CVE-2019-19039: CVE/CVE-2019-19039 at master · bobfuzzer/CVE

** DISPUTED ** __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issue as not being a vulnerability because “1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it’s really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.”

  • CVE-2019-19039
    • Target
    • Bug Type
    • Abstract
    • Reproduce
    • Details
      • Bug Causes
      • KASAN logs
    • Conclusion
    • Discoverer
    • Acknowledgments

Target

Linux Kernel 5.3.11 BTRFS FileSystem

Bug Type

Information Disclosure

Abstract

Some file operations performed after mounting a crafted Btrfs image trigger a kernel warning; the resulting register dump is readable by unprivileged users through the dmesg command.

Reproduce

```sh
gcc -o poc poc_2019_19039.c
mkdir mnt
mount poc_2019_19039.img ./mnt
cp poc ./mnt/
cd mnt
./poc
```

Details

Bug Causes

fs/btrfs/extent-tree.c:4582

```c
	}
	extent_slot = path->slots[0];
}

} else if (WARN_ON(ret == -ENOENT)) {          /* [1] */
	btrfs_print_leaf(path->nodes[0]);       /* [2] */
	btrfs_err(info,
		  "unable to find ref byte nr %llu parent %llu root %llu owner %llu offset %llu",
		  bytenr, parent, root_objectid, owner_objectid, owner_offset);
	btrfs_abort_transaction(trans, ret);
	goto out;
} else {
	btrfs_abort_transaction(trans, ret);
	goto out;
}
```

At [1] the local variable ret is -ENOENT, so the WARN_ON fires and writes the CPU register state to the kernel log.

At [2] the kernel then calls btrfs_print_leaf, which dumps the leaf contents. Both the register dump and the leaf dump are visible to unprivileged users through dmesg.

KASAN logs

[  163.913497] ------------[ cut here ]------------
[  163.913717] WARNING: CPU: 0 PID: 230 at fs/btrfs/extent-tree.c:4851 __btrfs_free_extent.isra.67+0x842/0xd60
[  163.913717] Modules linked in:
[  163.913717] CPU: 0 PID: 230 Comm: 212 Not tainted 5.3.11 #1
[  163.913717] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  163.913717] RIP: 0010:__btrfs_free_extent.isra.67+0x842/0xd60
[  163.913717] Code: 41 89 c5 e9 f5 fa ff ff 4c 89 ff e8 88 52 d5 ff 8b 4b 40 41 b8 01 00 00 00 e9 9b fe ff ff 48 c7 c7 c0 47 b3 82 e8 02 00 ba ff <0f> 0b 48 89 df e8 64 53 d5 ff 48 8b 3b e8 ac 4e 00 00 41 57 4c 8b
[  163.913717] RSP: 0018:ffff888064fa7830 EFLAGS: 00000282
[  163.913717] RAX: 0000000000000024 RBX: ffff88806a5508f0 RCX: 0000000000000000
[  163.913717] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed100c9f4efc
[  163.913717] RBP: 0000000000000000 R08: ffffed100da85c5b R09: ffffed100da85c5b
[  163.913717] R10: 0000000000000001 R11: ffffed100da85c5a R12: 0000000000000001
[  163.913717] R13: 00000000fffffffe R14: 0000000001c0e000 R15: 0000000000000000
[  163.913717] FS:  00007f2aa6738440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[  163.913717] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  163.913717] CR2: 00007efd5b25b3f0 CR3: 000000006a9a0000 CR4: 00000000000006f0
[  163.913717] Call Trace:
[  163.913717]  ? update_block_group+0x730/0x730
[  163.913717]  ? _raw_write_lock+0xe0/0xe0
[  163.913717]  ? _raw_spin_lock+0x7f/0xe0
[  163.913717]  ? _raw_spin_lock+0x7f/0xe0
[  163.913717]  ? _raw_write_lock+0xe0/0xe0
[  163.913717]  ? apic_timer_interrupt+0xa/0x20
[  163.913717]  __btrfs_run_delayed_refs+0xd96/0x1ba0
[  163.913717]  ? btrfs_trans_release_chunk_metadata+0x15/0x70
[  163.913717]  ? alloc_reserved_file_extent+0x470/0x470
[  163.913717]  ? btrfs_create_pending_block_groups+0x250/0x350
[  163.913717]  ? btrfs_free_block_groups+0x420/0x420
[  163.913717]  ? free_log_tree+0x136/0x1b0
[  163.913717]  ? kfree+0x98/0x200
[  163.913717]  ? mutex_lock+0x93/0xf0
[  163.913717]  ? __mutex_lock_slowpath+0x10/0x10
[  163.913717]  ? _raw_write_lock+0xe0/0xe0
[  163.913717]  btrfs_run_delayed_refs+0x120/0x200
[  163.913717]  btrfs_commit_transaction+0x7da/0x1100
[  163.913717]  ? apic_timer_interrupt+0xa/0x20
[  163.913717]  ? apic_timer_interrupt+0xa/0x20
[  163.913717]  ? btrfs_apply_pending_changes+0x80/0x80
[  163.913717]  ? up_write+0x33/0x50
[  163.913717]  btrfs_sync_file+0x71c/0x767
[  163.913717]  ? btrfs_file_write_iter+0x9e0/0x9e0
[  163.913717]  ? neigh_stat_seq_next+0x20/0xf0
[  163.913717]  ? __fsnotify_update_child_dentry_flags.part.3+0x170/0x170
[  163.913717]  ? switch_fpu_return+0xfe/0x1f0
[  163.913717]  ? do_fsync+0x33/0x60
[  163.913717]  ? btrfs_file_write_iter+0x9e0/0x9e0
[  163.913717]  do_fsync+0x33/0x60
[  163.913717]  __x64_sys_fsync+0x18/0x20
[  163.913717]  do_syscall_64+0x5e/0x190
[  163.913717]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  163.913717] RIP: 0033:0x7f2aa625f469
[  163.913717] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
[  163.913717] RSP: 002b:00007fff6a124458 EFLAGS: 00000203 ORIG_RAX: 000000000000004a
[  163.913717] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2aa625f469
[  163.913717] RDX: 00007f2aa625f469 RSI: 0000000000001011 RDI: 0000000000000004
[  163.913717] RBP: 00007fff6a128650 R08: 00007fff6a128738 R09: 00007fff6a128738
[  163.913717] R10: 00007fff6a128738 R11: 0000000000000203 R12: 0000557610f695d0
[  163.913717] R13: 00007fff6a128730 R14: 0000000000000000 R15: 0000000000000000
[  163.913717] ---[ end trace 91cdd991a622b34f ]---
[  163.947792] BTRFS info (device loop0): leaf 29401088 gen 9 total ptrs 15 free space 3132 owner 2
[  163.951632]  item 0 key (12582912 168 8192) itemoff 3942 itemsize 53
[  163.955430]      extent refs 1 gen 9 flags 1
[  163.957530]      ref#0: extent data backref root 5 objectid 266 offset 4096 count 1
[  163.959760]  item 1 key (12582912 192 8388608) itemoff 3918 itemsize 24
[  163.962038]      block group used 8192 chunk_objectid 256 flags 1
[  163.964083]  item 2 key (20971520 192 8388608) itemoff 3894 itemsize 24
[  163.964379]      block group used 4096 chunk_objectid 256 flags 34
[  163.966527]  item 3 key (20975616 169 0) itemoff 3861 itemsize 33
[  163.967329]      extent refs 1 gen 5 flags 2
[  163.968213]      ref#0: tree block backref root 3
[  163.968675]  item 4 key (29360128 169 0) itemoff 3828 itemsize 33
[  163.968841]      extent refs 1 gen 9 flags 2
[  163.968841]      ref#0: tree block backref root 5
[  163.968841]  item 5 key (29360128 192 33554432) itemoff 3804 itemsize 24
[  163.968841]      block group used 36864 chunk_objectid 256 flags 36
[  163.968841]  item 6 key (29364224 169 0) itemoff 3771 itemsize 33
[  163.972379]      extent refs 1 gen 6 flags 2
[  163.973960]      ref#0: tree block backref root 9
[  163.974633]  item 7 key (29380608 169 0) itemoff 3738 itemsize 33
[  163.976881]      extent refs 1 gen 4 flags 2
[  163.977202]      ref#0: tree block backref root 18446744073709551607
[  163.977639]  item 8 key (29384704 169 1) itemoff 3705 itemsize 33
[  163.979380]      extent refs 1 gen 9 flags 2
[  163.979816]      ref#0: tree block backref root 5
[  163.980999]  item 9 key (29388800 169 0) itemoff 3672 itemsize 33
[  163.983435]      extent refs 1 gen 9 flags 2
[  163.985948]      ref#0: tree block backref root 5
[  163.986373]  item 10 key (29392896 169 0) itemoff 3639 itemsize 33
[  163.986714]      extent refs 1 gen 9 flags 2
[  163.987903]      ref#0: tree block backref root 7
[  163.988354]  item 11 key (29396992 169 0) itemoff 3606 itemsize 33
[  163.988727]      extent refs 1 gen 6 flags 2
[  163.991042]      ref#0: tree block backref root 4
[  163.994935]  item 12 key (29401088 169 0) itemoff 3573 itemsize 33
[  163.995663]      extent refs 1 gen 9 flags 2
[  163.997572]      ref#0: tree block backref root 2
[  163.999348]  item 13 key (29405184 169 0) itemoff 3540 itemsize 33
[  164.000127]      extent refs 1 gen 9 flags 2
[  164.003544]      ref#0: tree block backref root 1
[  164.006135]  item 14 key (29417472 0 32) itemoff 3507 itemsize 33
[  164.009739] BTRFS error (device loop0): unable to find ref byte nr 29417472 parent 0 root 1  owner 0 offset 0
[  164.013356] ------------[ cut here ]------------
[  164.015651] WARNING: CPU: 0 PID: 230 at fs/btrfs/extent-tree.c:4857 __btrfs_free_extent.isra.67+0x8b7/0xd60
[  164.015971] Modules linked in:
[  164.015971] CPU: 0 PID: 230 Comm: 212 Tainted: G        W         5.3.11 #1
[  164.015971] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  164.015971] RIP: 0010:__btrfs_free_extent.isra.67+0x8b7/0xd60
[  164.015971] Code: 48 8d bd b8 0c 00 00 e8 97 31 d5 ff 5e f0 48 0f ba ad b8 0c 00 00 02 72 13 be fe ff ff ff 48 c7 c7 a0 49 b3 82 e8 49 f7 b0 ff <0f> 0b 48 8b 7c 24 10 b9 fe ff ff ff ba f9 12 00 00 48 c7 c6 c0 5c
[  164.015971] RSP: 0018:ffff888064fa7830 EFLAGS: 00000286
[  164.015971] RAX: 0000000000000000 RBX: ffff88806a5508f0 RCX: ffffffff8121013e
[  164.015971] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806d41f4b0
[  164.015971] RBP: ffff888067eb8000 R08: ffffed100da83e97 R09: ffffed100da83e97
[  164.015971] R10: 0000000000000001 R11: ffffed100da83e96 R12: 0000000000000001
[  164.015971] R13: 00000000fffffffe R14: 0000000001c0e000 R15: 0000000000000000
[  164.015971] FS:  00007f2aa6738440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[  164.015971] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  164.015971] CR2: 00007efd5b25b3f0 CR3: 000000006a9a0000 CR4: 00000000000006f0
[  164.015971] Call Trace:
[  164.015971]  ? update_block_group+0x730/0x730
[  164.015971]  ? _raw_write_lock+0xe0/0xe0
[  164.015971]  ? _raw_spin_lock+0x7f/0xe0
[  164.015971]  ? _raw_spin_lock+0x7f/0xe0
[  164.015971]  ? _raw_write_lock+0xe0/0xe0
[  164.015971]  ? apic_timer_interrupt+0xa/0x20
[  164.015971]  __btrfs_run_delayed_refs+0xd96/0x1ba0
[  164.015971]  ? btrfs_trans_release_chunk_metadata+0x15/0x70
[  164.015971]  ? alloc_reserved_file_extent+0x470/0x470
[  164.015971]  ? btrfs_create_pending_block_groups+0x250/0x350
[  164.015971]  ? btrfs_free_block_groups+0x420/0x420
[  164.015971]  ? free_log_tree+0x136/0x1b0
[  164.015971]  ? kfree+0x98/0x200
[  164.015971]  ? mutex_lock+0x93/0xf0
[  164.015971]  ? __mutex_lock_slowpath+0x10/0x10
[  164.015971]  ? _raw_write_lock+0xe0/0xe0
[  164.015971]  btrfs_run_delayed_refs+0x120/0x200
[  164.015971]  btrfs_commit_transaction+0x7da/0x1100
[  164.015971]  ? apic_timer_interrupt+0xa/0x20
[  164.015971]  ? apic_timer_interrupt+0xa/0x20
[  164.015971]  ? btrfs_apply_pending_changes+0x80/0x80
[  164.015971]  ? up_write+0x33/0x50
[  164.015971]  btrfs_sync_file+0x71c/0x767
[  164.015971]  ? btrfs_file_write_iter+0x9e0/0x9e0
[  164.015971]  ? neigh_stat_seq_next+0x20/0xf0
[  164.015971]  ? __fsnotify_update_child_dentry_flags.part.3+0x170/0x170
[  164.015971]  ? switch_fpu_return+0xfe/0x1f0
[  164.015971]  ? do_fsync+0x33/0x60
[  164.015971]  ? btrfs_file_write_iter+0x9e0/0x9e0
[  164.015971]  do_fsync+0x33/0x60
[  164.015971]  __x64_sys_fsync+0x18/0x20
[  164.015971]  do_syscall_64+0x5e/0x190
[  164.015971]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  164.015971] RIP: 0033:0x7f2aa625f469
[  164.015971] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
[  164.015971] RSP: 002b:00007fff6a124458 EFLAGS: 00000203 ORIG_RAX: 000000000000004a
[  164.015971] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2aa625f469
[  164.015971] RDX: 00007f2aa625f469 RSI: 0000000000001011 RDI: 0000000000000004
[  164.015971] RBP: 00007fff6a128650 R08: 00007fff6a128738 R09: 00007fff6a128738
[  164.015971] R10: 00007fff6a128738 R11: 0000000000000203 R12: 0000557610f695d0
[  164.015971] R13: 00007fff6a128730 R14: 0000000000000000 R15: 0000000000000000
[  164.015971] ---[ end trace 91cdd991a622b350 ]---
[  164.050349] BTRFS: error (device loop0) in __btrfs_free_extent:4857: errno=-2 No such entry
[  164.053543] BTRFS info (device loop0): forced readonly
[  164.058698] BTRFS: error (device loop0) in btrfs_run_delayed_refs:2795: errno=-2 No such entry
[  164.063746] BTRFS warning (device loop0): Skipping commit of aborted transaction.
[  164.066320] BTRFS: error (device loop0) in cleanup_transaction:1826: errno=-2 No such entry

Conclusion

Mounting a crafted Btrfs image leaks register values: any user who can run the dmesg command sees the register dump.

This lets an attacker read register values (kernel base, heap base, GS, CR registers, etc.) that can be combined with another vulnerability during exploitation.
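From the defender's side, the same register dump is a detectable artifact. The following added example (not part of the original report) scans dmesg text for WARN traces and reports which register values fall inside kernel address ranges, using a constructed excerpt of the trace quoted above; the region boundaries assume the default 4-level x86-64 layout without KASLR.

```python
import re

# Constructed excerpt of the first WARNING trace quoted in this report (leaf dump and second trace omitted).
SAMPLE_DMESG = """\
[  163.913497] ------------[ cut here ]------------
[  163.913717] WARNING: CPU: 0 PID: 230 at fs/btrfs/extent-tree.c:4851 __btrfs_free_extent.isra.67+0x842/0xd60
[  163.913717] RIP: 0010:__btrfs_free_extent.isra.67+0x842/0xd60
[  163.913717] RSP: 0018:ffff888064fa7830 EFLAGS: 00000282
[  163.913717] RAX: 0000000000000024 RBX: ffff88806a5508f0 RCX: 0000000000000000
[  163.913717] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffed100c9f4efc
[  163.913717] FS:  00007f2aa6738440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[  163.913717] CR2: 00007efd5b25b3f0 CR3: 000000006a9a0000 CR4: 00000000000006f0
[  163.913717] ---[ end trace 91cdd991a622b34f ]---
"""

WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at (\S+) (\S+)")
# "NAME: value" pairs; the optional 4-digit prefix is the segment selector on RSP/RIP lines.
REG_RE = re.compile(r"\b([A-Za-z]{1,5}[0-9]{0,2}):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")

# Default (non-KASLR) 4-level layout from Documentation/x86/x86_64/mm.rst; KASLR moves the bases.
def classify(value):
    """Name the kernel address region a 64-bit register value falls in, or None."""
    if value >= 0xffffffff80000000:
        return "kernel text/modules"
    if 0xffffec0000000000 <= value < 0xfffffc0000000000:
        return "kasan shadow"
    if 0xffff888000000000 <= value < 0xffffc88000000000:
        return "direct map (heap/stack)"
    if value >= 0xffff800000000000:
        return "other kernel address"
    return None  # user pointer, physical address (CR3) or plain scalar

def scan_dmesg(text):
    """One record per WARN trace: where it fired and which registers expose kernel addresses."""
    traces, current = [], None
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if m:
            current = {"location": m.group(1), "symbol": m.group(2), "leaks": {}}
            traces.append(current)
        elif current is not None and "end trace" in line:
            current = None
        elif current is not None:
            for name, hexval in REG_RE.findall(line):
                region = classify(int(hexval, 16))
                if region:
                    current["leaks"][name] = (hexval, region)
    return traces

if __name__ == "__main__":
    for t in scan_dmesg(SAMPLE_DMESG):
        print(f"WARN at {t['location']} ({t['symbol']}): {t['leaks']}")
```

On a live system, feed it `dmesg` output as the unprivileged user would see it; an empty result with kernel.dmesg_restrict=1 confirms the mitigation the BTRFS team points to.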

Discoverer

Team bobfuzzer

Acknowledgments

This project used a version of the filesystem fuzzer JANUS, developed by the Georgia Tech Systems Software & Security Lab (SSLab), ported to the 5.0.21 and 5.3.14 Linux kernels.

Thank you for the excellent fuzzer and paper below.

  • sslab-gatech/janus
  • Fuzzing File Systems via Two-Dimensional Input Space Exploration (IEEE S&P 2019)
