From: Liu Bo <bo.li.liu@oracle.com>
To: Filipe Manana <fdmanana@gmail.com>
Cc: "linux-btrfs@vger.kernel.org" <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH v2] Btrfs: fix out of bounds array access while reading extent buffer
Date: Wed, 9 Aug 2017 11:03:19 -0700 [thread overview]
Message-ID: <20170809180318.GA26951@lim.localdomain> (raw)
In-Reply-To: <CAL3q7H6+B5uiOq6Lx-6Zx+ETDAaUEN7QhV9uBeNnOO2a+eHAQA@mail.gmail.com>
On Wed, Aug 09, 2017 at 06:40:04PM +0100, Filipe Manana wrote:
> On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote:
> > There is a cornel case that slip through the checkers in functions
> > reading extent buffer, ie.
> >
> > if (start < eb->len) and (start + len > eb->len),
> > then
> >
> > a) map_private_extent_buffer() returns immediately because
> > it's thinking the range spans across two pages,
> >
> > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len)
> > and WARN_ON(start + len > eb->start + eb->len), both are OK in this
> > corner case, but it'd actually try to access the eb->pages out of
> > bounds because of (start + len > eb->len).
> >
> > The case is found by switching extent inline ref type from shared data
> > ref to non-shared data ref, which is a kind of metadata corruption.
> >
> > It'd use the wrong helper to access the eb,
> > eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing
> > here is "struct btrfs_shared_data_ref". And if the extent item
> > happens to be the first item in the eb, then offset/length will get
> > over eb->len which ends up an invalid memory access.
> >
> > This is adding proper checks in order to avoid invalid memory access,
> > ie. 'general protection fault', before it's too late.
> >
> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> > ---
> >
> > v2: Improve the commit log to clarify that this can only happen if
> > metadata is corrupted.
> >
> > fs/btrfs/extent_io.c | 22 ++++++++++++++--------
> > 1 file changed, 14 insertions(+), 8 deletions(-)
> >
> > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> > index 0aff9b2..d198e87 100644
> > --- a/fs/btrfs/extent_io.c
> > +++ b/fs/btrfs/extent_io.c
> > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
> > char *dst = (char *)dstv;
> > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1);
> > unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> > + unsigned long num_pages = num_extent_pages(eb->start, eb->len);
>
> Forgot to note that if CONFIG_BTRFS_ASSERT is not set, this variable
> is unused and the compiler and static checkers will emit a warning.
> Other than that all looks fine. Thanks.
>
True, then lets remove it, I don't think we could reach that ASSERT if
(start + len > eb->len).
thanks,
-liubo
> >
> > - WARN_ON(start > eb->len);
> > - WARN_ON(start + len > eb->start + eb->len);
> > + if (start + len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, len);
> > + memset(dst, 0, len);
> > + return;
> > + }
> >
> > offset = (start_offset + start) & (PAGE_SIZE - 1);
> >
> > while (len > 0) {
> > + ASSERT(i < num_pages);
> > page = eb->pages[i];
> >
> > cur = min(len, (PAGE_SIZE - offset));
> > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > unsigned long end_i = (start_offset + start + min_len - 1) >>
> > PAGE_SHIFT;
> >
> > + if (start + min_len > eb->len) {
> > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > + eb->start, eb->len, start, min_len);
> > + return -EINVAL;
> > + }
> > +
> > if (i != end_i)
> > return 1;
> >
> > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
> > *map_start = ((u64)i << PAGE_SHIFT) - start_offset;
> > }
> >
> > - if (start + min_len > eb->len) {
> > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> > - eb->start, eb->len, start, min_len);
> > - return -EINVAL;
> > - }
> > -
> > p = eb->pages[i];
> > kaddr = page_address(p);
> > *map = kaddr + offset;
> > --
> > 2.9.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Filipe David Manana,
>
> “Whether you think you can, or you think you can't — you're right.”
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-09 18:06 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-07 19:39 [PATCH] Btrfs: fix out of bounds array access while reading extent buffer Liu Bo
2017-08-08 8:47 ` Filipe Manana
2017-08-08 17:05 ` Liu Bo
2017-08-09 15:03 ` Filipe Manana
2017-08-09 16:31 ` [PATCH v2] " Liu Bo
2017-08-09 17:35 ` Filipe Manana
2017-08-09 17:40 ` Filipe Manana
2017-08-09 18:03 ` Liu Bo [this message]
2017-08-09 17:10 ` [PATCH v3] " Liu Bo
2017-08-09 18:15 ` Hugo Mills
2017-08-11 0:47 ` Duncan
2017-08-11 21:26 ` [PATCH] " kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170809180318.GA26951@lim.localdomain \
--to=bo.li.liu@oracle.com \
--cc=fdmanana@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).