2a2/0x400
[ 70.591535] __cleanup_mnt+0x12/0x20
[ 70.591535] task_work_run+0x10c/0x180
[ 70.594978] exit_to_usermode_loop+0x1bc/0x280
[ 70.594978] do_syscall_64+0x25b/0x2f0
[ 70.594978] ? prepare_exit_to_usermode+0xf1/0x1a0
[ 70.594978] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.594978] RIP: 0033:0x7f2018f8ed77
[ 70.594978] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[ 70.594978] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 70.594978] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[ 70.594978] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[ 70.594978] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[ 70.594978] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[ 70.594978] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
cc[ 71.766132] EXT4-fs (loop0): sb orphan head is 16
[ 71.797307] sb_info orphan list:
on umount
[ 71.797689] ==================================================================
[ 71.799205] BUG: KASAN: use-after-free in ext4_put_super+0xc57/0xd30
[ 71.799205] Read of size 4 at addr ffff88805711a5bc by task umount/327
[ 71.799205]
[ 71.799205] CPU: 0 PID: 327 Comm: umount Not tainted 5.3.7 #1
[ 71.799205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 71.799205] Call Trace:
[ 71.799205] dump_stack+0x7b/0xb5
[ 71.799205] print_address_description+0x7c/0x3b0
[ 71.799205] ? ext4_put_super+0xc57/0xd30
[ 71.799205] __kasan_report+0x134/0x191
[ 71.799205] ? ext4_put_super+0xc57/0xd30
[ 71.799205] ? ext4_put_super+0xc57/0xd30
[ 71.799205] kasan_report+0x12/0x20
[ 71.799205] __asan_report_load4_noabort+0x14/0x20
[ 71.799205] ext4_put_super+0xc57/0xd30
[ 71.799205] ? __sync_blockdev+0x5d/0xb0
[ 71.799205] generic_shutdown_super+0x137/0x380
[ 71.799205] kill_block_super+0xa4/0x1f0
[ 71.799205] deactivate_locked_super+0x97/0xe0
[ 71.799205] deactivate_super+0x15e/0x180
[ 71.799205] ? destroy_unused_super+0xf0/0xf0
[ 71.799205] ? dput+0x5e/0x780
[ 71.799205] cleanup_mnt+0x2a2/0x400
[ 71.799205] __cleanup_mnt+0x12/0x20
[ 71.799205] task_work_run+0x10c/0x180
[ 71.799205] exit_to_usermode_loop+0x1bc/0x280
[ 71.799205] do_syscall_64+0x25b/0x2f0
[ 71.799205] ? prepare_exit_to_usermode+0xf1/0x1a0
[ 71.799205] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 71.799205] RIP: 0033:0x7f2018f8ed77
[ 71.799205] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[ 71.799205] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 71.799205] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[ 71.799205] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[ 71.799205] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[ 71.799205] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[ 71.799205] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
[ 71.799205]
[ 71.799205] Allocated by task 324:
[ 71.799205] save_stack+0x21/0x90
[ 71.799205] __kasan_kmalloc+0xcc/0xe0
[ 71.799205] kasan_slab_alloc+0x14/0x20
[ 71.799205] kmem_cache_alloc+0xd3/0x260
[ 71.799205] ext4_alloc_inode+0x1d/0x700
[ 71.799205] alloc_inode+0x60/0x190
[ 71.799205] iget_locked+0x157/0x3f0
[ 71.799205] __ext4_iget+0x210/0x5620
[ 71.799205] ext4_lookup+0x2ad/0x6d0
[ 71.799205] __lookup_slow+0x1af/0x3a0
[ 71.799205] lookup_slow+0x56/0x80
[ 71.799205] walk_component+0x6a5/0xfa0
[ 71.799205] path_lookupat+0x18f/0x8c0
[ 71.799205] filename_lookup+0x183/0x3c0
[ 71.799205] user_path_at_empty+0x36/0x40
[ 71.799205] do_sys_truncate+0x8e/0x120
[ 71.799205] __x64_sys_truncate+0x54/0x80
[ 71.799205] do_syscall_64+0xa5/0x2f0
[ 71.799205] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 71.799205]
[ 71.799205] Freed by task 9:
[ 71.799205] save_stack+0x21/0x90
[ 71.799205] __kasan_slab_free+0x137/0x180
[ 71.799205] kasan_slab_free+0xe/0x10
[ 71.799205] kmem_cache_free+0xe3/0x2e0
[ 71.799205] ext4_free_in_core_inode+0x25/0x30
[ 71.799205] i_callback+0x44/0x70
[ 71.799205] rcu_core+0x414/0xe90
[ 71.799205] rcu_core_si+0xe/0x10
[ 71.799205] __do_softirq+0x1b2/0x605
[ 71.799205]
[ 71.799205] The buggy address belongs to the object at ffff88805711a580
[ 71.799205] which belongs to the cache ext4_inode_cache of size 1072
[ 71.799205] The buggy address is located 60 bytes inside of
[ 71.799205] 1072-byte region [ffff88805711a580, ffff88805711a9b0)
[ 71.799205] The buggy address belongs to the page:
[ 71.799205] page:ffffea00015c4600 refcount:1 mapcount:0 mapping:ffff88805c8c6600 index:0x0 compound_mapcount: 0
[ 71.799205] flags: 0xfffffc0010200(slab|head)
[ 71.799205] raw: 000fffffc0010200 dead000000000100 dead000000000122 ffff88805c8c6600
[ 71.799205] raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
[ 71.799205] page dumped because: kasan: bad access detected
[ 71.799205]
[ 71.799205] Memory state around the buggy address:
[ 71.799205] ffff88805711a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.799205] ffff88805711a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.799205] >ffff88805711a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.799205] ^
[ 71.799205] ffff88805711a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.799205] ffff88805711a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.799205] ==================================================================
[ 71.799205] Disabling lock debugging due to kernel taint
[ 71.841308] inode loop0:16 at 000000003fa23361: mode 100644, nlink 1, next 0
[ 71.843393] ------------[ cut here ]------------
[ 71.843657] kernel BUG at fs/ext4/super.c:1028!
[ 71.844866] invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 71.845300] CPU: 0 PID: 327 Comm: umount Tainted: G B 5.3.7 #1
[ 71.845883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 71.846901] RIP: 0010:ext4_put_super+0x958/0xd30
[ 71.846901] Code: 00 00 00 00 00 fc ff df 66 45 89 65 3a 48 c1 ea 03 80 3c 02 00 0f 85 1d 03 00 00 f6 43 50 01 0f 85 7b f8 ff ff e9 69 f8 ff ff <0f> 0b 49 8d 7f 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea
[ 71.846901] RSP: 0018:ffff888057bbfcb0 EFLAGS: 00000202
[ 71.846901] RAX: ffff88805711a600 RBX: ffff88805ba29980 RCX: ffffffff81b547bb
[ 71.846901] RDX: 1ffff1100b8bc041 RSI: 0000000000000008 RDI: ffff88805711a600
[ 71.846901] RBP: ffff888057bbfd10 R08: ffffed100bdc6061 R09: ffffed100bdc6061
[ 71.846901] R10: 0000000000000001 R11: ffffed100bdc6060 R12: dffffc0000000000
[ 71.846901] R13: ffff88805c5e0208 R14: ffff88805c5e0208 R15: ffff88805c5e0000
[ 71.846901] FS: 00007f20196ace40(0000) GS:ffff88805ee00000(0000) knlGS:0000000000000000
[ 71.846901] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.846901] CR2: 00007fb2b78a8020 CR3: 000000005b412000 CR4: 00000000000006f0
[ 71.846901] Call Trace:
[ 71.846901] ? __sync_blockdev+0x5d/0xb0
[ 71.846901] generic_shutdown_super+0x137/0x380
[ 71.846901] kill_block_super+0xa4/0x1f0
[ 71.846901] deactivate_locked_super+0x97/0xe0
[ 71.846901] deactivate_super+0x15e/0x180
[ 71.846901] ? destroy_unused_super+0xf0/0xf0
[ 71.846901] ? dput+0x5e/0x780
[ 71.846901] cleanup_mnt+0x2a2/0x400
[ 71.846901] __cleanup_mnt+0x12/0x20
[ 71.846901] task_work_run+0x10c/0x180
[ 71.846901] exit_to_usermode_loop+0x1bc/0x280
[ 71.846901] do_syscall_64+0x25b/0x2f0
[ 71.846901] ? prepare_exit_to_usermode+0xf1/0x1a0
[ 71.846901] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 71.846901] RIP: 0033:0x7f2018f8ed77
[ 71.846901] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[ 71.846901] RSP: 002b:00007ffecf2bf808 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 71.846901] RAX: 0000000000000000 RBX: 000055ae60680060 RCX: 00007f2018f8ed77
[ 71.846901] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055ae60686e30
[ 71.846901] RBP: 000055ae60686e30 R08: 000055ae60685080 R09: 0000000000000014
[ 71.846901] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f2019490e64
[ 71.846901] R13: 0000000000000000 R14: 000055ae60680240 R15: 00007ffecf2bfa90
[ 71.846901] Modules linked in:
[ 71.866012] ---[ end trace eaddedf1fbf9a8ba ]---
[ 71.866267] RIP: 0010:ext4_put_super+0x958/0xd30
[ 71.866423] Code: 00 00 00 00 00 fc ff df 66 45 89 65 3a 48 c1 ea 03 80 3c 02 00 0f 85 1d 03 00 00 f6 43 50 01 0f 85 7b f8 ff ff e9 69 f8 ff ff <0f> 0b 49 8d 7f 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea
[ 71.872138] RSP: 0018:ffff888057bbfcb0 EFLAGS: 00000202
[ 71.872528] RAX: ffff88805711a600 RBX: ffff88805ba29980 RCX: ffffffff81b547bb
[ 71.873012] RDX: 1ffff1100b8bc041 RSI: 0000000000000008 RDI: ffff88805711a600
[ 71.873189] RBP: ffff888057bbfd10 R08: ffffed100bdc6061 R09: ffffed100bdc6061
[ 71.873367] R10: 0000000000000001 R11: ffffed100bdc6060 R12: dffffc0000000000
[ 71.873718] R13: ffff88805c5e0208 R14: ffff88805c5e0208 R15: ffff88805c5e0000
[ 71.874570] FS: 00007f20196ace40(0000) GS:ffff88805ee00000(0000) knlGS:0000000000000000
[ 71.877602] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.877981] CR2: 00007fb2b78a8020 CR3: 000000005b412000 CR4: 00000000000006f0
./emount.sh: line 19: 327 Segmentation fault umount ./mnt
Conclusion
Unmounting after some operations (with a crafted image) can cause a use-after-free in the ext4_put_super function.
It could be used for malicious purposes.
Discoverer
Team bobfuzzer
Acknowledgments
This project used a version of the filesystem fuzzer 'JANUS', developed by the Georgia Tech Systems Software & Security Lab (SSLab), ported to the 5.0.21 and 5.3.14 Linux kernels.
Thank you for the excellent fuzzer and paper below.