CVE-2019-19927
Target
Linux kernel f2fs filesystem (tested on 11/13/2019 using source obtained with `git clone git://kernel.ubuntu.com/ubuntu/linux.git`, emulated on VMware Workstation 15 with VMware Tools)
| Linux Version | Availability |
|---|---|
| 5.0.0-rc7 | True |
Bug Type
Out-of-bounds read (slab-out-of-bounds)
Abstract
Some operations (with a crafted f2fs filesystem image) can cause an out-of-bounds read in ttm_put_pages.
Reproducing this vulnerability may require a reboot (after running the PoC binary, rather than unmounting), or several attempts.
The same image and binary were used for CVE-2018-14616, but that was a null-pointer dereference and has been patched. This is either a recurrence of that vulnerability or a different, related slab-out-of-bounds read in the Linux kernel vmwgfx or ttm module.
Reproduce
gcc -o poc poc_2019_19927.c
mkdir mnt
mount poc_2019_19927.img ./mnt
cp poc ./mnt
cd mnt
./poc
cd ..
sync
umount mnt
Details
Bug causes
/* Put all pages in pages list to correct pool to wait for reuse */
static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
enum ttm_caching_state cstate)
{
struct ttm_page_pool *pool = ttm_get_pool(flags, false, cstate);
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
struct ttm_page_pool *huge = ttm_get_pool(flags, true, cstate);
#endif
unsigned long irq_flags;
unsigned i;
if (pool == NULL) {
/* No pool for this memory type so free the pages */
i = 0;
while (i < npages) {
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
struct page *p = pages[i];
#endif
unsigned order = 0, j;
if (!pages[i]) {
++i;
continue;
}
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
if (!(flags & TTM_PAGE_FLAG_DMA32)) {
for (j = 0; j < HPAGE_PMD_NR; ++j)
[1] if (p++ != pages[i + j]) // CRASH HERE
break;
if (j == HPAGE_PMD_NR)
order = HPAGE_PMD_ORDER;
}
#endif
In line [1], `pages[i + j]` is read out of bounds: the inner loop compares up to HPAGE_PMD_NR consecutive entries starting at index i, but nothing checks that i + j stays below npages before the access.
KASAN logs
[ 12.920937] ==================================================================
[ 12.920954] BUG: KASAN: slab-out-of-bounds in ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.920958] Read of size 8 at addr ffff888032301fa8 by task Xorg/891
[ 12.920964] CPU: 2 PID: 891 Comm: Xorg Not tainted 5.0.0-rc7-custom #1
[ 12.920966] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[ 12.920968] Call Trace:
[ 12.920974] dump_stack+0xd6/0x165
[ 12.920977] ? show_regs_print_info+0xb/0xb
[ 12.920981] ? printk+0x9c/0xc3
[ 12.920984] ? kmsg_dump_rewind_nolock+0x64/0x64
[ 12.920994] ? ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.920998] print_address_description+0x78/0x290
[ 12.921007] ? ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.921016] ? ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.921019] kasan_report+0x149/0x18c
[ 12.921028] ? ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.921032] __asan_load8+0x54/0x90
[ 12.921041] ttm_put_pages+0x8bf/0x9c0 [ttm]
[ 12.921051] ? ttm_pool_shrink_scan+0x170/0x170 [ttm]
[ 12.921055] ? kasan_check_write+0x14/0x20
[ 12.921059] ? iomem_map_sanity_check+0xd0/0x120
[ 12.921062] ? kasan_check_read+0x11/0x20
[ 12.921064] ? _raw_spin_lock+0x90/0xe0
[ 12.921067] ? _raw_write_lock_irq+0xf0/0xf0
[ 12.921076] ? ttm_mem_reg_ioremap+0x147/0x1c0 [ttm]
[ 12.921085] ? ttm_mem_global_free_zone+0x77/0xb0 [ttm]
[ 12.921096] ttm_pool_unpopulate_helper+0xd9/0x100 [ttm]
[ 12.921105] ttm_pool_unpopulate+0x21/0x30 [ttm]
[ 12.921123] vmw_ttm_unpopulate+0x70/0xe0 [vmwgfx]
[ 12.921132] ttm_tt_unpopulate.part.10+0xbc/0xd0 [ttm]
[ 12.921142] ttm_tt_destroy.part.11+0x8d/0x90 [ttm]
[ 12.921151] ttm_tt_destroy+0x13/0x20 [ttm]
[ 12.921160] ttm_bo_move_memcpy+0x90e/0x960 [ttm]
[ 12.921170] ? ttm_bo_kunmap+0x150/0x150 [ttm]
[ 12.921174] ? __mutex_lock_slowpath+0x20/0x20
[ 12.921184] ? ttm_mem_io_free_vm+0x196/0x1e0 [ttm]
[ 12.921187] ? kasan_check_write+0x14/0x20
[ 12.921190] ? mutex_unlock+0x22/0x40
[ 12.921202] ttm_bo_handle_move_mem+0xc90/0xcb0 [ttm]
[ 12.921204] ? _raw_write_lock_irq+0xf0/0xf0
[ 12.921214] ? ttm_bo_man_get_node+0xef/0x160 [ttm]
[ 12.921224] ? ttm_bo_add_move_fence.isra.18+0x31/0xc0 [ttm]
[ 12.921254] ? ttm_bo_mem_space+0x2a7/0x670 [ttm]
[ 12.921273] ttm_bo_validate+0x2a7/0x2e0 [ttm]
[ 12.921285] ? ttm_bo_evict_mm+0x70/0x70 [ttm]
[ 12.921288] ? _raw_write_lock_irq+0xf0/0xf0
[ 12.921299] ? ttm_eu_fence_buffer_objects+0x1c0/0x1c0 [ttm]
[ 12.921318] vmw_validation_bo_validate_single+0x116/0x160 [vmwgfx]
[ 12.921335] ? vmw_validation_res_reserve+0x2c0/0x2c0 [vmwgfx]
[ 12.921353] ? vmw_validation_res_reserve+0x210/0x2c0 [vmwgfx]
[ 12.921370] vmw_validation_bo_validate+0x178/0x1d0 [vmwgfx]
[ 12.921387] ? vmw_validation_bo_validate_single+0x160/0x160 [vmwgfx]
[ 12.921402] ? vmw_cmd_wait_query+0x220/0x220 [vmwgfx]
[ 12.921406] ? vzalloc+0x75/0x80
[ 12.921439] ? drm_ht_create+0x76/0xa0 [drm]
[ 12.921455] vmw_execbuf_process+0xf8a/0x1ec0 [vmwgfx]
[ 12.921490] ? vmw_cmd_wait_query+0x220/0x220 [vmwgfx]
[ 12.921511] ? __vmw_execbuf_release_pinned_bo+0x560/0x560 [vmwgfx]
[ 12.921516] ? unlock_page+0x86/0xf0
[ 12.921518] ? wake_up_page_bit+0x330/0x330
[ 12.921522] ? kasan_check_write+0x14/0x20
[ 12.921525] ? do_wp_page+0x51e/0x10a0
[ 12.921529] ? finish_mkwrite_fault+0x280/0x280
[ 12.921532] ? switch_mm_irqs_off+0x494/0xa80
[ 12.921538] ? __switch_to_asm+0x34/0x70
[ 12.921540] ? __switch_to_asm+0x34/0x70
[ 12.921543] ? __switch_to_asm+0x34/0x70
[ 12.921545] ? __switch_to_asm+0x34/0x70
[ 12.921548] ? __switch_to_asm+0x40/0x70
[ 12.921550] ? __switch_to_asm+0x34/0x70
[ 12.921552] ? __switch_to_asm+0x40/0x70
[ 12.921554] ? __switch_to_asm+0x34/0x70
[ 12.921556] ? __switch_to_asm+0x34/0x70
[ 12.921558] ? __switch_to_asm+0x40/0x70
[ 12.921561] ? __switch_to_asm+0x34/0x70
[ 12.921563] ? __switch_to_asm+0x40/0x70
[ 12.921566] ? _raw_spin_lock+0x90/0xe0
[ 12.921584] ? _raw_write_lock_irq+0xf0/0xf0
[ 12.921587] ? __schedule+0x529/0xe90
[ 12.921589] ? __account_cfs_rq_runtime+0x2f0/0x2f0
[ 12.921604] ? __ttm_read_lock+0x47/0x90 [vmwgfx]
[ 12.921651] ? ttm_read_lock+0x91/0x1a0 [vmwgfx]
[ 12.921668] ? ttm_read_unlock+0x50/0x50 [vmwgfx]
[ 12.921672] ? avc_has_extended_perms+0x4b6/0xa40
[ 12.921676] ? trace_event_raw_event_sched_process_exec+0x270/0x270
[ 12.921693] vmw_execbuf_ioctl+0x241/0x350 [vmwgfx]
[ 12.921710] ? vmw_execbuf_release_pinned_bo+0x50/0x50 [vmwgfx]
[ 12.921713] ? __rwsem_mark_wake+0x50c/0x5e0
[ 12.921717] ? kasan_check_read+0x11/0x20
[ 12.921720] ? __fget+0x2b1/0x350
[ 12.921737] vmw_generic_ioctl+0x3c2/0x440 [vmwgfx]
[ 12.921781] ? drm_ioctl_kernel+0x1d0/0x1d0 [drm]
[ 12.921795] ? vmw_probe+0x20/0x20 [vmwgfx]
[ 12.921798] ? rcu_cleanup_dead_rnp+0xa0/0xa0
[ 12.921801] ? kasan_check_read+0x11/0x20
[ 12.921815] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
[ 12.921818] do_vfs_ioctl+0x150/0xad0
[ 12.921821] ? ioctl_preallocate+0x1b0/0x1b0
[ 12.921824] ? selinux_capable+0x30/0x30
[ 12.921827] ? handle_mm_fault+0x29b/0x4a0
[ 12.921831] ksys_ioctl+0x75/0x80
[ 12.921833] __x64_sys_ioctl+0x43/0x50
[ 12.921837] do_syscall_64+0x133/0x300
[ 12.921839] ? syscall_return_slowpath+0x200/0x200
[ 12.921842] ? do_page_fault+0x9a/0x270
[ 12.921844] ? __do_page_fault+0x600/0x600
[ 12.921847] ? prepare_exit_to_usermode+0xf8/0x170
[ 12.921849] ? perf_trace_sys_enter+0x500/0x500
[ 12.921852] ? calculate_sigpending+0x48/0x70
[ 12.921856] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 12.921858] RIP: 0033:0x7fe155b495d7
[ 12.921861] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
[ 12.921863] RSP: 002b:00007ffd864c2a28 EFLAGS: 00003246 ORIG_RAX: 0000000000000010
[ 12.921865] RAX: ffffffffffffffda RBX: 00007ffd864c2bb8 RCX: 00007fe155b495d7
[ 12.921867] RDX: 00007ffd864c2aa0 RSI: 000000004020644c RDI: 000000000000000f
[ 12.921868] RBP: 00007ffd864c2aa0 R08: 0000000000000c80 R09: 0000000000000005
[ 12.921870] R10: 0000000000000039 R11: 0000000000003246 R12: 000000004020644c
[ 12.921871] R13: 000000000000000f R14: 000000000000004c R15: 0000000000000001
[ 12.921877] Allocated by task 891:
[ 12.921881] save_stack+0x43/0xd0
[ 12.921883] __kasan_kmalloc.constprop.8+0xa7/0xd0
[ 12.921885] kasan_kmalloc+0x9/0x10
[ 12.921887] __kmalloc_node+0x121/0x2f0
[ 12.921890] kvmalloc_node+0x31/0x80
[ 12.921897] ttm_tt_init+0xcb/0x130 [ttm]
[ 12.921910] vmw_ttm_tt_create+0xa8/0xe0 [vmwgfx]
[ 12.921917] ttm_tt_create+0xa3/0x110 [ttm]
[ 12.921925] ttm_bo_validate+0x28e/0x2e0 [ttm]
[ 12.921932] ttm_bo_init_reserved+0x8e5/0xa30 [ttm]
[ 12.921961] ttm_bo_init+0x138/0x210 [ttm]
[ 12.921978] vmw_bo_init+0x1b2/0x260 [vmwgfx]
[ 12.921995] vmw_user_bo_alloc+0x112/0x220 [vmwgfx]
[ 12.922012] vmw_bo_alloc_ioctl+0x117/0x280 [vmwgfx]
[ 12.922069] drm_ioctl_kernel+0x176/0x1d0 [drm]
[ 12.922119] drm_ioctl+0x58d/0x680 [drm]
[ 12.922135] vmw_generic_ioctl+0x2ed/0x440 [vmwgfx]
[ 12.922150] vmw_unlocked_ioctl+0x15/0x20 [vmwgfx]
[ 12.922153] do_vfs_ioctl+0x150/0xad0
[ 12.922155] ksys_ioctl+0x75/0x80
[ 12.922158] __x64_sys_ioctl+0x43/0x50
[ 12.922160] do_syscall_64+0x133/0x300
[ 12.922163] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 12.922166] Freed by task 442:
[ 12.922170] save_stack+0x43/0xd0
[ 12.922173] __kasan_slab_free+0x135/0x190
[ 12.922175] kasan_slab_free+0xe/0x10
[ 12.922178] kfree+0x98/0x1d0
[ 12.922180] kvfree+0x2a/0x40
[ 12.922183] single_release+0x3f/0x60
[ 12.922185] __fput+0x21a/0x510
[ 12.922187] ____fput+0xe/0x10
[ 12.922206] task_work_run+0x14a/0x1a0
[ 12.922208] exit_to_usermode_loop+0x227/0x240
[ 12.922210] do_syscall_64+0x2d8/0x300
[ 12.922212] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 12.922215] The buggy address belongs to the object at ffff888032301100
which belongs to the cache kmalloc-4k of size 4096
[ 12.922219] The buggy address is located 3752 bytes inside of
4096-byte region [ffff888032301100, ffff888032302100)
[ 12.922220] The buggy address belongs to the page:
[ 12.922244] page:ffffea0000c8c000 count:1 mapcount:0 mapping:ffff88805a80e840 index:0x0 compound_mapcount: 0
[ 12.922248] flags: 0xfffffc0010200(slab|head)
[ 12.922252] raw: 000fffffc0010200 0000000000000000 0000000100000001 ffff88805a80e840
[ 12.922255] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 12.922256] page dumped because: kasan: bad access detected
[ 12.922258] Memory state around the buggy address:
[ 12.922262] ffff888032301e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 12.922265] ffff888032301f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 12.922268] >ffff888032301f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 12.922270] ^
[ 12.922273] ffff888032302000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.922276] ffff888032302080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 12.922277] ==================================================================
[ 12.922279] Disabling lock debugging due to kernel taint
[ 19.433253] rfkill: input handler disabled
[ 297.595233] e1000: ens33 NIC Link is Down
[ 299.600641] e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 307.977897] F2FS-fs (loop16): Mounted with checkpoint version = 2
[ 308.140640] F2FS-fs (loop16): access invalid blkaddr:1024
[ 308.140719] WARNING: CPU: 0 PID: 4602 at fs/f2fs/checkpoint.c:160 f2fs_is_valid_blkaddr+0x262/0x350 [f2fs]
[ 308.140720] Modules linked in: f2fs crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport aesni_intel ac97_bus vmw_vsock_vmci_transport vsock snd_pcm vmw_balloon aes_x86_64 crypto_simd cryptd glue_helper intel_rapl_perf snd_seq_midi snd_seq_midi_event joydev input_leds snd_rawmidi serio_raw snd_seq snd_seq_device vmwgfx snd_timer ttm drm_kms_helper snd drm soundcore fb_sys_fops syscopyarea vmw_vmci sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic psmouse mptspi mptscsih ahci mptbase e1000 i2c_piix4 scsi_transport_spi libahci pata_acpi usbhid hid
[ 308.140791] CPU: 0 PID: 4602 Comm: pool Tainted: G B 5.0.0-rc7-custom #1
[ 308.140793] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[ 308.140816] RIP: 0010:f2fs_is_valid_blkaddr+0x262/0x350 [f2fs]
[ 308.140820] Code: 0f 85 3f fe ff ff 48 89 df 88 45 d4 e8 17 0f 81 e0 48 8b 3b 44 89 e9 48 c7 c2 40 e3 d5 a0 48 c7 c6 e0 e1 d5 a0 e8 fe dd fe ff <0f> 0b 0f b6 45 d4 e9 10 fe ff ff 48 83 c4 08 b8 01 00 00 00 5b 41
[ 308.140821] RSP: 0018:ffff88804f2bf1f0 EFLAGS: 00010282
[ 308.140826] RAX: 0000000000000000 RBX: ffff88805297c400 RCX: 0000000000000000
[ 308.140827] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffed1009e57df0
[ 308.140829] RBP: ffff88804f2bf220 R08: ffffed100b5c7341 R09: ffffed100b5c7341
[ 308.140831] R10: 0000000000000001 R11: ffffed100b5c7340 R12: 0000000000000006
[ 308.140832] R13: 0000000000000400 R14: ffff88804ca2b900 R15: 0000000000000200
[ 308.140835] FS: 00007f97763a0700(0000) GS:ffff88805ae00000(0000) knlGS:0000000000000000
[ 308.140836] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 308.140838] CR2: 00007f9779a15b04 CR3: 0000000058018006 CR4: 00000000003606f0
[ 308.140868] Call Trace:
[ 308.140892] f2fs_iget+0xe93/0x1ea0 [f2fs]
[ 308.140915] ? f2fs_inode_chksum_set+0x70/0x70 [f2fs]
[ 308.140937] ? f2fs_find_target_dentry+0x280/0x280 [f2fs]
[ 308.140961] ? __d_alloc+0x5c0/0x5c0
[ 308.140972] ? kasan_check_read+0x11/0x20
[ 308.140977] ? read_word_at_a_time+0x12/0x20
[ 308.140980] ? __d_lookup_rcu+0x2ee/0x4d0
[ 308.140983] ? d_alloc_parallel+0x5a1/0xbb0
[ 308.140986] ? memset+0x31/0x40
[ 308.140990] ? fscrypt_setup_filename+0x21e/0x4e0
[ 308.141012] ? f2fs_find_entry+0x112/0x120 [f2fs]
[ 308.141032] ? __f2fs_find_entry+0x830/0x830 [f2fs]
[ 308.141054] f2fs_lookup+0x48e/0x800 [f2fs]
[ 308.141076] ? __recover_dot_dentries+0x610/0x610 [f2fs]
[ 308.141086] ? lockref_put_or_lock+0x210/0x210
[ 308.141089] ? d_alloc_cursor+0x60/0x60
[ 308.141098] ? selinux_inode_permission+0x234/0x380
[ 308.141101] ? selinux_secmark_enabled.part.13+0xb0/0xb0
[ 308.141111] ? rcu_cleanup_dead_rnp+0xa0/0xa0
[ 308.141114] ? legitimize_path.isra.28+0x61/0xa0
[ 308.141118] __lookup_slow+0x13a/0x250
[ 308.141120] ? vfs_rmdir+0x1e0/0x1e0
[ 308.141123] ? try_lookup_one_len+0x160/0x160
[ 308.141126] lookup_slow+0x44/0x60
[ 308.141129] walk_component+0x4b4/0x7d0
[ 308.141131] ? walk_component+0x7d0/0x7d0
[ 308.141134] ? pick_link+0x400/0x400
[ 308.141143] ? __save_stack_trace+0x92/0x100
[ 308.141147] path_lookupat+0x126/0x630
[ 308.141150] ? user_path_at_empty+0x23/0x40
[ 308.141153] ? vfs_statx+0xc3/0x150
[ 308.141155] ? __do_sys_newlstat+0x85/0xe0
[ 308.141158] ? __x64_sys_newlstat+0x31/0x40
[ 308.141160] ? path_parentat+0xa0/0xa0
[ 308.141163] ? kasan_check_read+0x11/0x20
[ 308.141172] ? __virt_addr_valid+0xaf/0x100
[ 308.141177] ? __check_object_size+0x282/0x380
[ 308.141180] ? usercopy_abort+0x80/0x80
[ 308.141183] filename_lookup+0x173/0x2e0
[ 308.141186] ? filename_parentat+0x300/0x300
[ 308.141192] ? digsig_verify+0xbb0/0xbb0
[ 308.141195] ? kasan_slab_alloc+0x11/0x20
[ 308.141199] user_path_at_empty+0x36/0x40
[ 308.141201] ? user_path_at_empty+0x36/0x40
[ 308.141204] vfs_statx+0xc3/0x150
[ 308.141207] ? vfs_statx_fd+0x80/0x80
[ 308.141210] ? kasan_check_write+0x14/0x20
[ 308.141214] __do_sys_newlstat+0x85/0xe0
[ 308.141217] ? __ia32_sys_newstat+0x40/0x40
[ 308.141219] ? kasan_check_write+0x14/0x20
[ 308.141221] ? fput+0x1d/0xc0
[ 308.141228] ? exit_to_usermode_loop+0xf3/0x240
[ 308.141231] ? trace_event_raw_event_sys_exit+0x170/0x170
[ 308.141235] __x64_sys_newlstat+0x31/0x40
[ 308.141239] do_syscall_64+0x133/0x300
[ 308.141242] ? syscall_return_slowpath+0x200/0x200
[ 308.141245] ? do_page_fault+0x9a/0x270
[ 308.141248] ? __do_page_fault+0x600/0x600
[ 308.141251] ? prepare_exit_to_usermode+0xf8/0x170
[ 308.141254] ? perf_trace_sys_enter+0x500/0x500
[ 308.141260] ? calculate_sigpending+0x48/0x70
[ 308.141273] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 308.141275] RIP: 0033:0x7f9778a00815
[ 308.141278] Code: 79 b6 2d 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 41 b6 2d 00 f7 d8 64 89
[ 308.141280] RSP: 002b:00007f977639fac8 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
[ 308.141282] RAX: ffffffffffffffda RBX: 00007f97600013b0 RCX: 00007f9778a00815
[ 308.141284] RDX: 00007f977639fb30 RSI: 00007f977639fb30 RDI: 00007f976801b800
[ 308.141286] RBP: 00007f9768003550 R08: 0000000000100006 R09: 00007f977639fcb0
[ 308.141287] R10: 0000000000000020 R11: 0000000000000246 R12: 00007f976801b800
[ 308.141289] R13: 00007f977639fcb0 R14: 00007f976801b800 R15: 00007f976801f1b0
[ 308.141292] ---[ end trace 3020c56b82c76c66 ]---
[ 311.931175] F2FS-fs (loop16): access invalid blkaddr:1024
[ 311.931214] WARNING: CPU: 1 PID: 4610 at fs/f2fs/checkpoint.c:160 f2fs_is_valid_blkaddr+0x262/0x350 [f2fs]
[ 311.931215] Modules linked in: f2fs crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport aesni_intel ac97_bus vmw_vsock_vmci_transport vsock snd_pcm vmw_balloon aes_x86_64 crypto_simd cryptd glue_helper intel_rapl_perf snd_seq_midi snd_seq_midi_event joydev input_leds snd_rawmidi serio_raw snd_seq snd_seq_device vmwgfx snd_timer ttm drm_kms_helper snd drm soundcore fb_sys_fops syscopyarea vmw_vmci sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic psmouse mptspi mptscsih ahci mptbase e1000 i2c_piix4 scsi_transport_spi libahci pata_acpi usbhid hid
[ 311.931251] CPU: 1 PID: 4610 Comm: poc Tainted: G B W 5.0.0-rc7-custom #1
[ 311.931253] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[ 311.931271] RIP: 0010:f2fs_is_valid_blkaddr+0x262/0x350 [f2fs]
[ 311.931273] Code: 0f 85 3f fe ff ff 48 89 df 88 45 d4 e8 17 0f 81 e0 48 8b 3b 44 89 e9 48 c7 c2 40 e3 d5 a0 48 c7 c6 e0 e1 d5 a0 e8 fe dd fe ff <0f> 0b 0f b6 45 d4 e9 10 fe ff ff 48 83 c4 08 b8 01 00 00 00 5b 41
[ 311.931275] RSP: 0018:ffff888032fdf2e0 EFLAGS: 00010286
[ 311.931277] RAX: 0000000000000000 RBX: ffff88805297c400 RCX: 0000000000000000
[ 311.931278] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffed10065fbe10
[ 311.931279] RBP: ffff888032fdf310 R08: ffffed100b5d7341 R09: ffffed100b5d7341
[ 311.931281] R10: 0000000000000001 R11: ffffed100b5d7340 R12: 0000000000000006
[ 311.931282] R13: 0000000000000400 R14: ffff88804ca2b900 R15: 0000000000000200
[ 311.931284] FS: 00007f62eb5de500(0000) GS:ffff88805ae80000(0000) knlGS:0000000000000000
[ 311.931285] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 311.931287] CR2: 000055a1b55b0008 CR3: 0000000058038005 CR4: 00000000003606e0
[ 311.931313] Call Trace:
[ 311.931332] f2fs_iget+0xe93/0x1ea0 [f2fs]
[ 311.931351] ? f2fs_inode_chksum_set+0x70/0x70 [f2fs]
[ 311.931355] ? page_fault+0x1e/0x30
[ 311.931372] ? f2fs_find_target_dentry+0x280/0x280 [f2fs]
[ 311.931375] ? __d_alloc+0x5c0/0x5c0
[ 311.931378] ? kasan_check_read+0x11/0x20
[ 311.931380] ? read_word_at_a_time+0x12/0x20
[ 311.931382] ? __d_lookup_rcu+0x2ee/0x4d0
[ 311.931389] ? ftrace_ops_trampoline+0x11c/0x1a0
[ 311.931391] ? d_alloc_parallel+0x5a1/0xbb0
[ 311.931394] ? memset+0x31/0x40
[ 311.931397] ? fscrypt_setup_filename+0x21e/0x4e0
[ 311.931414] ? f2fs_find_entry+0x112/0x120 [f2fs]
[ 311.931450] ? __f2fs_find_entry+0x830/0x830 [f2fs]
[ 311.931471] f2fs_lookup+0x48e/0x800 [f2fs]
[ 311.931491] ? __recover_dot_dentries+0x610/0x610 [f2fs]
[ 311.931496] ? lockref_put_or_lock+0x210/0x210
[ 311.931499] ? __do_page_fault+0x35b/0x600
[ 311.931502] ? d_alloc_cursor+0x60/0x60
[ 311.931506] ? selinux_inode_permission+0x234/0x380
[ 311.931508] ? selinux_secmark_enabled.part.13+0xb0/0xb0
[ 311.931512] ? rcu_cleanup_dead_rnp+0xa0/0xa0
[ 311.931514] ? legitimize_path.isra.28+0x61/0xa0
[ 311.931517] __lookup_slow+0x13a/0x250
[ 311.931520] ? vfs_rmdir+0x1e0/0x1e0
[ 311.931522] ? try_lookup_one_len+0x160/0x160
[ 311.931539] lookup_slow+0x44/0x60
[ 311.931541] walk_component+0x4b4/0x7d0
[ 311.931543] ? walk_component+0x7d0/0x7d0
[ 311.931545] ? pick_link+0x400/0x400
[ 311.931548] ? __save_stack_trace+0x92/0x100
[ 311.931551] ? depot_save_stack+0x2e5/0x480
[ 311.931554] path_lookupat+0x126/0x630
[ 311.931556] ? getname_flags+0x6f/0x2b0
[ 311.931558] ? user_path_at_empty+0x23/0x40
[ 311.931561] ? path_listxattr+0xa4/0x130
[ 311.931564] ? __x64_sys_listxattr+0x48/0x50
[ 311.931566] ? path_parentat+0xa0/0xa0
[ 311.931569] ? __virt_addr_valid+0xaf/0x100
[ 311.931572] ? __check_object_size+0x282/0x380
[ 311.931574] ? usercopy_abort+0x80/0x80
[ 311.931577] filename_lookup+0x173/0x2e0
[ 311.931579] ? filename_parentat+0x300/0x300
[ 311.931595] ? digsig_verify+0xbb0/0xbb0
[ 311.931597] ? kasan_slab_alloc+0x11/0x20
[ 311.931600] user_path_at_empty+0x36/0x40
[ 311.931602] ? user_path_at_empty+0x36/0x40
[ 311.931603] path_listxattr+0xa4/0x130
[ 311.931605] ? listxattr+0xe0/0xe0
[ 311.931608] ? vmacache_update+0x73/0x90
[ 311.931610] __x64_sys_listxattr+0x48/0x50
[ 311.931613] do_syscall_64+0x133/0x300
[ 311.931615] ? syscall_return_slowpath+0x200/0x200
[ 311.931617] ? do_page_fault+0x9a/0x270
[ 311.931619] ? __do_page_fault+0x600/0x600
[ 311.931621] ? prepare_exit_to_usermode+0xf8/0x170
[ 311.931623] ? perf_trace_sys_enter+0x500/0x500
[ 311.931625] ? calculate_sigpending+0x48/0x70
[ 311.931628] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 311.931630] RIP: 0033:0x7f62eb0f9907
[ 311.931632] Code: f0 ff ff 73 01 c3 48 8b 0d 7e b5 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 51 b5 2c 00 f7 d8 64 89 01 48
[ 311.931633] RSP: 002b:00007ffebd5cee18 EFLAGS: 00000283 ORIG_RAX: 00000000000000c2
[ 311.931635] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f62eb0f9907
[ 311.931636] RDX: 0000000000000071 RSI: 00007ffebd5cee40 RDI: 000055a1b55b02d0
[ 311.931637] RBP: 00007ffebd5ceec0 R08: 00007ffebd5d0319 R09: 0000000000000000
[ 311.931638] R10: 000055a1b55b0010 R11: 0000000000000283 R12: 000055a1b53ae650
[ 311.931639] R13: 00007ffebd5cefc0 R14: 0000000000000000 R15: 0000000000000000
[ 311.931641] ---[ end trace 3020c56b82c76c67 ]---
Conclusion
Some operations (with a crafted f2fs filesystem image) can cause an out-of-bounds read in the ttm_put_pages function.
Discoverer
Team bobfuzzer
Acknowledgments
This project used a version of the filesystem fuzzer 'JANUS' (ported to the 5.0.21 and 5.3.14 Linux kernels), which was developed by the Georgia Tech Systems Software & Security Lab (SSLab).
Thank you for the excellent fuzzer and paper below.