'[oss-security] CVE-2020-27815 Linux kernel: jfs: array-index-out-of-bounds in dbAdjTree'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2020-27815 Linux kernel: jfs: array-index-out-of-bounds in dbAdjTree
From:       butt3rflyh4ck <butterflyhuangxx () gmail ! com>
Date:       2020-11-30 17:50:50
Message-ID: CAFcO6XMCxbHjiHFWUoFW5jcwfOrgz3atyW_MfHaQ4Akv6XF4jw () mail ! gmail ! com
[Download RAW message or body]

Hello,

I report an array-index-out-of-bounds bugs in fs/jfs/jfs_dmap.c in
dbAdjTree and reproduce it in Linux kernel 5.9.6 version.

Description:

In the Linux kernel through 5.9.6, there is a
array-index-out-of-bounds in fs/jfs/jfs_dmap.c in dbAdjTree and it may
cause out of bounds read and Denial of Service.

Root Cause:

the dmtree_t is that
 typedef union dmtree {
 struct dmaptree t1;
 struct dmapctl t2;
} dmtree_t;

 the dmaptree is that
  struct dmaptree {
  __le32 nleafs; /* 4: number of tree leafs */
  __le32 l2nleafs; /* 4: l2 number of tree leafs */
  __le32 leafidx; /* 4: index of first tree leaf */
  __le32 height; /* 4: height of the tree */
  s8 budmin; /* 1: min l2 tree leaf value to combine */
  s8 stree[TREESIZE]; /* TREESIZE: tree */
  u8 pad[2]; /* 2: pad to word boundary */
 };the TREESIZE is totally 341.

the dmapctl is that:
struct dmapctl {
__le32 nleafs; /* 4: number of tree leafs */
__le32 l2nleafs; /* 4: l2 number of tree leafs */
__le32 leafidx; /* 4: index of the first tree leaf */
__le32 height; /* 4: height of tree */
s8 budmin; /* 1: minimum l2 tree leaf value */
s8 stree[CTLTREESIZE]; /* CTLTREESIZE: dmapctl tree */
u8 pad[2714]; /* 2714: pad to 4096 */
}; /* - 4096 - */
the CTLTREESIZE is totally 1365.
The dmt_stree was used in dbAdjTree. Since dmt_stree can refer to the
stree in both structures dmaptree and dmapctl. the stree size is not
consistent, may it cause index out of range.

CVE assigned :
CVE-2020-27815

Patch:
It's in linux-next now, not available in upstream.

Credit:
This issue was discovered by the ADLab of venustech.

Regards.
 butt3rflyh4ck.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic