* [PATCH] Btrfs: fix out of bounds array access while reading extent buffer
@ 2017-08-07 19:39 Liu Bo
2017-08-08 8:47 ` Filipe Manana
` (3 more replies)
0 siblings, 4 replies; 14+ messages in thread
From: Liu Bo @ 2017-08-07 19:39 UTC (permalink / raw)
To: linux-btrfs
There is a cornel case that slip through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len),
then
a) map_private_extent_buffer() returns immediately because
it's thinking the range spans across two pages,
b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
and WARN_ON(start + len > eb->start + eb->len), both are OK in this
corner case, but it'd actually try to access the eb->pages out of
bounds because of (start + len > eb->len).
The case is found by switching extent inline ref type from shared data
ref to non-shared data ref.
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection', before it's too late.
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
---
fs/btrfs/extent_io.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 0aff9b2..d198e87 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
char *dst = (char *)dstv;
size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
+ unsigned long num_pages = num_extent_pages(eb->start, eb->len);
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = (start_offset + start) & (PAGE_SIZE - 1);
while (len > 0) {
+ ASSERT(i < num_pages);
page = eb->pages[i];
cur = min(len, (PAGE_SIZE - offset));
@@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
unsigned long end_i = (start_offset + start + min_len - 1) >>
PAGE_SHIFT;
+ if (start + min_len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, min_len);
+ return -EINVAL;
+ }
+
if (i != end_i)
return 1;
@@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
*map_start = ((u64)i << PAGE_SHIFT) - start_offset;
}
- if (start + min_len > eb->len) {
- WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
- eb->start, eb->len, start, min_len);
- return -EINVAL;
- }
-
p = eb->pages[i];
kaddr = page_address(p);
*map = kaddr + offset;
--
2.9.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
@ 2017-08-08 8:47 ` Filipe Manana
2017-08-08 17:05 ` Liu Bo
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
` (2 subsequent siblings)
3 siblings, 1 reply; 14+ messages in thread
From: Filipe Manana @ 2017-08-08 8:47 UTC (permalink / raw)
To: Liu Bo; +Cc: linux-btrfs
On Mon, Aug 7, 2017 at 8:39 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> There is a cornel case that slip through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len),
> then
>
> a) map_private_extent_buffer() returns immediately because
> it's thinking the range spans across two pages,
>
> b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> corner case, but it'd actually try to access the eb->pages out of
> bounds because of (start + len > eb->len).
>
> The case is found by switching extent inline ref type from shared data
> ref to non-shared data ref.
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection', before it's too late.
Hi Bo,
I don't understand these 2 last paragraphs.
How do you fix the invalid memory access? All the change does is make
sure that attempts to read from invalid regions of an extent buffer
result in a warning and returning an error code. Those paragraphs give
the idea that the problem is that some caller is passing a wrong
offset/length pair, however you aren't fixing any caller. can you
clarify?
Also when you say " The case is found by switching extent inline ref
type from shared data ref to non-shared data ref", it gives the idea
this is a deterministic problem that always happens when doing that
switch. If so, can we have a test case?
Also missing the word "fault" after 'general protection'.
Thanks.
>
> Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> ---
> fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 0aff9b2..d198e87 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> char *dst = (char *)dstv;
> size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
> + return;
> + }
>
> offset = (start_offset + start) & (PAGE_SIZE - 1);
>
> while (len > 0) {
> + ASSERT(i < num_pages);
> page = eb->pages[i];
>
> cur = min(len, (PAGE_SIZE - offset));
> @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> unsigned long end_i = (start_offset + start + min_len - 1) >>
> PAGE_SHIFT;
>
> + if (start + min_len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, min_len);
> + return -EINVAL;
> + }
> +
> if (i != end_i)
> return 1;
>
> @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> }
>
> - if (start + min_len > eb->len) {
> - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> - eb->start, eb->len, start, min_len);
> - return -EINVAL;
> - }
> -
> p = eb->pages[i];
> kaddr = page_address(p);
> *map = kaddr + offset;
> --
> 2.9.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Filipe David Manana,
“Whether you think you can, or you think you can't — you're right.”
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-08 8:47 ` Filipe Manana
@ 2017-08-08 17:05 ` Liu Bo
2017-08-09 15:03 ` Filipe Manana
0 siblings, 1 reply; 14+ messages in thread
From: Liu Bo @ 2017-08-08 17:05 UTC (permalink / raw)
To: Filipe Manana; +Cc: linux-btrfs
Hi Filipe,
On Tue, Aug 08, 2017 at 09:47:21AM +0100, Filipe Manana wrote:
> On Mon, Aug 7, 2017 at 8:39 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> > There is a cornel case that slip through the checkers in functions
> > reading extent buffer, ie.
> >
> > if (start < eb->len) and (start + len > eb->len),
> > then
> >
> > a) map_private_extent_buffer() returns immediately because
> > it's thinking the range spans across two pages,
> >
> > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> > and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> > corner case, but it'd actually try to access the eb->pages out of
> > bounds because of (start + len > eb->len).
> >
> > The case is found by switching extent inline ref type from shared data
> > ref to non-shared data ref.
> >
> > This is adding proper checks in order to avoid invalid memory access,
> > ie. 'general protection', before it's too late.
>
> Hi Bo,
>
> I don't understand these 2 last paragraphs.
> How do you fix the invalid memory access? All the change does is make
> sure that attempts to read from invalid regions of an extent buffer
> result in a warning and returning an error code. Those paragraphs give
> the idea that the problem is that some caller is passing a wrong
> offset/length pair, however you aren't fixing any caller. can you
> clarify?
>
I see your doubt, that wrong offset/length pair comes from one of
btrfs_setget helpers, eg. btrfs_extent_data_ref_root.
The invalid memory access happens when the pointer it's using to
access fields in "struct btrfs_extent_data_ref" is actually a "struct
btrfs_shared_data_ref", this is caused by switching those types.
So the offset/length pair is correct from btrfs_setget helper's point
of view, but it's just using the wrong helper due to a wrong ref type
(in v2 this'll be added to the commit log to clarity).
> Also when you say " The case is found by switching extent inline ref
> type from shared data ref to non-shared data ref", it gives the idea
> this is a deterministic problem that always happens when doing that
> switch. If so, can we have a test case?
>
It is deterministic, but it depends on patching btrfs-corrupt-block
and last time I posted a corrupt-block related case, I was told that
tool is gonna change a lot and maybe get deleted in the near future,
so it's not yet suitable for fstests cases.
> Also missing the word "fault" after 'general protection'.
>
Yeah, there is a 'fault', the full text is
"general protection fault: 0000 [#1] SMP KASAN",
will update.
Thanks,
-liubo
> Thanks.
>
> >
> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> > ---
> > fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> > 1 file changed, 14 insertions(+), 8 deletions(-)
> >
> > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> > index 0aff9b2..d198e87 100644
> > --- a/fs/btrfs/extent_io.c
> > +++ b/fs/btrfs/extent_io.c
> > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> > char *dst = (char *)dstv;
> > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> > unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> > + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
> >
> > - WARN_ON(start > eb->len);
> > - WARN_ON(start + len > eb->start + eb->len);
> > + if (start + len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, len);
> > + memset(dst, 0, len);
> > + return;
> > + }
> >
> > offset = (start_offset + start) & (PAGE_SIZE - 1);
> >
> > while (len > 0) {
> > + ASSERT(i < num_pages);
> > page = eb->pages[i];
> >
> > cur = min(len, (PAGE_SIZE - offset));
> > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > unsigned long end_i = (start_offset + start + min_len - 1) >>
> > PAGE_SHIFT;
> >
> > + if (start + min_len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, min_len);
> > + return -EINVAL;
> > + }
> > +
> > if (i != end_i)
> > return 1;
> >
> > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> > }
> >
> > - if (start + min_len > eb->len) {
> > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > - eb->start, eb->len, start, min_len);
> > - return -EINVAL;
> > - }
> > -
> > p = eb->pages[i];
> > kaddr = page_address(p);
> > *map = kaddr + offset;
> > --
> > 2.9.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Filipe David Manana,
>
> “Whether you think you can, or you think you can't — you're right.”
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-08 17:05 ` Liu Bo
@ 2017-08-09 15:03 ` Filipe Manana
0 siblings, 0 replies; 14+ messages in thread
From: Filipe Manana @ 2017-08-09 15:03 UTC (permalink / raw)
To: Liu Bo; +Cc: linux-btrfs
On Tue, Aug 8, 2017 at 6:05 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> Hi Filipe,
>
> On Tue, Aug 08, 2017 at 09:47:21AM +0100, Filipe Manana wrote:
>> On Mon, Aug 7, 2017 at 8:39 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
>> > There is a cornel case that slip through the checkers in functions
>> > reading extent buffer, ie.
>> >
>> > if (start < eb->len) and (start + len > eb->len),
>> > then
>> >
>> > a) map_private_extent_buffer() returns immediately because
>> > it's thinking the range spans across two pages,
>> >
>> > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
>> > and WARN_ON(start + len > eb->start + eb->len), both are OK in this
>> > corner case, but it'd actually try to access the eb->pages out of
>> > bounds because of (start + len > eb->len).
>> >
>> > The case is found by switching extent inline ref type from shared data
>> > ref to non-shared data ref.
>> >
>> > This is adding proper checks in order to avoid invalid memory access,
>> > ie. 'general protection', before it's too late.
>>
>> Hi Bo,
>>
>> I don't understand these 2 last paragraphs.
>> How do you fix the invalid memory access? All the change does is make
>> sure that attempts to read from invalid regions of an extent buffer
>> result in a warning and returning an error code. Those paragraphs give
>> the idea that the problem is that some caller is passing a wrong
>> offset/length pair, however you aren't fixing any caller. can you
>> clarify?
>>
>
> I see your doubt, that wrong offset/length pair comes from one of
> btrfs_setget helpers, eg. btrfs_extent_data_ref_root.
>
> The invalid memory access happens when the pointer it's using to
> access fields in "struct btrfs_extent_data_ref" is actually a "struct
> btrfs_shared_data_ref", this is caused by switching those types.
>
> So the offset/length pair is correct from btrfs_setget helper's point
> of view, but it's just using the wrong helper due to a wrong ref type
> (in v2 this'll be added to the commit log to clarity).
>
>> Also when you say " The case is found by switching extent inline ref
>> type from shared data ref to non-shared data ref", it gives the idea
>> this is a deterministic problem that always happens when doing that
>> switch. If so, can we have a test case?
>>
>
> It is deterministic, but it depends on patching btrfs-corrupt-block
> and last time I posted a corrupt-block related case, I was told that
> tool is gonna change a lot and maybe get deleted in the near future,
> so it's not yet suitable for fstests cases.
Ok, so this only happens if the metadata is corrupted. It wasn't clear
for me from the change log.
Thanks.
>
>> Also missing the word "fault" after 'general protection'.
>>
>
> Yeah, there is a 'fault', the full text is
> "general protection fault: 0000 [#1] SMP KASAN",
> will update.
>
> Thanks,
>
> -liubo
>
>> Thanks.
>>
>> >
>> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
>> > ---
>> > fs/btrfs/extent_io.c | 22 ++++++++++++++--------
>> > 1 file changed, 14 insertions(+), 8 deletions(-)
>> >
>> > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
>> > index 0aff9b2..d198e87 100644
>> > --- a/fs/btrfs/extent_io.c
>> > +++ b/fs/btrfs/extent_io.c
>> > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
>> > char *dst = (char *)dstv;
>> > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
>> > unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>> > + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
>> >
>> > - WARN_ON(start > eb->len);
>> > - WARN_ON(start + len > eb->start + eb->len);
>> > + if (start + len > eb->len) {
>> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
>> > + eb->start, eb->len, start, len);
>> > + memset(dst, 0, len);
>> > + return;
>> > + }
>> >
>> > offset = (start_offset + start) & (PAGE_SIZE - 1);
>> >
>> > while (len > 0) {
>> > + ASSERT(i < num_pages);
>> > page = eb->pages[i];
>> >
>> > cur = min(len, (PAGE_SIZE - offset));
>> > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
>> > unsigned long end_i = (start_offset + start + min_len - 1) >>
>> > PAGE_SHIFT;
>> >
>> > + if (start + min_len > eb->len) {
>> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
>> > + eb->start, eb->len, start, min_len);
>> > + return -EINVAL;
>> > + }
>> > +
>> > if (i != end_i)
>> > return 1;
>> >
>> > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
>> > *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
>> > }
>> >
>> > - if (start + min_len > eb->len) {
>> > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
>> > - eb->start, eb->len, start, min_len);
>> > - return -EINVAL;
>> > - }
>> > -
>> > p = eb->pages[i];
>> > kaddr = page_address(p);
>> > *map = kaddr + offset;
>> > --
>> > 2.9.4
>> >
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
>> > the body of a message to majordomo@vger.kernel.org
>> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>>
>>
>> --
>> Filipe David Manana,
>>
>> “Whether you think you can, or you think you can't — you're right.”
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Filipe David Manana,
“Whether you think you can, or you think you can't — you're right.”
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
2017-08-08 8:47 ` Filipe Manana
@ 2017-08-09 16:31 ` Liu Bo
2017-08-09 17:35 ` Filipe Manana
2017-08-09 17:40 ` Filipe Manana
2017-08-09 17:10 ` [PATCH v3] " Liu Bo
2017-08-11 21:26 ` [PATCH] " kbuild test robot
3 siblings, 2 replies; 14+ messages in thread
From: Liu Bo @ 2017-08-09 16:31 UTC (permalink / raw)
To: linux-btrfs
There is a cornel case that slip through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len),
then
a) map_private_extent_buffer() returns immediately because
it's thinking the range spans across two pages,
b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
and WARN_ON(start + len > eb->start + eb->len), both are OK in this
corner case, but it'd actually try to access the eb->pages out of
bounds because of (start + len > eb->len).
The case is found by switching extent inline ref type from shared data
ref to non-shared data ref, which is a kind of metadata corruption.
It'd use the wrong helper to access the eb,
eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
here is "struct btrfs_shared_data_ref". And if the extent item
happens to be the first item in the eb, then offset/length will get
over eb->len which ends up an invalid memory access.
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
---
v2: Improve the commit log to clarify that this can only happen if
metadata is corrupted.
fs/btrfs/extent_io.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 0aff9b2..d198e87 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
char *dst = (char *)dstv;
size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
+ unsigned long num_pages = num_extent_pages(eb->start, eb->len);
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = (start_offset + start) & (PAGE_SIZE - 1);
while (len > 0) {
+ ASSERT(i < num_pages);
page = eb->pages[i];
cur = min(len, (PAGE_SIZE - offset));
@@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
unsigned long end_i = (start_offset + start + min_len - 1) >>
PAGE_SHIFT;
+ if (start + min_len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, min_len);
+ return -EINVAL;
+ }
+
if (i != end_i)
return 1;
@@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
*map_start = ((u64)i << PAGE_SHIFT) - start_offset;
}
- if (start + min_len > eb->len) {
- WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
- eb->start, eb->len, start, min_len);
- return -EINVAL;
- }
-
p = eb->pages[i];
kaddr = page_address(p);
*map = kaddr + offset;
--
2.9.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
@ 2017-08-09 17:35 ` Filipe Manana
2017-08-09 17:40 ` Filipe Manana
1 sibling, 0 replies; 14+ messages in thread
From: Filipe Manana @ 2017-08-09 17:35 UTC (permalink / raw)
To: Liu Bo; +Cc: linux-btrfs
On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> There is a cornel case that slip through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len),
> then
>
> a) map_private_extent_buffer() returns immediately because
> it's thinking the range spans across two pages,
>
> b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> corner case, but it'd actually try to access the eb->pages out of
> bounds because of (start + len > eb->len).
>
> The case is found by switching extent inline ref type from shared data
> ref to non-shared data ref, which is a kind of metadata corruption.
>
> It'd use the wrong helper to access the eb,
> eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
> here is "struct btrfs_shared_data_ref". And if the extent item
> happens to be the first item in the eb, then offset/length will get
> over eb->len which ends up an invalid memory access.
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
> ---
>
> v2: Improve the commit log to clarify that this can only happen if
> metadata is corrupted.
Thanks for adding the clarification!
>
> fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 0aff9b2..d198e87 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> char *dst = (char *)dstv;
> size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
> + return;
> + }
>
> offset = (start_offset + start) & (PAGE_SIZE - 1);
>
> while (len > 0) {
> + ASSERT(i < num_pages);
> page = eb->pages[i];
>
> cur = min(len, (PAGE_SIZE - offset));
> @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> unsigned long end_i = (start_offset + start + min_len - 1) >>
> PAGE_SHIFT;
>
> + if (start + min_len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, min_len);
> + return -EINVAL;
> + }
> +
> if (i != end_i)
> return 1;
>
> @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> }
>
> - if (start + min_len > eb->len) {
> - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> - eb->start, eb->len, start, min_len);
> - return -EINVAL;
> - }
> -
> p = eb->pages[i];
> kaddr = page_address(p);
> *map = kaddr + offset;
> --
> 2.9.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Filipe David Manana,
“Whether you think you can, or you think you can't — you're right.”
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
2017-08-09 17:35 ` Filipe Manana
@ 2017-08-09 17:40 ` Filipe Manana
2017-08-09 18:03 ` Liu Bo
1 sibling, 1 reply; 14+ messages in thread
From: Filipe Manana @ 2017-08-09 17:40 UTC (permalink / raw)
To: Liu Bo; +Cc: linux-btrfs
On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> There is a cornel case that slip through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len),
> then
>
> a) map_private_extent_buffer() returns immediately because
> it's thinking the range spans across two pages,
>
> b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> corner case, but it'd actually try to access the eb->pages out of
> bounds because of (start + len > eb->len).
>
> The case is found by switching extent inline ref type from shared data
> ref to non-shared data ref, which is a kind of metadata corruption.
>
> It'd use the wrong helper to access the eb,
> eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
> here is "struct btrfs_shared_data_ref". And if the extent item
> happens to be the first item in the eb, then offset/length will get
> over eb->len which ends up an invalid memory access.
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> ---
>
> v2: Improve the commit log to clarify that this can only happen if
> metadata is corrupted.
>
> fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 0aff9b2..d198e87 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> char *dst = (char *)dstv;
> size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
Forgot to note that if CONFIG_BTRFS_ASSERT is not set, this variable
is unused and the compiler and static checkers will emit a warning.
Other than that all looks fine. Thanks.
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
> + return;
> + }
>
> offset = (start_offset + start) & (PAGE_SIZE - 1);
>
> while (len > 0) {
> + ASSERT(i < num_pages);
> page = eb->pages[i];
>
> cur = min(len, (PAGE_SIZE - offset));
> @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> unsigned long end_i = (start_offset + start + min_len - 1) >>
> PAGE_SHIFT;
>
> + if (start + min_len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, min_len);
> + return -EINVAL;
> + }
> +
> if (i != end_i)
> return 1;
>
> @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> }
>
> - if (start + min_len > eb->len) {
> - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> - eb->start, eb->len, start, min_len);
> - return -EINVAL;
> - }
> -
> p = eb->pages[i];
> kaddr = page_address(p);
> *map = kaddr + offset;
> --
> 2.9.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Filipe David Manana,
“Whether you think you can, or you think you can't — you're right.”
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-09 17:40 ` Filipe Manana
@ 2017-08-09 18:03 ` Liu Bo
0 siblings, 0 replies; 14+ messages in thread
From: Liu Bo @ 2017-08-09 18:03 UTC (permalink / raw)
To: Filipe Manana; +Cc: linux-btrfs
On Wed, Aug 09, 2017 at 06:40:04PM +0100, Filipe Manana wrote:
> On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> > There is a cornel case that slip through the checkers in functions
> > reading extent buffer, ie.
> >
> > if (start < eb->len) and (start + len > eb->len),
> > then
> >
> > a) map_private_extent_buffer() returns immediately because
> > it's thinking the range spans across two pages,
> >
> > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> > and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> > corner case, but it'd actually try to access the eb->pages out of
> > bounds because of (start + len > eb->len).
> >
> > The case is found by switching extent inline ref type from shared data
> > ref to non-shared data ref, which is a kind of metadata corruption.
> >
> > It'd use the wrong helper to access the eb,
> > eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
> > here is "struct btrfs_shared_data_ref". And if the extent item
> > happens to be the first item in the eb, then offset/length will get
> > over eb->len which ends up an invalid memory access.
> >
> > This is adding proper checks in order to avoid invalid memory access,
> > ie. 'general protection fault', before it's too late.
> >
> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> > ---
> >
> > v2: Improve the commit log to clarify that this can only happen if
> > metadata is corrupted.
> >
> > fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> > 1 file changed, 14 insertions(+), 8 deletions(-)
> >
> > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> > index 0aff9b2..d198e87 100644
> > --- a/fs/btrfs/extent_io.c
> > +++ b/fs/btrfs/extent_io.c
> > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> > char *dst = (char *)dstv;
> > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> > unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> > + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
>
> Forgot to note that if CONFIG_BTRFS_ASSERT is not set, this variable
> is unused and the compiler and static checkers will emit a warning.
> Other than that all looks fine. Thanks.
>
True, then lets remove it, I don't think we could reach that ASSERT if
(start + len > eb->len).
thanks,
-liubo
> >
> > - WARN_ON(start > eb->len);
> > - WARN_ON(start + len > eb->start + eb->len);
> > + if (start + len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, len);
> > + memset(dst, 0, len);
> > + return;
> > + }
> >
> > offset = (start_offset + start) & (PAGE_SIZE - 1);
> >
> > while (len > 0) {
> > + ASSERT(i < num_pages);
> > page = eb->pages[i];
> >
> > cur = min(len, (PAGE_SIZE - offset));
> > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > unsigned long end_i = (start_offset + start + min_len - 1) >>
> > PAGE_SHIFT;
> >
> > + if (start + min_len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, min_len);
> > + return -EINVAL;
> > + }
> > +
> > if (i != end_i)
> > return 1;
> >
> > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> > }
> >
> > - if (start + min_len > eb->len) {
> > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > - eb->start, eb->len, start, min_len);
> > - return -EINVAL;
> > - }
> > -
> > p = eb->pages[i];
> > kaddr = page_address(p);
> > *map = kaddr + offset;
> > --
> > 2.9.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Filipe David Manana,
>
> “Whether you think you can, or you think you can't — you're right.”
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v3] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
2017-08-08 8:47 ` Filipe Manana
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
@ 2017-08-09 17:10 ` Liu Bo
2017-08-09 18:15 ` Hugo Mills
2017-08-11 21:26 ` [PATCH] " kbuild test robot
3 siblings, 1 reply; 14+ messages in thread
From: Liu Bo @ 2017-08-09 17:10 UTC (permalink / raw)
To: linux-btrfs
There is a cornel case that slip through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len),
then
a) map_private_extent_buffer() returns immediately because
it's thinking the range spans across two pages,
b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
and WARN_ON(start + len > eb->start + eb->len), both are OK in this
corner case, but it'd actually try to access the eb->pages out of
bounds because of (start + len > eb->len).
The case is found by switching extent inline ref type from shared data
ref to non-shared data ref, which is a kind of metadata corruption.
It'd use the wrong helper to access the eb,
eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
here is "struct btrfs_shared_data_ref". And if the extent item
happens to be the first item in the eb, then offset/length will get
over eb->len which ends up an invalid memory access.
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
---
v3: Remove the unnecessary ASSERT and num_pages.
v2: Improve the commit log to clarify that this can only happen if
metadata is corrupted.
fs/btrfs/extent_io.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 0aff9b2..e6c6853 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5417,8 +5417,12 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = (start_offset + start) & (PAGE_SIZE - 1);
@@ -5491,6 +5495,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
unsigned long end_i = (start_offset + start + min_len - 1) >>
PAGE_SHIFT;
+ if (start + min_len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, min_len);
+ return -EINVAL;
+ }
+
if (i != end_i)
return 1;
@@ -5502,12 +5512,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
*map_start = ((u64)i << PAGE_SHIFT) - start_offset;
}
- if (start + min_len > eb->len) {
- WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
- eb->start, eb->len, start, min_len);
- return -EINVAL;
- }
-
p = eb->pages[i];
kaddr = page_address(p);
*map = kaddr + offset;
--
2.9.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH v3] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-09 17:10 ` [PATCH v3] " Liu Bo
@ 2017-08-09 18:15 ` Hugo Mills
2017-08-11 0:47 ` Duncan
0 siblings, 1 reply; 14+ messages in thread
From: Hugo Mills @ 2017-08-09 18:15 UTC (permalink / raw)
To: Liu Bo; +Cc: linux-btrfs
[-- Attachment #1: Type: text/plain, Size: 3435 bytes --]
On Wed, Aug 09, 2017 at 11:10:16AM -0600, Liu Bo wrote:
> There is a cornel case that slip through the checkers in functions
^^^^^^ corner
Sorry, that's been bugging me every time it goes past. A cornel is
a kind of tree, apparently.
Hugo.
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len),
> then
>
> a) map_private_extent_buffer() returns immediately because
> it's thinking the range spans across two pages,
>
> b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> corner case, but it'd actually try to access the eb->pages out of
> bounds because of (start + len > eb->len).
>
> The case is found by switching extent inline ref type from shared data
> ref to non-shared data ref, which is a kind of metadata corruption.
>
> It'd use the wrong helper to access the eb,
> eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
> here is "struct btrfs_shared_data_ref". And if the extent item
> happens to be the first item in the eb, then offset/length will get
> over eb->len which ends up an invalid memory access.
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> Reviewed-by: Filipe Manana <fdmanana@suse.com>
> Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> ---
>
> v3: Remove the unnecessary ASSERT and num_pages.
>
> v2: Improve the commit log to clarify that this can only happen if
> metadata is corrupted.
>
> fs/btrfs/extent_io.c | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 0aff9b2..e6c6853 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5417,8 +5417,12 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
> + return;
> + }
>
> offset = (start_offset + start) & (PAGE_SIZE - 1);
>
> @@ -5491,6 +5495,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> unsigned long end_i = (start_offset + start + min_len - 1) >>
> PAGE_SHIFT;
>
> + if (start + min_len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, min_len);
> + return -EINVAL;
> + }
> +
> if (i != end_i)
> return 1;
>
> @@ -5502,12 +5512,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> }
>
> - if (start + min_len > eb->len) {
> - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> - eb->start, eb->len, start, min_len);
> - return -EINVAL;
> - }
> -
> p = eb->pages[i];
> kaddr = page_address(p);
> *map = kaddr + offset;
--
Hugo Mills | Jazz is the sort of music where no-one plays
hugo@... carfax.org.uk | anything the same way once.
http://carfax.org.uk/ |
PGP: E2AB1DE4 |
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v3] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-09 18:15 ` Hugo Mills
@ 2017-08-11 0:47 ` Duncan
0 siblings, 0 replies; 14+ messages in thread
From: Duncan @ 2017-08-11 0:47 UTC (permalink / raw)
To: linux-btrfs
Hugo Mills posted on Wed, 09 Aug 2017 18:15:29 +0000 as excerpted:
> On Wed, Aug 09, 2017 at 11:10:16AM -0600, Liu Bo wrote:
>> There is a cornel case that slip through the checkers in functions
> ^^^^^^ corner
>
> Sorry, that's been bugging me every time it goes past. A cornel is
> a kind of tree, apparently.
LOL! Me too but likely more so because I actually live in Cornell
Condominiums so seeing "cornel" in this context is a rather confusing
context switch, to say the least! I let it slip the first time as I
never expected it to make it to a v3, but...
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] Btrfs: fix out of bounds array access while reading extent buffer
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
` (2 preceding siblings ...)
2017-08-09 17:10 ` [PATCH v3] " Liu Bo
@ 2017-08-11 21:26 ` kbuild test robot
3 siblings, 0 replies; 14+ messages in thread
From: kbuild test robot @ 2017-08-11 21:26 UTC (permalink / raw)
To: Liu Bo; +Cc: kbuild-all, linux-btrfs
[-- Attachment #1: Type: text/plain, Size: 2045 bytes --]
Hi Liu,
[auto build test WARNING on v4.13-rc4]
[also build test WARNING on next-20170811]
[cannot apply to btrfs/next]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Liu-Bo/Btrfs-fix-out-of-bounds-array-access-while-reading-extent-buffer/20170810-235607
config: x86_64-randconfig-a0-08120433 (attached as .config)
compiler: gcc-4.4 (Debian 4.4.7-8) 4.4.7
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All warnings (new ones prefixed by >>):
fs//btrfs/extent_io.c: In function 'read_extent_buffer':
>> fs//btrfs/extent_io.c:5419: warning: unused variable 'num_pages'
vim +/num_pages +5419 fs//btrfs/extent_io.c
5407
5408 void read_extent_buffer(struct extent_buffer *eb, void *dstv,
5409 unsigned long start,
5410 unsigned long len)
5411 {
5412 size_t cur;
5413 size_t offset;
5414 struct page *page;
5415 char *kaddr;
5416 char *dst = (char *)dstv;
5417 size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
5418 unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> 5419 unsigned long num_pages = num_extent_pages(eb->start, eb->len);
5420
5421 if (start + len > eb->len) {
5422 WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
5423 eb->start, eb->len, start, len);
5424 memset(dst, 0, len);
5425 return;
5426 }
5427
5428 offset = (start_offset + start) & (PAGE_SIZE - 1);
5429
5430 while (len > 0) {
5431 ASSERT(i < num_pages);
5432 page = eb->pages[i];
5433
5434 cur = min(len, (PAGE_SIZE - offset));
5435 kaddr = page_address(page);
5436 memcpy(dst, kaddr + offset, cur);
5437
5438 dst += cur;
5439 len -= cur;
5440 offset = 0;
5441 i++;
5442 }
5443 }
5444
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29010 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH] btrfs: fix out of bounds array access while reading extent buffer
@ 2019-06-14 11:51 Young Xiao
2019-06-14 13:52 ` Qu Wenruo
0 siblings, 1 reply; 14+ messages in thread
From: Young Xiao @ 2019-06-14 11:51 UTC (permalink / raw)
To: clm, josef, dsterba, linux-btrfs, linux-kernel; +Cc: Young Xiao
There is a corner case that slips through the checkers in functions
reading extent buffer, ie.
if (start < eb->len) and (start + len > eb->len), then:
the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
both are OK in this corner case, but it'd actually try to access the eb->pages
out of bounds because of (start + len > eb->len).
This is adding proper checks in order to avoid invalid memory access,
ie. 'general protection fault', before it's too late.
See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
reading extent buffer") for details.
Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
fs/btrfs/extent_io.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index db337e5..dcf3b2e 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(dst, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
@@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
unsigned long i = (start_offset + start) >> PAGE_SHIFT;
int ret = 0;
- WARN_ON(start > eb->len);
- WARN_ON(start + len > eb->start + eb->len);
+ if (start + len > eb->len) {
+ WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
+ eb->start, eb->len, start, len);
+ memset(ptr, 0, len);
+ return;
+ }
offset = offset_in_page(start_offset + start);
--
2.7.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH] btrfs: fix out of bounds array access while reading extent buffer
2019-06-14 11:51 [PATCH] btrfs: " Young Xiao
@ 2019-06-14 13:52 ` Qu Wenruo
0 siblings, 0 replies; 14+ messages in thread
From: Qu Wenruo @ 2019-06-14 13:52 UTC (permalink / raw)
To: Young Xiao, clm, josef, dsterba, linux-btrfs, linux-kernel
[-- Attachment #1.1: Type: text/plain, Size: 2840 bytes --]
On 2019/6/14 下午7:51, Young Xiao wrote:
> There is a corner case that slips through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len), then:
> the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
> WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
> both are OK in this corner case, but it'd actually try to access the eb->pages
> out of bounds because of (start + len > eb->len).
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
> reading extent buffer") for details.
>
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
> fs/btrfs/extent_io.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index db337e5..dcf3b2e 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
The original (start + len > eb->start + eb->len) check is so wrong from
the very beginning. eb->start makes no sense in the context.
So your patch makes sense.
But it's not 100% fixed.
If @start and @len overflow u64, e.g @start = 1 << 63 + 8k, @len = 1<<
63 + 8K. it can still skip the check.
So, we still need to check @start against eb->len, then @start + @len
against eb->len.
Also, shouldn't we include the equal case for @start? (although start +
len == eb->len should be OK)
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
I'd prefer not to do the memset, as @start and @len is already wrong, I
doubt the @dst could be completely some wild pointer, and set them could
easily screw up the whole kernel.
Thanks,
Qu
> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(ptr, 0, len);
> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2019-06-14 13:53 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
2017-08-08 8:47 ` Filipe Manana
2017-08-08 17:05 ` Liu Bo
2017-08-09 15:03 ` Filipe Manana
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
2017-08-09 17:35 ` Filipe Manana
2017-08-09 17:40 ` Filipe Manana
2017-08-09 18:03 ` Liu Bo
2017-08-09 17:10 ` [PATCH v3] " Liu Bo
2017-08-09 18:15 ` Hugo Mills
2017-08-11 0:47 ` Duncan
2017-08-11 21:26 ` [PATCH] " kbuild test robot
2019-06-14 11:51 [PATCH] btrfs: " Young Xiao
2019-06-14 13:52 ` Qu Wenruo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).