* [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption.
@ 2018-05-23 8:22 Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 1/4] btrfs: compression: Add linux/sizes.h for compression.h Qu Wenruo
` (4 more replies)
0 siblings, 5 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-23 8:22 UTC (permalink / raw)
To: linux-btrfs
This patchset can be fetched from github:
https://github.com/adam900710/linux/tree/lzo_corruption
Which is based on v4.17-rc5.
James Harvey reported pretty strange kernel misbehavior where after
reading certain btrfs compressed data, kernel crash with unrelated
calltrace.
(https://bugzilla.kernel.org/show_bug.cgi?id=199707 and
https://www.spinics.net/lists/linux-btrfs/msg77971.html)
Thanks for his comprehensive debug help, we located the problem to:
1) Bad lzo decompression verification check
The direct cause.
The lzo decompression code involves memory copy for compressed data
who crosses page boundary.
And if corrupted segment header contains invalid length, btrfs will
do memory copy and then corrupt kernel memory.
Fix it by add header length check for each segment, and just in case,
also add uncompressed data length check. (Patch 3)
The full explanation and kasan output can also be found in that patch.
2) Compressed extent created for NODATASUM inode
The root cause.
Will be addressed in another patchset.
Other patches are mostly cosmetic, like adding extra include for
compression.h, to avoid later compiling error. (Patch 1)
Or adding comment of how btrfs organise its compressed data (Patch 2)
And adding extra check for inlined compressed data even it's not really
possible to happen (Patch 4)
Changelog:
v2:
Cosmetic updates. Mostly for comment and gramma.
Comment and gramma fixes suggested by Nikolay.
One 4 bytes <-> LE32 convert fixes in comment.
Added reviewed-by tag for the 1st patch.
v3:
Fix comment error for inlined lzo compressed extent. (Still has
header), thanks David for pointing this out.
Add example ascii graph as an example.
Enhance inlined extent check, as header length must match with segment
header length + LZO_LEN * 2.
Qu Wenruo (4):
btrfs: compression: Add linux/sizes.h for compression.h
btrfs: lzo: Add comment about the how btrfs records its lzo compressed
data
btrfs: lzo: Add header length check to avoid slab out of bounds access
btrfs: lzo: Harden inline lzo compressed extent decompression
fs/btrfs/compression.h | 1 +
fs/btrfs/lzo.c | 81 ++++++++++++++++++++++++++++++++++++++++--
2 files changed, 80 insertions(+), 2 deletions(-)
--
2.17.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v3 1/4] btrfs: compression: Add linux/sizes.h for compression.h
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
@ 2018-05-23 8:22 ` Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 2/4] btrfs: lzo: Add comment about the how btrfs records its lzo compressed data Qu Wenruo
` (3 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-23 8:22 UTC (permalink / raw)
To: linux-btrfs
Since compression.h is using SZ_* macros, and if some user only includes
compression.h without linux/sizes.h, it will cause compile error.
One example is lzo.c, if it uses BTRFS_MAX_COMPRESSED, it would cause
compile error.
Fix it by adding linux/sizes.h in compression.h
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
---
fs/btrfs/compression.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
index cc605f7b23fb..317703d9b073 100644
--- a/fs/btrfs/compression.h
+++ b/fs/btrfs/compression.h
@@ -6,6 +6,7 @@
#ifndef BTRFS_COMPRESSION_H
#define BTRFS_COMPRESSION_H
+#include <linux/sizes.h>
/*
* We want to make sure that amount of RAM required to uncompress an extent is
* reasonable, so we limit the total size in ram of a compressed extent to
--
2.17.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 2/4] btrfs: lzo: Add comment about the how btrfs records its lzo compressed data
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 1/4] btrfs: compression: Add linux/sizes.h for compression.h Qu Wenruo
@ 2018-05-23 8:22 ` Qu Wenruo
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
` (2 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-23 8:22 UTC (permalink / raw)
To: linux-btrfs
Although it's not that complex, but such comment could still save
several minutes for newer reader/reviewer.
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/lzo.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
index 0667ea07f766..ec5db393c758 100644
--- a/fs/btrfs/lzo.c
+++ b/fs/btrfs/lzo.c
@@ -17,6 +17,41 @@
#define LZO_LEN 4
+/*
+ * Btrfs LZO compression format
+ *
+ * Regular and inlined LZO compressed data extents consist of:
+ * 1. Header
+ * Fixed size. LZO_LEN (4) bytes long, LE32.
+ * Records the total size (*includes* the header) of real compressed data.
+ *
+ * 2. Segment(s)
+ * Variable size. Each segment includes one segment header, with data
+ * payload followed.
+ * One regular LZO compressed extent can have one or more segments.
+ * While For inlined LZO compressed extent, only *ONE* segment is allowed.
+ * One segment represents at most one page of uncompressed data.
+ *
+ * 2.1 Segment header
+ * Fixed size. LZO_LEN (4) bytes long, LE32.
+ * Records the total size of the segment (*excludes* the header).
+ * Segment header *NEVER* crosses page boundary, thus it's possible to
+ * have pending zero at page end.
+ *
+ * 2.2 Data Payload
+ * Variable size. Size up limit should be lzo1x_worst_compress(PAGE_SIZE).
+ *
+ * Example:
+ * Page 1:
+ * 0 0x2 0x4 0x6 0x8 0xa 0xc 0xe 0x10
+ * 0x0000 | Header | SegHdr 01 | Data payload 01 ... |
+ * ...
+ * 0x0ff0 | SegHdr N | Data payload N ... |00|
+ * ^^ pending zero
+ * Page 2:
+ * 0x1000 | SegHdr N+1| Data payload N+1 ... |
+ */
+
struct workspace {
void *mem;
void *buf; /* where decompressed data goes */
--
2.17.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 1/4] btrfs: compression: Add linux/sizes.h for compression.h Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 2/4] btrfs: lzo: Add comment about the how btrfs records its lzo compressed data Qu Wenruo
@ 2018-05-23 8:23 ` Qu Wenruo
2018-05-24 2:09 ` Misono Tomohiro
` (2 more replies)
2018-05-23 8:23 ` [PATCH v3 4/4] btrfs: lzo: Harden inline lzo compressed extent decompression Qu Wenruo
2018-05-24 17:19 ` [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption David Sterba
4 siblings, 3 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-23 8:23 UTC (permalink / raw)
To: linux-btrfs
James Harvey reported that some corrupted compressed extent data can
lead to various kernel memory corruption.
Such corrupted extent data belongs to inode with NODATASUM flags, thus
data csum won't help us detecting such bug.
If lucky enough, kasan could catch it like:
==================================================================
BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
Call Trace:
dump_stack+0xc2/0x16b
print_address_description+0x6a/0x270
kasan_report+0x260/0x380
memcpy+0x34/0x50
lzo_decompress_bio+0x384/0x7a0 [btrfs]
end_compressed_bio_read+0x99f/0x10b0 [btrfs]
bio_endio+0x32e/0x640
normal_work_helper+0x15a/0xea0 [btrfs]
process_one_work+0x7e3/0x1470
worker_thread+0x1b0/0x1170
kthread+0x2db/0x390
ret_from_fork+0x22/0x40
...
==================================================================
The offending compressed data has the following info:
Header: length 32768 (Looks completely valid)
Segment 0 Header: length 3472882419 (Obvious out of bounds)
Then when handling segment 0, since it's over the current page, we need
the compressed data to workspace, then such large size would trigger
out-of-bounds memory access, screwing up the whole kernel.
Fix it by adding extra checks on header and segment headers to ensure we
won't access out-of-bounds, and even checks the decompressed data won't
be out-of-bounds.
Reported-by: James Harvey <jamespharvey20@gmail.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/lzo.c | 35 ++++++++++++++++++++++++++++++++++-
1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
index ec5db393c758..4f4de460b08d 100644
--- a/fs/btrfs/lzo.c
+++ b/fs/btrfs/lzo.c
@@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
unsigned long working_bytes;
size_t in_len;
size_t out_len;
+ size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
unsigned long in_offset;
unsigned long in_page_bytes_left;
unsigned long tot_in;
@@ -306,6 +307,18 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
data_in = kmap(pages_in[0]);
tot_len = read_compress_length(data_in);
+ /*
+ * Compressed data header check.
+ *
+ * The real compressed size can't exceed extent length, and all pages
+ * should be used (a full pending page is not possible).
+ * If this happens it means the compressed extent is corrupted.
+ */
+ if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
+ tot_len < srclen - PAGE_SIZE) {
+ ret = -EUCLEAN;
+ goto done;
+ }
tot_in = LZO_LEN;
in_offset = LZO_LEN;
@@ -320,6 +333,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
in_offset += LZO_LEN;
tot_in += LZO_LEN;
+ /*
+ * Segment header check.
+ *
+ * The segment length must not exceed max lzo compression
+ * size, nor the total compressed size
+ */
+ if (in_len > max_segment_len || tot_in + in_len > tot_len) {
+ ret = -EUCLEAN;
+ goto done;
+ }
+
tot_in += in_len;
working_bytes = in_len;
may_late_unmap = need_unmap = false;
@@ -370,7 +394,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
}
}
- out_len = lzo1x_worst_compress(PAGE_SIZE);
+ out_len = max_segment_len;
ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
&out_len);
if (need_unmap)
@@ -380,6 +404,15 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
ret = -EIO;
break;
}
+ /*
+ * Decompressed data length check.
+ * The uncompressed data should not exceed uncompressed extent
+ * size.
+ */
+ if (tot_out + out_len > cb->len) {
+ ret = -EUCLEAN;
+ break;
+ }
buf_start = tot_out;
tot_out += out_len;
--
2.17.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 4/4] btrfs: lzo: Harden inline lzo compressed extent decompression
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
` (2 preceding siblings ...)
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
@ 2018-05-23 8:23 ` Qu Wenruo
2018-05-24 17:19 ` [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption David Sterba
4 siblings, 0 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-23 8:23 UTC (permalink / raw)
To: linux-btrfs
For inlined extent, we only have one segment, thus less thing to check.
And further more, inlined extent always has csum in its leaf header,
it's less possible to have corrupted data.
Anyway, still check header and segment header.
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/lzo.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
index 4f4de460b08d..8604f6bc0a29 100644
--- a/fs/btrfs/lzo.c
+++ b/fs/btrfs/lzo.c
@@ -437,15 +437,24 @@ static int lzo_decompress(struct list_head *ws, unsigned char *data_in,
struct workspace *workspace = list_entry(ws, struct workspace, list);
size_t in_len;
size_t out_len;
+ size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
int ret = 0;
char *kaddr;
unsigned long bytes;
- BUG_ON(srclen < LZO_LEN);
+ if (srclen < LZO_LEN || srclen > max_segment_len + LZO_LEN * 2)
+ return -EUCLEAN;
+ in_len = read_compress_length(data_in);
+ if (in_len != srclen)
+ return -EUCLEAN;
data_in += LZO_LEN;
in_len = read_compress_length(data_in);
+ if (in_len != srclen - LZO_LEN * 2) {
+ ret = -EUCLEAN;
+ goto out;
+ }
data_in += LZO_LEN;
out_len = PAGE_SIZE;
--
2.17.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
@ 2018-05-24 2:09 ` Misono Tomohiro
2018-05-24 4:01 ` Qu Wenruo
2018-05-29 8:30 ` Misono Tomohiro
2018-05-30 4:58 ` [PATCH v4 " Qu Wenruo
2 siblings, 1 reply; 13+ messages in thread
From: Misono Tomohiro @ 2018-05-24 2:09 UTC (permalink / raw)
To: Qu Wenruo, linux-btrfs
On 2018/05/23 17:23, Qu Wenruo wrote:
> James Harvey reported that some corrupted compressed extent data can
> lead to various kernel memory corruption.
>
> Such corrupted extent data belongs to inode with NODATASUM flags, thus
> data csum won't help us detecting such bug.
>
> If lucky enough, kasan could catch it like:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
> Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
>
> CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
> Call Trace:
> dump_stack+0xc2/0x16b
> print_address_description+0x6a/0x270
> kasan_report+0x260/0x380
> memcpy+0x34/0x50
> lzo_decompress_bio+0x384/0x7a0 [btrfs]
> end_compressed_bio_read+0x99f/0x10b0 [btrfs]
> bio_endio+0x32e/0x640
> normal_work_helper+0x15a/0xea0 [btrfs]
> process_one_work+0x7e3/0x1470
> worker_thread+0x1b0/0x1170
> kthread+0x2db/0x390
> ret_from_fork+0x22/0x40
> ...
> ==================================================================
>
> The offending compressed data has the following info:
>
> Header: length 32768 (Looks completely valid)
> Segment 0 Header: length 3472882419 (Obvious out of bounds)
>
> Then when handling segment 0, since it's over the current page, we need
> the compressed data to workspace, then such large size would trigger
> out-of-bounds memory access, screwing up the whole kernel.
>
> Fix it by adding extra checks on header and segment headers to ensure we
> won't access out-of-bounds, and even checks the decompressed data won't
> be out-of-bounds.
>
> Reported-by: James Harvey <jamespharvey20@gmail.com>
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> ---
> fs/btrfs/lzo.c | 35 ++++++++++++++++++++++++++++++++++-
> 1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
> index ec5db393c758..4f4de460b08d 100644
> --- a/fs/btrfs/lzo.c
> +++ b/fs/btrfs/lzo.c
> @@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> unsigned long working_bytes;
> size_t in_len;
> size_t out_len;
> + size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
> unsigned long in_offset;
> unsigned long in_page_bytes_left;
> unsigned long tot_in;
> @@ -306,6 +307,18 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>
> data_in = kmap(pages_in[0]);
> tot_len = read_compress_length(data_in);
> + /*
> + * Compressed data header check.
> + *
> + * The real compressed size can't exceed extent length, and all pages
> + * should be used (a full pending page is not possible).
> + * If this happens it means the compressed extent is corrupted.
> + */
> + if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
> + tot_len < srclen - PAGE_SIZE) {
> + ret = -EUCLEAN;
> + goto done;
> + }
>
> tot_in = LZO_LEN;
> in_offset = LZO_LEN;
Just 1 line below here is:
tot_len = min_t(size_t, srclen, tot_len);
but this is not needed because always tot_len <= srclen, considered above if, right?
> @@ -320,6 +333,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> in_offset += LZO_LEN;
> tot_in += LZO_LEN;
>
> + /*
> + * Segment header check.
> + *
> + * The segment length must not exceed max lzo compression
> + * size, nor the total compressed size
> + */
> + if (in_len > max_segment_len || tot_in + in_len > tot_len) {
> + ret = -EUCLEAN;
> + goto done;
> + }
> +
> tot_in += in_len;
> working_bytes = in_len;
> may_late_unmap = need_unmap = false;
> @@ -370,7 +394,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> }
> }
>
> - out_len = lzo1x_worst_compress(PAGE_SIZE);
> + out_len = max_segment_len;
> ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
> &out_len);
> if (need_unmap)
> @@ -380,6 +404,15 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> ret = -EIO;
> break;
> }
> + /*
> + * Decompressed data length check.
> + * The uncompressed data should not exceed uncompressed extent
> + * size.
> + */
> + if (tot_out + out_len > cb->len) {
> + ret = -EUCLEAN;
> + break;
> + }
>
> buf_start = tot_out;
> tot_out += out_len;
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-24 2:09 ` Misono Tomohiro
@ 2018-05-24 4:01 ` Qu Wenruo
0 siblings, 0 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-24 4:01 UTC (permalink / raw)
To: Misono Tomohiro, Qu Wenruo, linux-btrfs
[-- Attachment #1.1: Type: text/plain, Size: 5117 bytes --]
On 2018年05月24日 10:09, Misono Tomohiro wrote:
> On 2018/05/23 17:23, Qu Wenruo wrote:
>> James Harvey reported that some corrupted compressed extent data can
>> lead to various kernel memory corruption.
>>
>> Such corrupted extent data belongs to inode with NODATASUM flags, thus
>> data csum won't help us detecting such bug.
>>
>> If lucky enough, kasan could catch it like:
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
>> Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
>>
>> CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>> Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
>> Call Trace:
>> dump_stack+0xc2/0x16b
>> print_address_description+0x6a/0x270
>> kasan_report+0x260/0x380
>> memcpy+0x34/0x50
>> lzo_decompress_bio+0x384/0x7a0 [btrfs]
>> end_compressed_bio_read+0x99f/0x10b0 [btrfs]
>> bio_endio+0x32e/0x640
>> normal_work_helper+0x15a/0xea0 [btrfs]
>> process_one_work+0x7e3/0x1470
>> worker_thread+0x1b0/0x1170
>> kthread+0x2db/0x390
>> ret_from_fork+0x22/0x40
>> ...
>> ==================================================================
>>
>> The offending compressed data has the following info:
>>
>> Header: length 32768 (Looks completely valid)
>> Segment 0 Header: length 3472882419 (Obvious out of bounds)
>>
>> Then when handling segment 0, since it's over the current page, we need
>> the compressed data to workspace, then such large size would trigger
>> out-of-bounds memory access, screwing up the whole kernel.
>>
>> Fix it by adding extra checks on header and segment headers to ensure we
>> won't access out-of-bounds, and even checks the decompressed data won't
>> be out-of-bounds.
>>
>> Reported-by: James Harvey <jamespharvey20@gmail.com>
>> Signed-off-by: Qu Wenruo <wqu@suse.com>
>> ---
>> fs/btrfs/lzo.c | 35 ++++++++++++++++++++++++++++++++++-
>> 1 file changed, 34 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
>> index ec5db393c758..4f4de460b08d 100644
>> --- a/fs/btrfs/lzo.c
>> +++ b/fs/btrfs/lzo.c
>> @@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> unsigned long working_bytes;
>> size_t in_len;
>> size_t out_len;
>> + size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
>> unsigned long in_offset;
>> unsigned long in_page_bytes_left;
>> unsigned long tot_in;
>> @@ -306,6 +307,18 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>>
>> data_in = kmap(pages_in[0]);
>> tot_len = read_compress_length(data_in);
>> + /*
>> + * Compressed data header check.
>> + *
>> + * The real compressed size can't exceed extent length, and all pages
>> + * should be used (a full pending page is not possible).
>> + * If this happens it means the compressed extent is corrupted.
>> + */
>> + if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
>> + tot_len < srclen - PAGE_SIZE) {
>> + ret = -EUCLEAN;
>> + goto done;
>> + }
>>
>> tot_in = LZO_LEN;
>> in_offset = LZO_LEN;
>
> Just 1 line below here is:
> tot_len = min_t(size_t, srclen, tot_len);
> but this is not needed because always tot_len <= srclen, considered above if, right?
Right, github version updated.
Thanks,
Qu
>
>> @@ -320,6 +333,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> in_offset += LZO_LEN;
>> tot_in += LZO_LEN;
>>
>> + /*
>> + * Segment header check.
>> + *
>> + * The segment length must not exceed max lzo compression
>> + * size, nor the total compressed size
>> + */
>> + if (in_len > max_segment_len || tot_in + in_len > tot_len) {
>> + ret = -EUCLEAN;
>> + goto done;
>> + }
>> +
>> tot_in += in_len;
>> working_bytes = in_len;
>> may_late_unmap = need_unmap = false;
>> @@ -370,7 +394,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> }
>> }
>>
>> - out_len = lzo1x_worst_compress(PAGE_SIZE);
>> + out_len = max_segment_len;
>> ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
>> &out_len);
>> if (need_unmap)
>> @@ -380,6 +404,15 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> ret = -EIO;
>> break;
>> }
>> + /*
>> + * Decompressed data length check.
>> + * The uncompressed data should not exceed uncompressed extent
>> + * size.
>> + */
>> + if (tot_out + out_len > cb->len) {
>> + ret = -EUCLEAN;
>> + break;
>> + }
>>
>> buf_start = tot_out;
>> tot_out += out_len;
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption.
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
` (3 preceding siblings ...)
2018-05-23 8:23 ` [PATCH v3 4/4] btrfs: lzo: Harden inline lzo compressed extent decompression Qu Wenruo
@ 2018-05-24 17:19 ` David Sterba
4 siblings, 0 replies; 13+ messages in thread
From: David Sterba @ 2018-05-24 17:19 UTC (permalink / raw)
To: Qu Wenruo; +Cc: linux-btrfs
On Wed, May 23, 2018 at 04:22:57PM +0800, Qu Wenruo wrote:
> James Harvey reported pretty strange kernel misbehavior where after
> reading certain btrfs compressed data, kernel crash with unrelated
> calltrace.
> (https://bugzilla.kernel.org/show_bug.cgi?id=199707 and
> https://www.spinics.net/lists/linux-btrfs/msg77971.html)
...
> Thanks for his comprehensive debug help, we located the problem to:
>
> v3:
> Fix comment error for inlined lzo compressed extent. (Still has
> header), thanks David for pointing this out.
> Add example ascii graph as an example.
> Enhance inlined extent check, as header length must match with segment
> header length + LZO_LEN * 2.
>
> Qu Wenruo (4):
> btrfs: compression: Add linux/sizes.h for compression.h
> btrfs: lzo: Add comment about the how btrfs records its lzo compressed
> data
> btrfs: lzo: Add header length check to avoid slab out of bounds access
> btrfs: lzo: Harden inline lzo compressed extent decompression
Thanks, added to misc-next. I left the wost compression estimate in the
local variable, only added a const to it. Zlib and zstd are using a
different compression container format but some of the check might apply
there too, I haven't looked closer.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
2018-05-24 2:09 ` Misono Tomohiro
@ 2018-05-29 8:30 ` Misono Tomohiro
2018-05-29 8:51 ` Qu Wenruo
2018-05-30 4:58 ` [PATCH v4 " Qu Wenruo
2 siblings, 1 reply; 13+ messages in thread
From: Misono Tomohiro @ 2018-05-29 8:30 UTC (permalink / raw)
To: Qu Wenruo, linux-btrfs
On 2018/05/23 17:23, Qu Wenruo wrote:
> James Harvey reported that some corrupted compressed extent data can
> lead to various kernel memory corruption.
>
> Such corrupted extent data belongs to inode with NODATASUM flags, thus
> data csum won't help us detecting such bug.
>
> If lucky enough, kasan could catch it like:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
> Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
>
> CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
> Call Trace:
> dump_stack+0xc2/0x16b
> print_address_description+0x6a/0x270
> kasan_report+0x260/0x380
> memcpy+0x34/0x50
> lzo_decompress_bio+0x384/0x7a0 [btrfs]
> end_compressed_bio_read+0x99f/0x10b0 [btrfs]
> bio_endio+0x32e/0x640
> normal_work_helper+0x15a/0xea0 [btrfs]
> process_one_work+0x7e3/0x1470
> worker_thread+0x1b0/0x1170
> kthread+0x2db/0x390
> ret_from_fork+0x22/0x40
> ...
> ==================================================================
>
> The offending compressed data has the following info:
>
> Header: length 32768 (Looks completely valid)
> Segment 0 Header: length 3472882419 (Obvious out of bounds)
>
> Then when handling segment 0, since it's over the current page, we need
> the compressed data to workspace, then such large size would trigger
> out-of-bounds memory access, screwing up the whole kernel.
>
> Fix it by adding extra checks on header and segment headers to ensure we
> won't access out-of-bounds, and even checks the decompressed data won't
> be out-of-bounds.
>
> Reported-by: James Harvey <jamespharvey20@gmail.com>
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> ---
> fs/btrfs/lzo.c | 35 ++++++++++++++++++++++++++++++++++-
> 1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
> index ec5db393c758..4f4de460b08d 100644
> --- a/fs/btrfs/lzo.c
> +++ b/fs/btrfs/lzo.c
> @@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> unsigned long working_bytes;
> size_t in_len;
> size_t out_len;
> + size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
> unsigned long in_offset;
> unsigned long in_page_bytes_left;
> unsigned long tot_in;
> @@ -306,6 +307,18 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>
> data_in = kmap(pages_in[0]);
> tot_len = read_compress_length(data_in);
> + /*
> + * Compressed data header check.
> + *
> + * The real compressed size can't exceed extent length, and all pages
> + * should be used (a full pending page is not possible).
> + * If this happens it means the compressed extent is corrupted.
> + */
> + if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
> + tot_len < srclen - PAGE_SIZE) {
> + ret = -EUCLEAN;
> + goto done;
> + }
>
> tot_in = LZO_LEN;
> in_offset = LZO_LEN;
> @@ -320,6 +333,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> in_offset += LZO_LEN;
> tot_in += LZO_LEN;
>
> + /*
> + * Segment header check.
> + *
> + * The segment length must not exceed max lzo compression
> + * size, nor the total compressed size
> + */
> + if (in_len > max_segment_len || tot_in + in_len > tot_len) {
> + ret = -EUCLEAN;
> + goto done;
> + }
> +
> tot_in += in_len;
> working_bytes = in_len;
> may_late_unmap = need_unmap = false;
> @@ -370,7 +394,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> }
> }
>
> - out_len = lzo1x_worst_compress(PAGE_SIZE);
> + out_len = max_segment_len;
> ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
> &out_len);
> if (need_unmap)
> @@ -380,6 +404,15 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> ret = -EIO;
> break;
> }
> + /*
> + * Decompressed data length check.
> + * The uncompressed data should not exceed uncompressed extent
> + * size.
> + */
> + if (tot_out + out_len > cb->len) {
> + ret = -EUCLEAN;
> + break;
> + }
I observed this part causes some failure of lzo related xfstests (038, 056, 103, 138).
It seems that when pages to be read start from middle of (shared) extents,
they needs to be decompressed from the beginning, and therefore (tot_out + out_len)
can exceeds cb->len.
Simplified version of btrfs/103 can be used to observe this:
=====
CLONER=/path/to/xfstest/src/cloner
mkfs.btrfs -fq $DEV
mount -o compress=lzo $DEV /mnt
# make 1 extent (skip 1st 4k)
xfs_io -f \
-c "pwrite -S 0xaa 4096 4096" \
-c "pwrite -S 0xbb 8192 4096" \
/mnt/bar > /dev/null 2>&1
# clone second half of above extent to beginning of the file
$CLONER -s 8192 -d 0 -l 4096 /mnt/foo /mnt/foo
umount /mnt
mount $DEV /mnt
# Input/Output error happens
od -t x1 /mnt/foo
=====
btrfs_decompress_buf2page() skips copy if decompressed region is not
a part of pages to be read. Also, it will copy at most bio->bi_iter.bi_size as code says:
(compression.c)
1183 bio_advance(bio, bytes);
1184 if (!bio->bi_iter.bi_size)
1185 return 0;
cb->len is set to bio->bi_iter.bi_size in btrfs_submit_compressed_read().
So, I think it is ok to remove above "if (tot_out + out_len > cb->len)".
Or, should other conditions be checked?
Thanks,
Tomohiro Misono
>
> buf_start = tot_out;
> tot_out += out_len;
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-29 8:30 ` Misono Tomohiro
@ 2018-05-29 8:51 ` Qu Wenruo
0 siblings, 0 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-29 8:51 UTC (permalink / raw)
To: Misono Tomohiro, linux-btrfs
[-- Attachment #1.1: Type: text/plain, Size: 6164 bytes --]
On 2018年05月29日 16:30, Misono Tomohiro wrote:
> On 2018/05/23 17:23, Qu Wenruo wrote:
>> James Harvey reported that some corrupted compressed extent data can
>> lead to various kernel memory corruption.
>>
>> Such corrupted extent data belongs to inode with NODATASUM flags, thus
>> data csum won't help us detecting such bug.
>>
>> If lucky enough, kasan could catch it like:
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
>> Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
>>
>> CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>> Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
>> Call Trace:
>> dump_stack+0xc2/0x16b
>> print_address_description+0x6a/0x270
>> kasan_report+0x260/0x380
>> memcpy+0x34/0x50
>> lzo_decompress_bio+0x384/0x7a0 [btrfs]
>> end_compressed_bio_read+0x99f/0x10b0 [btrfs]
>> bio_endio+0x32e/0x640
>> normal_work_helper+0x15a/0xea0 [btrfs]
>> process_one_work+0x7e3/0x1470
>> worker_thread+0x1b0/0x1170
>> kthread+0x2db/0x390
>> ret_from_fork+0x22/0x40
>> ...
>> ==================================================================
>>
>> The offending compressed data has the following info:
>>
>> Header: length 32768 (Looks completely valid)
>> Segment 0 Header: length 3472882419 (Obvious out of bounds)
>>
>> Then when handling segment 0, since it's over the current page, we need
>> the compressed data to workspace, then such large size would trigger
>> out-of-bounds memory access, screwing up the whole kernel.
>>
>> Fix it by adding extra checks on header and segment headers to ensure we
>> won't access out-of-bounds, and even checks the decompressed data won't
>> be out-of-bounds.
>>
>> Reported-by: James Harvey <jamespharvey20@gmail.com>
>> Signed-off-by: Qu Wenruo <wqu@suse.com>
>> ---
>> fs/btrfs/lzo.c | 35 ++++++++++++++++++++++++++++++++++-
>> 1 file changed, 34 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
>> index ec5db393c758..4f4de460b08d 100644
>> --- a/fs/btrfs/lzo.c
>> +++ b/fs/btrfs/lzo.c
>> @@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> unsigned long working_bytes;
>> size_t in_len;
>> size_t out_len;
>> + size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
>> unsigned long in_offset;
>> unsigned long in_page_bytes_left;
>> unsigned long tot_in;
>> @@ -306,6 +307,18 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>>
>> data_in = kmap(pages_in[0]);
>> tot_len = read_compress_length(data_in);
>> + /*
>> + * Compressed data header check.
>> + *
>> + * The real compressed size can't exceed extent length, and all pages
>> + * should be used (a full pending page is not possible).
>> + * If this happens it means the compressed extent is corrupted.
>> + */
>> + if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
>> + tot_len < srclen - PAGE_SIZE) {
>> + ret = -EUCLEAN;
>> + goto done;
>> + }
>>
>> tot_in = LZO_LEN;
>> in_offset = LZO_LEN;
>> @@ -320,6 +333,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> in_offset += LZO_LEN;
>> tot_in += LZO_LEN;
>>
>> + /*
>> + * Segment header check.
>> + *
>> + * The segment length must not exceed max lzo compression
>> + * size, nor the total compressed size
>> + */
>> + if (in_len > max_segment_len || tot_in + in_len > tot_len) {
>> + ret = -EUCLEAN;
>> + goto done;
>> + }
>> +
>> tot_in += in_len;
>> working_bytes = in_len;
>> may_late_unmap = need_unmap = false;
>> @@ -370,7 +394,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> }
>> }
>>
>> - out_len = lzo1x_worst_compress(PAGE_SIZE);
>> + out_len = max_segment_len;
>> ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
>> &out_len);
>> if (need_unmap)
>> @@ -380,6 +404,15 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>> ret = -EIO;
>> break;
>> }
>
>
>> + /*
>> + * Decompressed data length check.
>> + * The uncompressed data should not exceed uncompressed extent
>> + * size.
>> + */
>> + if (tot_out + out_len > cb->len) {
>> + ret = -EUCLEAN;
>> + break;
>> + }
>
> I observed this part causes some failure of lzo related xfstests (038, 056, 103, 138).
>
> It seems that when pages to be read start from middle of (shared) extents,
> they needs to be decompressed from the beginning, and therefore (tot_out + out_len)
> can exceeds cb->len.
>
> Simplified version of btrfs/103 can be used to observe this:
> =====
> CLONER=/path/to/xfstest/src/cloner
> mkfs.btrfs -fq $DEV
> mount -o compress=lzo $DEV /mnt
>
> # make 1 extent (skip 1st 4k)
> xfs_io -f \
> -c "pwrite -S 0xaa 4096 4096" \
> -c "pwrite -S 0xbb 8192 4096" \
> /mnt/bar > /dev/null 2>&1
> # clone second half of above extent to beginning of the file
> $CLONER -s 8192 -d 0 -l 4096 /mnt/foo /mnt/foo
>
> umount /mnt
> mount $DEV /mnt
>
> # Input/Output error happens
> od -t x1 /mnt/foo
> =====
>
> btrfs_decompress_buf2page() skips copy if decompressed region is not
> a part of pages to be read. Also, it will copy at most bio->bi_iter.bi_size as code says:
>
> (compression.c)
> 1183 bio_advance(bio, bytes);
> 1184 if (!bio->bi_iter.bi_size)
> 1185 return 0;
>
> cb->len is set to bio->bi_iter.bi_size in btrfs_submit_compressed_read().
>
> So, I think it is ok to remove above "if (tot_out + out_len > cb->len)".
> Or, should other conditions be checked?
Oh, right.
I just forgot that case.
I'll update the patch to fix it.
Thanks,
Qu
>
> Thanks,
> Tomohiro Misono
>
>>
>> buf_start = tot_out;
>> tot_out += out_len;
>>
>
>
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v4 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
2018-05-24 2:09 ` Misono Tomohiro
2018-05-29 8:30 ` Misono Tomohiro
@ 2018-05-30 4:58 ` Qu Wenruo
2018-05-30 5:14 ` Misono Tomohiro
2018-05-30 14:47 ` David Sterba
2 siblings, 2 replies; 13+ messages in thread
From: Qu Wenruo @ 2018-05-30 4:58 UTC (permalink / raw)
To: linux-btrfs
James Harvey reported that some corrupted compressed extent data can
lead to various kernel memory corruption.
Such corrupted extent data belongs to inode with NODATASUM flags, thus
data csum won't help us detecting such bug.
If lucky enough, kasan could catch it like:
==================================================================
BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
Call Trace:
dump_stack+0xc2/0x16b
print_address_description+0x6a/0x270
kasan_report+0x260/0x380
memcpy+0x34/0x50
lzo_decompress_bio+0x384/0x7a0 [btrfs]
end_compressed_bio_read+0x99f/0x10b0 [btrfs]
bio_endio+0x32e/0x640
normal_work_helper+0x15a/0xea0 [btrfs]
process_one_work+0x7e3/0x1470
worker_thread+0x1b0/0x1170
kthread+0x2db/0x390
ret_from_fork+0x22/0x40
...
==================================================================
The offending compressed data has the following info:
Header: length 32768 (Looks completely valid)
Segment 0 Header: length 3472882419 (Obvious out of bounds)
Then when handling segment 0, since it's over the current page, we need
the compressed data to workspace, then such large size would trigger
out-of-bounds memory access, screwing up the whole kernel.
Fix it by adding extra checks on header and segment headers to ensure we
won't access out-of-bounds, and even checks the decompressed data won't
be out-of-bounds.
Reported-by: James Harvey <jamespharvey20@gmail.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
changelog:
v3->v4:
Remove the incorrect decompression output length check.
For compressed extent with offset, its cb->len is no longer the full
uncompressed extent size.
For decompressed size check, it's alraedy done in
btrfs_decompress_buf2page(), thus we don't need this incorrect check
here. Thanks Misono for pointing this out.
---
fs/btrfs/lzo.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
index ec5db393c758..995a96b51b38 100644
--- a/fs/btrfs/lzo.c
+++ b/fs/btrfs/lzo.c
@@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
unsigned long working_bytes;
size_t in_len;
size_t out_len;
+ size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
unsigned long in_offset;
unsigned long in_page_bytes_left;
unsigned long tot_in;
@@ -306,10 +307,21 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
data_in = kmap(pages_in[0]);
tot_len = read_compress_length(data_in);
+ /*
+ * Compressed data header check.
+ *
+ * The real compressed size can't exceed extent length, and all pages
+ * should be used (a full pending page is not possible).
+ * If this happens it means the compressed extent is corrupted.
+ */
+ if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
+ tot_len < srclen - PAGE_SIZE) {
+ ret = -EUCLEAN;
+ goto done;
+ }
tot_in = LZO_LEN;
in_offset = LZO_LEN;
- tot_len = min_t(size_t, srclen, tot_len);
in_page_bytes_left = PAGE_SIZE - LZO_LEN;
tot_out = 0;
@@ -320,6 +332,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
in_offset += LZO_LEN;
tot_in += LZO_LEN;
+ /*
+ * Segment header check.
+ *
+ * The segment length must not exceed max lzo compression
+ * size, nor the total compressed size
+ */
+ if (in_len > max_segment_len || tot_in + in_len > tot_len) {
+ ret = -EUCLEAN;
+ goto done;
+ }
+
tot_in += in_len;
working_bytes = in_len;
may_late_unmap = need_unmap = false;
@@ -370,7 +393,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
}
}
- out_len = lzo1x_worst_compress(PAGE_SIZE);
+ out_len = max_segment_len;
ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
&out_len);
if (need_unmap)
--
2.17.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH v4 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-30 4:58 ` [PATCH v4 " Qu Wenruo
@ 2018-05-30 5:14 ` Misono Tomohiro
2018-05-30 14:47 ` David Sterba
1 sibling, 0 replies; 13+ messages in thread
From: Misono Tomohiro @ 2018-05-30 5:14 UTC (permalink / raw)
To: Qu Wenruo, linux-btrfs
Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Thanks,
Tomohiro Misono
On 2018/05/30 13:58, Qu Wenruo wrote:
> James Harvey reported that some corrupted compressed extent data can
> lead to various kernel memory corruption.
>
> Such corrupted extent data belongs to inode with NODATASUM flags, thus
> data csum won't help us detecting such bug.
>
> If lucky enough, kasan could catch it like:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in lzo_decompress_bio+0x384/0x7a0 [btrfs]
> Write of size 4096 at addr ffff8800606cb0f8 by task kworker/u16:0/2338
>
> CPU: 3 PID: 2338 Comm: kworker/u16:0 Tainted: G O 4.17.0-rc5-custom+ #50
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> Workqueue: btrfs-endio btrfs_endio_helper [btrfs]
> Call Trace:
> dump_stack+0xc2/0x16b
> print_address_description+0x6a/0x270
> kasan_report+0x260/0x380
> memcpy+0x34/0x50
> lzo_decompress_bio+0x384/0x7a0 [btrfs]
> end_compressed_bio_read+0x99f/0x10b0 [btrfs]
> bio_endio+0x32e/0x640
> normal_work_helper+0x15a/0xea0 [btrfs]
> process_one_work+0x7e3/0x1470
> worker_thread+0x1b0/0x1170
> kthread+0x2db/0x390
> ret_from_fork+0x22/0x40
> ...
> ==================================================================
>
> The offending compressed data has the following info:
>
> Header: length 32768 (Looks completely valid)
> Segment 0 Header: length 3472882419 (Obvious out of bounds)
>
> Then when handling segment 0, since it's over the current page, we need
> the compressed data to workspace, then such large size would trigger
> out-of-bounds memory access, screwing up the whole kernel.
>
> Fix it by adding extra checks on header and segment headers to ensure we
> won't access out-of-bounds, and even checks the decompressed data won't
> be out-of-bounds.
>
> Reported-by: James Harvey <jamespharvey20@gmail.com>
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> ---
> changelog:
> v3->v4:
> Remove the incorrect decompression output length check.
> For compressed extent with offset, its cb->len is no longer the full
> uncompressed extent size.
> For decompressed size check, it's alraedy done in
> btrfs_decompress_buf2page(), thus we don't need this incorrect check
> here. Thanks Misono for pointing this out.
> ---
> fs/btrfs/lzo.c | 27 +++++++++++++++++++++++++--
> 1 file changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c
> index ec5db393c758..995a96b51b38 100644
> --- a/fs/btrfs/lzo.c
> +++ b/fs/btrfs/lzo.c
> @@ -293,6 +293,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> unsigned long working_bytes;
> size_t in_len;
> size_t out_len;
> + size_t max_segment_len = lzo1x_worst_compress(PAGE_SIZE);
> unsigned long in_offset;
> unsigned long in_page_bytes_left;
> unsigned long tot_in;
> @@ -306,10 +307,21 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
>
> data_in = kmap(pages_in[0]);
> tot_len = read_compress_length(data_in);
> + /*
> + * Compressed data header check.
> + *
> + * The real compressed size can't exceed extent length, and all pages
> + * should be used (a full pending page is not possible).
> + * If this happens it means the compressed extent is corrupted.
> + */
> + if (tot_len > min_t(size_t, BTRFS_MAX_COMPRESSED, srclen) ||
> + tot_len < srclen - PAGE_SIZE) {
> + ret = -EUCLEAN;
> + goto done;
> + }
>
> tot_in = LZO_LEN;
> in_offset = LZO_LEN;
> - tot_len = min_t(size_t, srclen, tot_len);
> in_page_bytes_left = PAGE_SIZE - LZO_LEN;
>
> tot_out = 0;
> @@ -320,6 +332,17 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> in_offset += LZO_LEN;
> tot_in += LZO_LEN;
>
> + /*
> + * Segment header check.
> + *
> + * The segment length must not exceed max lzo compression
> + * size, nor the total compressed size
> + */
> + if (in_len > max_segment_len || tot_in + in_len > tot_len) {
> + ret = -EUCLEAN;
> + goto done;
> + }
> +
> tot_in += in_len;
> working_bytes = in_len;
> may_late_unmap = need_unmap = false;
> @@ -370,7 +393,7 @@ static int lzo_decompress_bio(struct list_head *ws, struct compressed_bio *cb)
> }
> }
>
> - out_len = lzo1x_worst_compress(PAGE_SIZE);
> + out_len = max_segment_len;
> ret = lzo1x_decompress_safe(buf, in_len, workspace->buf,
> &out_len);
> if (need_unmap)
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH v4 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access
2018-05-30 4:58 ` [PATCH v4 " Qu Wenruo
2018-05-30 5:14 ` Misono Tomohiro
@ 2018-05-30 14:47 ` David Sterba
1 sibling, 0 replies; 13+ messages in thread
From: David Sterba @ 2018-05-30 14:47 UTC (permalink / raw)
To: Qu Wenruo; +Cc: linux-btrfs
On Wed, May 30, 2018 at 12:58:24PM +0800, Qu Wenruo wrote:
>
> Reported-by: James Harvey <jamespharvey20@gmail.com>
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> ---
> changelog:
> v3->v4:
Patch replaced, thanks.
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2018-05-30 14:50 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-23 8:22 [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 1/4] btrfs: compression: Add linux/sizes.h for compression.h Qu Wenruo
2018-05-23 8:22 ` [PATCH v3 2/4] btrfs: lzo: Add comment about the how btrfs records its lzo compressed data Qu Wenruo
2018-05-23 8:23 ` [PATCH v3 3/4] btrfs: lzo: Add header length check to avoid slab out of bounds access Qu Wenruo
2018-05-24 2:09 ` Misono Tomohiro
2018-05-24 4:01 ` Qu Wenruo
2018-05-29 8:30 ` Misono Tomohiro
2018-05-29 8:51 ` Qu Wenruo
2018-05-30 4:58 ` [PATCH v4 " Qu Wenruo
2018-05-30 5:14 ` Misono Tomohiro
2018-05-30 14:47 ` David Sterba
2018-05-23 8:23 ` [PATCH v3 4/4] btrfs: lzo: Harden inline lzo compressed extent decompression Qu Wenruo
2018-05-24 17:19 ` [PATCH v3 0/4] btrfs: lzo: Harden decompression callers to avoid kernel memory corruption David Sterba
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.