From: Qu Wenruo <quwenruo.btrfs@gmx.com>
To: Young Xiao <92siuyang@gmail.com>,
clm@fb.com, josef@toxicpanda.com, dsterba@suse.com,
linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] btrfs: fix out of bounds array access while reading extent buffer
Date: Fri, 14 Jun 2019 21:52:47 +0800 [thread overview]
Message-ID: <55b4adb7-59dc-5465-a99a-8ff0a9d7c450@gmx.com> (raw)
In-Reply-To: <1560513109-2568-1-git-send-email-92siuyang@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2840 bytes --]
On 2019/6/14 下午7:51, Young Xiao wrote:
> There is a corner case that slips through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len), then:
> the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
> WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
> both are OK in this corner case, but it'd actually try to access the eb->pages
> out of bounds because of (start + len > eb->len).
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
> reading extent buffer") for details.
>
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
> fs/btrfs/extent_io.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index db337e5..dcf3b2e 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
The original (start + len > eb->start + eb->len) check is so wrong from
the very beginning. eb->start makes no sense in the context.
So your patch makes sense.
But it's not 100% fixed.
If @start and @len overflow u64, e.g @start = 1 << 63 + 8k, @len = 1<<
63 + 8K. it can still skip the check.
So, we still need to check @start against eb->len, then @start + @len
against eb->len.
Also, shouldn't we include the equal case for @start? (although start +
len == eb->len should be OK)
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);
I'd prefer not to do the memset, as @start and @len is already wrong, I
doubt the @dst could be completely some wild pointer, and set them could
easily screw up the whole kernel.
Thanks,
Qu
> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(ptr, 0, len);
> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2019-06-14 13:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-14 11:51 [PATCH] btrfs: fix out of bounds array access while reading extent buffer Young Xiao
2019-06-14 13:52 ` Qu Wenruo [this message]
-- strict thread matches above, loose matches on Subject: below --
2017-08-07 19:39 [PATCH] Btrfs: " Liu Bo
2017-08-08 8:47 ` Filipe Manana
2017-08-08 17:05 ` Liu Bo
2017-08-09 15:03 ` Filipe Manana
2017-08-11 21:26 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55b4adb7-59dc-5465-a99a-8ff0a9d7c450@gmx.com \
--to=quwenruo.btrfs@gmx.com \
--cc=92siuyang@gmail.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).