xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bb0e3c7b6574cd4862988b23ee6fe5ceb1650b96
android_kernel_xiaomi_sm8450/fs/ext4
History
Ye Bin c83ab50b6e BACKPORT: ext4: fix use-after-free in ext4_rename_dir_prepare 
commit 0be698ecbe4471fcad80e81ec6a05001421041b3 upstream.

We got issue as follows:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
==================================================================
BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
Read of size 4 at addr ffff88810beee6ae by task rep/1895

CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
Call Trace:
 dump_stack+0xbe/0xf9
 print_address_description.constprop.0+0x1e/0x220
 kasan_report.cold+0x37/0x7f
 ext4_rename_dir_prepare+0x152/0x220
 ext4_rename+0xf44/0x1ad0
 ext4_rename2+0x11c/0x170
 vfs_rename+0xa84/0x1440
 do_renameat2+0x683/0x8f0
 __x64_sys_renameat+0x53/0x60
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f45a6fc41c9
RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                  ^
 ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
ext4_rename_dir_prepare: [3] dir=0xffff888124170140
ext4_rename_dir_prepare: [4] ino=2
ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872

Reason is first directory entry which 'rec_len' is 34478, then will get illegal
parent entry. Now, we do not check directory entry after read directory block
in 'ext4_get_first_dir_block'.
To solve this issue, check directory entry in 'ext4_get_first_dir_block'.

[ Trigger an ext4_error() instead of just warning if the directory is
  missing a '.' or '..' entry.   Also make sure we return an error code
  if the file system is corrupted.  -TYT ]

Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ta: Adapt patch to cope with the android specific changes introduced in
commit 705a3e5b18 ("ANDROID: ext4: Handle casefolding with encryption").
Pass zero value for lblk when calling ext4_check_dir_entry().]
Cc: Daniel Rosenberg <drosen@google.com>
Reported-and-tested-by: syzbot+a07b88e6427ec1c97aa5@syzkaller.appspotmail.com
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Change-Id: I9d4218ffa0ddae2aa75aa4755221ef7f856b04e9
2023-01-13 08:55:46 +00:00
..
acl.c
ext4: main fast-commit commit path
2020-10-21 23:22:37 -04:00
acl.h
balloc.c
ext4: shrink race window in ext4_should_retry_alloc()
2021-04-07 15:00:03 +02:00
bitmap.c
block_validity.c
ext4: rename system_blks to s_system_blks inside ext4_sb_info
2020-10-18 10:36:59 -04:00
dir.c
Merge 5.10.71 into android12-5.10-lts
2021-10-06 17:33:06 +02:00
ext4_extents.h
ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
2020-06-03 23:16:49 -04:00
ext4_jbd2.c
ext4: fix null-ptr-deref in '__ext4_journal_ensure_credits'
2022-01-27 10:54:28 +01:00
ext4_jbd2.h
ext4: drop ext4_journal_free_reserved()
2020-06-03 23:16:53 -04:00
ext4.h
Merge 5.10.121 into android12-5.10-lts
2022-07-23 16:10:22 +02:00
extents_status.c
ext4: remove check for zero nr_to_scan in ext4_es_scan()
2021-07-14 16:55:41 +02:00
extents_status.h
ext4: fix extent_status trace points
2020-01-25 02:03:03 -05:00
extents.c
ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
2022-09-28 11:10:41 +02:00
fast_commit.c
ext4: fix incorrect type issue during replay_del_range
2022-02-08 18:30:41 +01:00
fast_commit.h
ext4: fix fast commit alignment issues
2021-06-10 13:39:26 +02:00
file.c
Merge 5.10.36 into android12-5.10
2021-05-13 14:22:11 +02:00
fsmap.c
Revert "treewide: Change list_sort to use const pointers"
2021-10-04 11:07:40 +02:00
fsmap.h
fsync.c
ext4: make s_mount_flags modifications atomic
2020-11-06 23:01:05 -05:00
hash.c
ANDROID: ext4: fix encrypt+casefold support
2020-11-11 18:43:09 +00:00
ialloc.c
Merge 5.10.146 into android12-5.10-lts
2022-09-29 17:06:30 +02:00
indirect.c
ext4: use ext4_sb_bread() instead of sb_bread()
2020-10-18 10:37:14 -04:00
inline.c
Merge 5.10.137 into android12-5.10-lts
2022-08-29 16:53:14 +02:00
inode-test.c
kunit: allow kunit tests to be loaded as a module
2020-01-09 16:42:29 -07:00
inode.c
Merge 5.10.137 into android12-5.10-lts
2022-08-29 16:53:14 +02:00
ioctl.c
Merge 5.10.94 into android12-5.10-lts
2022-01-27 11:49:22 +01:00
Kconfig
ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it
2021-03-04 11:38:15 +01:00
Makefile
ext4 / jbd2: add fast commit initialization
2020-10-21 23:22:26 -04:00
mballoc.c
ext4: limit the number of retries after discarding preallocations blocks
2022-09-28 11:10:41 +02:00
mballoc.h
ext4: limit the length of per-inode prealloc list
2020-08-19 12:04:36 -04:00
migrate.c
ext4: recover csum seed of tmp_inode after migrating to extents
2022-08-21 15:16:03 +02:00
mmp.c
ext4: fix possible UAF when remounting r/o a mmp-protected file system
2021-11-02 19:48:18 +01:00
move_extent.c
ext4: use common helpers in all places reading metadata buffers
2020-10-18 10:37:14 -04:00
namei.c
BACKPORT: ext4: fix use-after-free in ext4_rename_dir_prepare
2023-01-13 08:55:46 +00:00
page-io.c
ext4: fix symlink file size not match to file content
2022-04-27 13:53:56 +02:00
readpage.c
Merge 5.9-rc2 into android-mainline
2020-08-24 10:01:23 +02:00
resize.c
ext4: avoid resizing to a partial cluster size
2022-08-25 11:38:18 +02:00
super.c
Merge 5.10.121 into android12-5.10-lts
2022-07-23 16:10:22 +02:00
symlink.c
ext4: report correct st_size for encrypted symlinks
2021-09-08 08:48:59 +02:00
sysfs.c
ext4: shrink race window in ext4_should_retry_alloc()
2021-04-07 15:00:03 +02:00
truncate.h
verity.c
BACKPORT: ext4,f2fs: fix readahead of verity data
2022-11-15 01:01:46 +00:00
xattr_hurd.c
Merge 5.8-rc2 into android-mainline
2020-06-27 09:48:57 +02:00
xattr_security.c
FROMLIST: Add flags option to get xattr method paired to __vfs_getxattr
2019-11-05 13:50:57 -08:00
xattr_trusted.c
FROMLIST: Add flags option to get xattr method paired to __vfs_getxattr
2019-11-05 13:50:57 -08:00
xattr_user.c
FROMLIST: Add flags option to get xattr method paired to __vfs_getxattr
2019-11-05 13:50:57 -08:00
xattr.c
ext4: fix use-after-free in ext4_xattr_set_entry
2022-08-21 15:16:23 +02:00
xattr.h
ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
2022-08-21 15:16:23 +02:00