* [PATCH] fscache: Fix cookie key uninit mem / out of bound read
@ 2018-09-06 15:31 Eric Sandeen
2018-09-25 19:25 ` Eric Sandeen
0 siblings, 1 reply; 2+ messages in thread
From: Eric Sandeen @ 2018-09-06 15:31 UTC (permalink / raw)
To: fsdevel; +Cc: David Howells
fscache_set_key() seems to have 2 issues related to the memory
read for hashing in fscache_set_key.
The first reported was a KASAN error,
BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615
also reported by syzbot at https://lkml.org/lkml/2018/7/8/236
BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
This happens for any index_key_len which is not divisible by 4, and is
larger than the size of the inline key, because the code allocates exactly
index_key_len for the key buffer, but the hashing loop is stepping through
it 4 bytes (u32) at a time in the buf[] array.
When looking over this, it also appears that the inline key is
insufficiently initialized, zeroing only 3 of the 4 slots. Hence
an index_key_len between 13 and 15 bytes will end up hashing uninitialized
memory because the memcpy only partially fills the last buf[] element.
Fix this by calculating how many u32 buffers we'll need by using
DIV_ROUND_UP, and memset them all to zero before copying in the index_key,
then using that same count as the hashing index limit.
Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---
nb: compile-tested only, sorry.
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
index 83bfe04..bc74ae3 100644
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -83,7 +83,7 @@ void fscache_cookie_init_once(void *_cookie)
}
/*
- * Set the index key in a cookie. The cookie struct has space for a 12-byte
+ * Set the index key in a cookie. The cookie struct has space for a 16-byte
* key plus length and hash, but if that's not big enough, it's instead a
* pointer to a buffer containing 3 bytes of hash, 1 byte of length and then
* the key data.
@@ -93,22 +93,22 @@ static int fscache_set_key(struct fscache_cookie *cookie,
{
unsigned long long h;
u32 *buf;
+ int bufs;
int i;
cookie->key_len = index_key_len;
+ bufs = DIV_ROUND_UP(index_key_len, sizeof(*buf));
if (index_key_len > sizeof(cookie->inline_key)) {
- buf = kzalloc(index_key_len, GFP_KERNEL);
+ buf = kmalloc_array(bufs, sizeof(*buf), GFP_KERNEL);
if (!buf)
return -ENOMEM;
cookie->key = buf;
} else {
buf = (u32 *)cookie->inline_key;
- buf[0] = 0;
- buf[1] = 0;
- buf[2] = 0;
}
+ memset(buf, 0, bufs * sizeof(*buf));
memcpy(buf, index_key, index_key_len);
/* Calculate a hash and combine this with the length in the first word
@@ -116,7 +116,8 @@ static int fscache_set_key(struct fscache_cookie *cookie,
*/
h = (unsigned long)cookie->parent;
h += index_key_len + cookie->type;
- for (i = 0; i < (index_key_len + sizeof(u32) - 1) / sizeof(u32); i++)
+
+ for (i = 0; i < bufs; i++)
h += buf[i];
cookie->key_hash = h ^ (h >> 32);
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] fscache: Fix cookie key uninit mem / out of bound read
2018-09-06 15:31 [PATCH] fscache: Fix cookie key uninit mem / out of bound read Eric Sandeen
@ 2018-09-25 19:25 ` Eric Sandeen
0 siblings, 0 replies; 2+ messages in thread
From: Eric Sandeen @ 2018-09-25 19:25 UTC (permalink / raw)
To: Eric Sandeen, fsdevel; +Cc: David Howells
On 9/6/18 10:31 AM, Eric Sandeen wrote:
> fscache_set_key() seems to have 2 issues related to the memory
> read for hashing in fscache_set_key.
>
> The first reported was a KASAN error,
>
> BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
> Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615
>
> also reported by syzbot at https://lkml.org/lkml/2018/7/8/236
>
> BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
> BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
> Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
>
> This happens for any index_key_len which is not divisible by 4, and is
> larger than the size of the inline key, because the code allocates exactly
> index_key_len for the key buffer, but the hashing loop is stepping through
> it 4 bytes (u32) at a time in the buf[] array.
>
> When looking over this, it also appears that the inline key is
> insufficiently initialized, zeroing only 3 of the 4 slots. Hence
> an index_key_len between 13 and 15 bytes will end up hashing uninitialized
> memory because the memcpy only partially fills the last buf[] element.
>
> Fix this by calculating how many u32 buffers we'll need by using
> DIV_ROUND_UP, and memset them all to zero before copying in the index_key,
> then using that same count as the hashing index limit.
>
> Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> ---
Seems like a real bug to me. Any thoughts?
-Eric
> nb: compile-tested only, sorry.
>
> diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
> index 83bfe04..bc74ae3 100644
> --- a/fs/fscache/cookie.c
> +++ b/fs/fscache/cookie.c
> @@ -83,7 +83,7 @@ void fscache_cookie_init_once(void *_cookie)
> }
>
> /*
> - * Set the index key in a cookie. The cookie struct has space for a 12-byte
> + * Set the index key in a cookie. The cookie struct has space for a 16-byte
> * key plus length and hash, but if that's not big enough, it's instead a
> * pointer to a buffer containing 3 bytes of hash, 1 byte of length and then
> * the key data.
> @@ -93,22 +93,22 @@ static int fscache_set_key(struct fscache_cookie *cookie,
> {
> unsigned long long h;
> u32 *buf;
> + int bufs;
> int i;
>
> cookie->key_len = index_key_len;
> + bufs = DIV_ROUND_UP(index_key_len, sizeof(*buf));
>
> if (index_key_len > sizeof(cookie->inline_key)) {
> - buf = kzalloc(index_key_len, GFP_KERNEL);
> + buf = kmalloc_array(bufs, sizeof(*buf), GFP_KERNEL);
> if (!buf)
> return -ENOMEM;
> cookie->key = buf;
> } else {
> buf = (u32 *)cookie->inline_key;
> - buf[0] = 0;
> - buf[1] = 0;
> - buf[2] = 0;
> }
>
> + memset(buf, 0, bufs * sizeof(*buf));
> memcpy(buf, index_key, index_key_len);
>
> /* Calculate a hash and combine this with the length in the first word
> @@ -116,7 +116,8 @@ static int fscache_set_key(struct fscache_cookie *cookie,
> */
> h = (unsigned long)cookie->parent;
> h += index_key_len + cookie->type;
> - for (i = 0; i < (index_key_len + sizeof(u32) - 1) / sizeof(u32); i++)
> +
> + for (i = 0; i < bufs; i++)
> h += buf[i];
>
> cookie->key_hash = h ^ (h >> 32);
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-09-26 1:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-06 15:31 [PATCH] fscache: Fix cookie key uninit mem / out of bound read Eric Sandeen
2018-09-25 19:25 ` Eric Sandeen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).