From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Andrew Price, syzbot+dcf33a7aae997956fe06@syzkaller.appspotmail.com, Andreas Gruenbacher, Sasha Levin, rpeterso@redhat.com, cluster-devel@redhat.com
Subject: [PATCH AUTOSEL 5.4 06/13] gfs2: Check sb_bsize_shift after reading superblock
Date: Mon, 17 Oct 2022 20:10:55 -0400
Message-Id: <20221018001102.2731930-6-sashal@kernel.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20221018001102.2731930-1-sashal@kernel.org>
References: <20221018001102.2731930-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Andrew Price

[ Upstream commit 670f8ce56dd0632dc29a0322e188cc73ce3c6b92 ]

Fuzzers like to scribble over sb_bsize_shift but in reality it's very
unlikely that this field would be corrupted on its own. Nevertheless it
should be checked to avoid the possibility of messy mount errors due to
bad calculations. It's always a fixed value based on the block size so
we can just check that it's the expected value.

Tested with:

    mkfs.gfs2 -O -p lock_nolock /dev/vdb
    for i in 0 -1 64 65 32 33; do
        gfs2_edit -p sb field sb_bsize_shift $i /dev/vdb
        mount /dev/vdb /mnt/test && umount /mnt/test
    done

Before this patch we get a withdraw after

[ 76.413681] gfs2: fsid=loop0.0: fatal: invalid metadata block
[ 76.413681]   bh = 19 (type: exp=5, found=4)
[ 76.413681]   function = gfs2_meta_buffer, file = fs/gfs2/meta_io.c, line = 492

and with UBSAN configured we also get complaints like

[ 76.373395] UBSAN: shift-out-of-bounds in fs/gfs2/ops_fstype.c:295:19
[ 76.373815] shift exponent 4294967287 is too large for 64-bit type 'long unsigned int'

After the patch, these complaints don't appear, mount fails immediately
and we get an explanation in dmesg.

Reported-by: syzbot+dcf33a7aae997956fe06@syzkaller.appspotmail.com
Signed-off-by: Andrew Price
Signed-off-by: Andreas Gruenbacher
Signed-off-by: Sasha Levin
---
 fs/gfs2/ops_fstype.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 2841134f7812..2112ff7a0172 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -180,7 +180,10 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent)
 		pr_warn("Invalid superblock size\n");
 		return -EINVAL;
 	}
-
+	if (sb->sb_bsize_shift != ffs(sb->sb_bsize) - 1) {
+		pr_warn("Invalid block size shift\n");
+		return -EINVAL;
+	}
 	return 0;
 }
 
-- 
2.35.1
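Review bot: the new comparison against ffs(sb->sb_bsize) - 1 is only a real log2 check if sb_bsize is already known to be a power of two, because ffs() reports the lowest set bit, not the highest; that guarantee has to come from the preceding "Invalid superblock size" check, whose condition is outside the visible context, so please confirm it rejects non-power-of-two sizes, or add a one-line comment above the new if stating that dependency. Minor: like the existing pr_warn just above it, the new message does not honour the silent argument of gfs2_check_sb(); consistent with the surrounding code, but worth a note if silent mounts are expected to stay quiet.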
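To show why the patch rejects the values the commit log tests, here is an added stand-alone model of the two superblock checks (example code written for this page, not gfs2's own code). The struct, the 4096-byte cap standing in for PAGE_SIZE, and the derived shift of sb_bsize_shift minus 9 (the 512-byte basic-block shift, which reproduces the 4294967287 exponent from the UBSAN report when sb_bsize_shift is 0) are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <strings.h>   /* ffs() */

/* Constructed stand-in for the two on-disk fields the patch validates. */
struct sb_fields {
	uint32_t sb_bsize;        /* filesystem block size in bytes */
	uint32_t sb_bsize_shift;  /* must equal log2(sb_bsize) */
};

#define BASIC_BLOCK_SHIFT 9   /* 512-byte basic block (assumption for the derived shift) */
#define MAX_BSIZE 4096        /* stands in for PAGE_SIZE in this example */

/* Same order as gfs2_check_sb(): size range and power-of-two first, then the
 * shift. ffs() gives the lowest set bit, so the shift check is only a true
 * log2 check once sb_bsize is known to be a power of two. */
int check_sb(const struct sb_fields *sb)
{
	if (sb->sb_bsize < 512 || sb->sb_bsize > MAX_BSIZE ||
	    (sb->sb_bsize & (sb->sb_bsize - 1)))
		return -EINVAL;              /* "Invalid superblock size" */
	if (sb->sb_bsize_shift != (uint32_t)(ffs((int)sb->sb_bsize) - 1))
		return -EINVAL;              /* "Invalid block size shift" (the new check) */
	return 0;
}

/* Modelled derived shift used later in mount: with an unchecked
 * sb_bsize_shift of 0 it wraps to 4294967287, a shift exponent far beyond
 * the width of unsigned long, which is what UBSAN flagged. */
uint32_t fsb2bb_shift(const struct sb_fields *sb)
{
	return sb->sb_bsize_shift - BASIC_BLOCK_SHIFT;
}

int main(void)
{
	struct sb_fields good = { 4096, 12 };
	/* the six values the commit log writes with gfs2_edit */
	uint32_t bad[] = { 0, (uint32_t)-1, 64, 65, 32, 33 };
	printf("4096/12: check=%d\n", check_sb(&good));
	for (unsigned i = 0; i < sizeof bad / sizeof bad[0]; i++) {
		struct sb_fields sb = { 4096, bad[i] };
		printf("4096/%u: check=%d derived_shift=%u\n",
		       bad[i], check_sb(&sb), fsb2bb_shift(&sb));
	}
	return 0;
}
```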