From: Chao Yu
To: jaegeuk@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, Chao Yu, stable@vger.kernel.org, Wenqing Liu
Subject: [PATCH v3] f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
Date: Sun, 12 Dec 2021 17:16:30 +0800
Message-Id: <20211212091630.6325-1-chao@kernel.org>

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215235

- Overview
page fault in f2fs_setxattr() when mount and operate on corrupted image

- Reproduce
tested on kernel 5.16-rc3, 5.15.X under root

1. unzip tmp7.zip
2. ./single.sh f2fs 7

Sometimes need to run the script several times

- Kernel dump
loop0: detected capacity change from 0 to 131072
F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
BUG: unable to handle page fault for address: ffffe47bc7123f48
RIP: 0010:kfree+0x66/0x320
Call Trace:
 __f2fs_setxattr+0x2aa/0xc00 [f2fs]
 f2fs_setxattr+0xfa/0x480 [f2fs]
 __f2fs_set_acl+0x19b/0x330 [f2fs]
 __vfs_removexattr+0x52/0x70
 __vfs_removexattr_locked+0xb1/0x140
 vfs_removexattr+0x56/0x100
 removexattr+0x57/0x80
 path_removexattr+0xa3/0xc0
 __x64_sys_removexattr+0x17/0x20
 do_syscall_64+0x37/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The root cause is in __f2fs_setxattr(), we missed to do sanity check on
last xattr entry, result in out-of-bound memory access during updating
inconsistent xattr data of target inode.

After the fix, it can detect such xattr inconsistency as below:

F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
F2FS-fs (loop11): inode (8) has corrupted xattr
F2FS-fs (loop11): inode (8) has corrupted xattr
F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736

Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu
Signed-off-by: Chao Yu
---
v3:
- fix compile warning:
warning: format ‘%u’ expects argument of type ‘unsigned int’, but argument 4 has type ‘long unsigned int’ [-Wformat=]
 fs/f2fs/xattr.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index e348f33bcb2b..797ac505a075 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c 
@@ -684,8 +684,17 @@ static int __f2fs_setxattr(struct inode *inode, int index, } last = here; - while (!IS_XATTR_LAST_ENTRY(last)) + while (!IS_XATTR_LAST_ENTRY(last)) { + if ((void *)(last) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) { + f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu", + inode->i_ino, ENTRY_SIZE(last)); + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK); + error = -EFSCORRUPTED; + goto exit; + } last = XATTR_NEXT_ENTRY(last); + } newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size); -- 2.32.0
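
Review bot: in the hunk at -684,8 +684,17 of fs/f2fs/xattr.c the bounds check sits inside the loop body, so `IS_XATTR_LAST_ENTRY(last)` in the `while` condition has already read `last` before `(void *)(last) + sizeof(__u32) > last_base_addr` is tested. Both comparisons use `>`, so an entry whose `XATTR_NEXT_ENTRY(last)` equals `last_base_addr` passes, and the next loop test then reads at `last_base_addr` itself. That is only safe if the xattr buffer has at least `sizeof(__u32)` readable bytes past `last_base_addr`; please either add a comment stating that invariant next to the check or test the bound before the loop condition dereferences `last`. Separately, the error path passes `ENTRY_SIZE(last)` to `f2fs_err()` for the entry that just failed validation, so the logged entry_size is computed from corrupted on-disk bytes and is diagnostic only; a short comment saying so would help whoever reads these logs later.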