From: Salvatore Bonaccorso <carnil@debian.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	Wenqing Liu <wenqingliu0120@gmail.com>, Chao Yu <chao@kernel.org>,
	Jaegeuk Kim <jaegeuk@kernel.org>
Subject: Re: [PATCH 5.10 60/76] f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
Date: Mon, 3 Jan 2022 22:11:18 +0100
Message-ID: <YdNmdhsKS5ZWHOlB@eldamar.lan>
In-Reply-To: <20211227151326.779679392@linuxfoundation.org>

Hi,

On Mon, Dec 27, 2021 at 04:31:15PM +0100, Greg Kroah-Hartman wrote:
> From: Chao Yu <chao@kernel.org>
> 
> commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream.
> 
> As Wenqing Liu reported in bugzilla:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=215235
> 
> - Overview
> page fault in f2fs_setxattr() when mount and operate on corrupted image
> 
> - Reproduce
> tested on kernel 5.16-rc3, 5.15.X under root
> 
> 1. unzip tmp7.zip
> 2. ./single.sh f2fs 7
> 
> Sometimes need to run the script several times
> 
> - Kernel dump
> loop0: detected capacity change from 0 to 131072
> F2FS-fs (loop0): Found nat_bits in checkpoint
> F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
> BUG: unable to handle page fault for address: ffffe47bc7123f48
> RIP: 0010:kfree+0x66/0x320
> Call Trace:
>  __f2fs_setxattr+0x2aa/0xc00 [f2fs]
>  f2fs_setxattr+0xfa/0x480 [f2fs]
>  __f2fs_set_acl+0x19b/0x330 [f2fs]
>  __vfs_removexattr+0x52/0x70
>  __vfs_removexattr_locked+0xb1/0x140
>  vfs_removexattr+0x56/0x100
>  removexattr+0x57/0x80
>  path_removexattr+0xa3/0xc0
>  __x64_sys_removexattr+0x17/0x20
>  do_syscall_64+0x37/0xb0
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> The root cause is in __f2fs_setxattr(): we missed doing a sanity check on
> the last xattr entry, resulting in out-of-bound memory access while updating
> inconsistent xattr data of the target inode.
> 
> After the fix, it can detect such xattr inconsistency as below:
> 
> F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
> F2FS-fs (loop11): inode (8) has corrupted xattr
> F2FS-fs (loop11): inode (8) has corrupted xattr
> F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
> 
> Cc: stable@vger.kernel.org
> Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
> Signed-off-by: Chao Yu <chao@kernel.org>
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  fs/f2fs/xattr.c |   11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> --- a/fs/f2fs/xattr.c
> +++ b/fs/f2fs/xattr.c
> @@ -680,8 +680,17 @@ static int __f2fs_setxattr(struct inode
>  	}
>  
>  	last = here;
> -	while (!IS_XATTR_LAST_ENTRY(last))
> +	while (!IS_XATTR_LAST_ENTRY(last)) {
> +		if ((void *)(last) + sizeof(__u32) > last_base_addr ||
> +			(void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
> +			f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu",
> +					inode->i_ino, ENTRY_SIZE(last));
> +			set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> +			error = -EFSCORRUPTED;
> +			goto exit;
> +		}
>  		last = XATTR_NEXT_ENTRY(last);
> +	}
>  
>  	newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
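Review bot: the bound on `last` is tested one read too late: the loop condition `while (!IS_XATTR_LAST_ENTRY(last))` inspects `last` before the body reaches `(void *)(last) + sizeof(__u32) > last_base_addr`, so on every iteration the entry's first word is read before the check confirms those bytes lie inside the region. Consider testing the bound before the last-entry test, e.g. `for (;;) { if ((void *)last + sizeof(__u32) > last_base_addr || (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) { ... goto exit; } if (IS_XATTR_LAST_ENTRY(last)) break; last = XATTR_NEXT_ENTRY(last); }`. Whether the early read is reachable depends on the slack in the buffer behind `last_base_addr`, which this hunk does not show, but ordering the check first removes the question; the `exit` label and `error` variable are assumed to be the function's existing cleanup path, as the hunk reuses them without defining them.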

It looks like this commit, while it was applied to several stable series
(TTBOMK in 5.15.12, 5.10.89, 5.4.169, 4.19.223 and 4.14.260), is still
missing from mainline. Chao, or anyone else, do you know what happened
here?

Regards,
Salvatore
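The quoted commit message attributes the crash to walking the xattr entry list without bounding each entry against the end of the region, and the hunk adds two conditions per entry (the terminator word must fit, and the computed successor must not pass `last_base_addr`). The following is an added, stand-alone illustration of that walk over constructed buffers; it is not f2fs code and not part of this thread. It assumes a simplified, hypothetical entry header (`struct xentry`: index byte, name length, 16-bit value size, name bytes following) rather than the real f2fs on-disk layout and byte order, a zeroed 32-bit word as the list terminator, and Linux's mapping of EFSCORRUPTED to EUCLEAN (117). It compares offsets rather than raw pointers so that no out-of-bounds pointer is ever formed, and it checks the terminator read before performing it; both are the example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entry header modelled loosely on an xattr entry: index byte,
 * name length, value size, then the name bytes in memory. The real f2fs
 * layout and byte order differ; this is a constructed stand-in. */
struct xentry {
    uint8_t  e_name_index;
    uint8_t  e_name_len;
    uint16_t e_value_size;
};

#define EFSCORRUPTED 117   /* Linux maps EFSCORRUPTED to EUCLEAN (117) */

static size_t xattr_align(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* Entry size: header + name + value, rounded up to 4 bytes (as ENTRY_SIZE). */
static size_t entry_size(const struct xentry *e)
{
    return xattr_align(sizeof *e + e->e_name_len + e->e_value_size);
}

/* The list ends at a zeroed 32-bit word (as IS_XATTR_LAST_ENTRY). */
static int is_last_entry(const unsigned char *p)
{
    uint32_t w;
    memcpy(&w, p, sizeof w);
    return w == 0;
}

/* Walk the entries inside [base, base + region_len) without touching bytes
 * beyond it. Returns the entry count, or -EFSCORRUPTED when the terminator
 * word or an entry's computed successor would fall outside the region. */
int count_entries_checked(const unsigned char *base, size_t region_len)
{
    size_t off = 0;
    int n = 0;

    for (;;) {
        /* Bound the 4-byte terminator read before performing it. */
        if (off + sizeof(uint32_t) > region_len)
            return -EFSCORRUPTED;
        if (is_last_entry(base + off))
            return n;
        /* Bound the whole entry before stepping to its successor. */
        const struct xentry *e = (const struct xentry *)(base + off);
        if (entry_size(e) > region_len - off)
            return -EFSCORRUPTED;
        off += entry_size(e);
        n++;
    }
}

/* Test helper: append one entry at *off; returns 0, or -1 if it does not fit. */
static int put_entry(unsigned char *buf, size_t cap, size_t *off,
                     uint8_t index, const char *name, uint16_t value_size)
{
    struct xentry hdr = { index, (uint8_t)strlen(name), value_size };
    size_t need = entry_size(&hdr);

    if (need > cap - *off)
        return -1;
    memset(buf + *off, 0, need);
    memcpy(buf + *off, &hdr, sizeof hdr);
    memcpy(buf + *off + sizeof hdr, name, hdr.e_name_len);
    *off += need;
    return 0;
}

/* Well-formed region: two entries followed by the zero terminator. */
int demo_valid_region(void)
{
    unsigned char buf[64] = {0};   /* zero fill doubles as the terminator */
    size_t off = 0;

    put_entry(buf, sizeof buf, &off, 1, "user.a", 5);
    put_entry(buf, sizeof buf, &off, 2, "user.bb", 8);
    return count_entries_checked(buf, sizeof buf);
}

/* Constructed corruption: the second entry's value size is overwritten with
 * a huge number, so its successor would begin far beyond the region. */
int demo_oversized_entry(void)
{
    unsigned char buf[64] = {0};
    size_t off = 0, second;
    uint16_t bogus = 60000;

    put_entry(buf, sizeof buf, &off, 1, "user.a", 5);
    second = off;
    put_entry(buf, sizeof buf, &off, 2, "user.bb", 8);
    memcpy(buf + second + offsetof(struct xentry, e_value_size), &bogus, sizeof bogus);
    return count_entries_checked(buf, sizeof buf);
}

/* Constructed corruption: the region ends right after the last entry, so the
 * terminator word the walk expects is not inside it. */
int demo_missing_terminator(void)
{
    unsigned char buf[64] = {0};
    size_t off = 0;

    put_entry(buf, sizeof buf, &off, 1, "user.a", 5);
    put_entry(buf, sizeof buf, &off, 2, "user.bb", 8);
    return count_entries_checked(buf, off);
}

int main(void)
{
    printf("valid region: %d entries\n", demo_valid_region());
    printf("oversized entry: %d\n", demo_oversized_entry());
    printf("missing terminator: %d\n", demo_missing_terminator());
    return 0;
}
```

The two corrupted buffers exercise the two conditions separately: the oversized value size trips the successor bound, and the truncated region trips the terminator bound. A walk without these checks would compute an entry address past the buffer on the first case and read past it on the second, which is the failure mode the quoted dump shows.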
