oss-sec mailing list archives
Re: CVE-2020-27815 Linux kernel: jfs: array-index-out-of-bounds in dbAdjTree
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Mon, 28 Dec 2020 16:14:59 +0800
Patch for this issue : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61b3e4839007668360ed8b87d7da96d2e59fc6c Regards. butt3rflyh4ck. On Tue, Dec 1, 2020 at 1:50 AM butt3rflyh4ck <butterflyhuangxx () gmail com> wrote:
Hello, I report an array-index-out-of-bounds bugs in fs/jfs/jfs_dmap.c in dbAdjTree and reproduce it in Linux kernel 5.9.6 version. Description: In the Linux kernel through 5.9.6, there is a array-index-out-of-bounds in fs/jfs/jfs_dmap.c in dbAdjTree and it may cause out of bounds read and Denial of Service. Root Cause: the dmtree_t is that typedef union dmtree { struct dmaptree t1; struct dmapctl t2; } dmtree_t; the dmaptree is that struct dmaptree { __le32 nleafs; /* 4: number of tree leafs */ __le32 l2nleafs; /* 4: l2 number of tree leafs */ __le32 leafidx; /* 4: index of first tree leaf */ __le32 height; /* 4: height of the tree */ s8 budmin; /* 1: min l2 tree leaf value to combine */ s8 stree[TREESIZE]; /* TREESIZE: tree */ u8 pad[2]; /* 2: pad to word boundary */ };the TREESIZE is totally 341. the dmapctl is that: struct dmapctl { __le32 nleafs; /* 4: number of tree leafs */ __le32 l2nleafs; /* 4: l2 number of tree leafs */ __le32 leafidx; /* 4: index of the first tree leaf */ __le32 height; /* 4: height of tree */ s8 budmin; /* 1: minimum l2 tree leaf value */ s8 stree[CTLTREESIZE]; /* CTLTREESIZE: dmapctl tree */ u8 pad[2714]; /* 2714: pad to 4096 */ }; /* - 4096 - */ the CTLTREESIZE is totally 1365. The dmt_stree was used in dbAdjTree. Since dmt_stree can refer to the stree in both structures dmaptree and dmapctl. the stree size is not consistent, may it cause index out of range. CVE assigned : CVE-2020-27815 Patch: It's in linux-next now, not available in upstream. Credit: This issue was discovered by the ADLab of venustech. Regards. butt3rflyh4ck.
Current thread:
- CVE-2020-27815 Linux kernel: jfs: array-index-out-of-bounds in dbAdjTree butt3rflyh4ck (Nov 30)
- Re: CVE-2020-27815 Linux kernel: jfs: array-index-out-of-bounds in dbAdjTree butt3rflyh4ck (Dec 28)