From: Hawkins Jiawei <yin31149@gmail.com>
To: syzbot+ffe24b1afbc4cb5ae8fb@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
linux-kernel-mentees@lists.linuxfoundation.org,
yin31149@gmail.com, 18801353760@163.com, paskripkin@gmail.com,
skhan@linuxfoundation.org
Subject: [PATCH] reiserfs: add check in search_by_entry_key()
Date: Wed, 17 Aug 2022 16:55:11 +0800 [thread overview]
Message-ID: <20220817085512.75936-1-yin31149@gmail.com> (raw)
In-Reply-To: <000000000000bcbb0205e13dc53a@google.com>
Syzkaller reports use-after-free Read as follows:
------------[ cut here ]------------
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
Read of size 4 at addr ffff8880715ee014 by task syz-executor352/3611
CPU: 0 PID: 3611 Comm: syz-executor352 Not tainted 5.19.0-rc1-syzkaller-00263-g1c27f1fc1549 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322
reiserfs_find_entry fs/reiserfs/namei.c:368 [inline]
reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368
__lookup_slow+0x24c/0x480 fs/namei.c:1701
lookup_one_len+0x16a/0x1a0 fs/namei.c:2730
reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980
reiserfs_fill_super+0x21bb/0x2fb0 fs/reiserfs/super.c:2176
mount_bdev+0x34d/0x410 fs/super.c:1367
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001c57b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x715ee
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c57bc8 ffff8880b9a403c0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
Memory state around the buggy address:
ffff8880715edf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880715edf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880715ee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880715ee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880715ee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
The root cause is that the value of rbound in bin_search_in_dir_item()
is out of bounds.
To be more specific, struct buffer_head's b_data field
contains the directory entry headers array, according to
set_de_item_location(). So the array's length should be less
than the size of b_data, or it may access the invalid memory.
This patch solves it by comparing the array's size with b_data's size.
Reported-by: syzbot+ffe24b1afbc4cb5ae8fb@syzkaller.appspotmail.com
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
---
fs/reiserfs/namei.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 3d7a35d6a18b..c4c056ffafde 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -33,7 +33,11 @@ static int bin_search_in_dir_item(struct reiserfs_dir_entry *de, loff_t off)
int rbound, lbound, j;
lbound = 0;
- rbound = ih_entry_count(ih) - 1;
+ if (ih_location(ih) + ih_entry_count(ih) * IH_SIZE >=
+ de->de_bh->b_size)
+ rbound = (de->de_bh->b_size - ih_location(ih)) / IH_SIZE - 1;
+ else
+ rbound = ih_entry_count(ih) - 1;
for (j = (rbound + lbound) / 2; lbound <= rbound;
j = (rbound + lbound) / 2) {
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Hawkins Jiawei <yin31149@gmail.com>
To: syzbot+ffe24b1afbc4cb5ae8fb@syzkaller.appspotmail.com
Cc: paskripkin@gmail.com, syzkaller-bugs@googlegroups.com,
linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org,
yin31149@gmail.com,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH] reiserfs: add check in search_by_entry_key()
Date: Wed, 17 Aug 2022 16:55:11 +0800 [thread overview]
Message-ID: <20220817085512.75936-1-yin31149@gmail.com> (raw)
In-Reply-To: <000000000000bcbb0205e13dc53a@google.com>
Syzkaller reports use-after-free Read as follows:
------------[ cut here ]------------
BUG: KASAN: use-after-free in bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
BUG: KASAN: use-after-free in search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
Read of size 4 at addr ffff8880715ee014 by task syz-executor352/3611
CPU: 0 PID: 3611 Comm: syz-executor352 Not tainted 5.19.0-rc1-syzkaller-00263-g1c27f1fc1549 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
bin_search_in_dir_item fs/reiserfs/namei.c:40 [inline]
search_by_entry_key+0x81f/0x960 fs/reiserfs/namei.c:165
reiserfs_find_entry.part.0+0x139/0xdf0 fs/reiserfs/namei.c:322
reiserfs_find_entry fs/reiserfs/namei.c:368 [inline]
reiserfs_lookup+0x24a/0x490 fs/reiserfs/namei.c:368
__lookup_slow+0x24c/0x480 fs/namei.c:1701
lookup_one_len+0x16a/0x1a0 fs/namei.c:2730
reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:980
reiserfs_fill_super+0x21bb/0x2fb0 fs/reiserfs/super.c:2176
mount_bdev+0x34d/0x410 fs/super.c:1367
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001c57b80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x715ee
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c57bc8 ffff8880b9a403c0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
Memory state around the buggy address:
ffff8880715edf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880715edf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880715ee000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880715ee080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880715ee100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
The root cause is that the value of rbound in bin_search_in_dir_item()
is out of bounds.
To be more specific, struct buffer_head's b_data field
contains the directory entry headers array, according to
set_de_item_location(). So the array's length should be less
than the size of b_data, or it may access the invalid memory.
This patch solves it by comparing the array's size with b_data's size.
Reported-by: syzbot+ffe24b1afbc4cb5ae8fb@syzkaller.appspotmail.com
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
---
fs/reiserfs/namei.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index 3d7a35d6a18b..c4c056ffafde 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -33,7 +33,11 @@ static int bin_search_in_dir_item(struct reiserfs_dir_entry *de, loff_t off)
int rbound, lbound, j;
lbound = 0;
- rbound = ih_entry_count(ih) - 1;
+ if (ih_location(ih) + ih_entry_count(ih) * IH_SIZE >=
+ de->de_bh->b_size)
+ rbound = (de->de_bh->b_size - ih_location(ih)) / IH_SIZE - 1;
+ else
+ rbound = ih_entry_count(ih) - 1;
for (j = (rbound + lbound) / 2; lbound <= rbound;
j = (rbound + lbound) / 2) {
--
2.25.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2022-08-17 8:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-12 10:38 [syzbot] KASAN: use-after-free Read in search_by_entry_key (2) syzbot
2022-08-17 8:55 ` Hawkins Jiawei [this message]
2022-08-17 8:55 ` [PATCH] reiserfs: add check in search_by_entry_key() Hawkins Jiawei
2022-08-17 16:10 ` [PATCH v2] reiserfs: add check in bin_search_in_dir_item() Hawkins Jiawei
2022-08-17 16:10 ` Hawkins Jiawei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220817085512.75936-1-yin31149@gmail.com \
--to=yin31149@gmail.com \
--cc=18801353760@163.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paskripkin@gmail.com \
--cc=reiserfs-devel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+ffe24b1afbc4cb5ae8fb@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.