In gfs2_read_sb(), if the condition (d != sdp->sd_heightsize[x - 1] || m) isn't satisfied (in the first 11 iterations), the loop continues, and begins to perform out-of-bounds access. Fix this out-of-bounds access by introducing a condition in the for loop that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are accessed. In addition to this, if the above condition is satisfied when x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks out of the loop, then an out-of-bounds access is performed again while assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would fail. Fix this out-of-bounds access and ensure that the assertion doesn't fail by introducing another variable "index", which keeps track of the last valid value of x (pre-increment) that can be used. Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> --- I have one question here (potentially a place where I suspect this patch could have a fatal flaw and might need some rework). sdp->sd_max_height = x; sdp->sd_heightsize[x] = ~0; Were these lines written with the logic that the value of x would be equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1? Or, is the expected value of x at these lines equal to (sdp->sd_heightsize[]'s last index as filled in by the loop)? I would appreciate it if someone could clarify for me, how this would hold against the second potential out-of-bounds access I mentioned in my commit message. An additional comment (which I feel is of some significance) on this. Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs were all 0. This by extension also means that in gfs2_read_sb(), all the attributes whose values were determined by performing some sort of calculation involving any one of these variables all resulted in either 0 or a negative value. Simply doing the math will also show how this was also the primary reason this OOB access occured in the first place. However, I still feel that gfs2_read_sb() could do with this bit of checking, since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb() in all scenarios. Anyways, coming back to my initial point. Can having values like that be considered unacceptable and as something that needs to be handled (at gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay? fs/gfs2/ops_fstype.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index 6d18d2c91add..66ee8fb06ab9 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) { u32 hash_blocks, ind_blocks, leaf_blocks; u32 tmp_blocks; - unsigned int x; + unsigned int x, index; int error; error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent); @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize - sizeof(struct gfs2_dinode); sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs; - for (x = 2;; x++) { + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) { u64 space, d; u32 m; - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs; + index = x; + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs; d = space; m = do_div(d, sdp->sd_inptrs); - if (d != sdp->sd_heightsize[x - 1] || m) + if (d != sdp->sd_heightsize[index - 1] || m) break; - sdp->sd_heightsize[x] = space; + sdp->sd_heightsize[index] = space; } - sdp->sd_max_height = x; - sdp->sd_heightsize[x] = ~0; + sdp->sd_max_height = index; + sdp->sd_heightsize[index] = ~0; gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT); sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize - -- 2.25.1 _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

On 13/10/2020 16:26, Anant Thazhemadam wrote: > In gfs2_read_sb(), if the condition > (d != sdp->sd_heightsize[x - 1] || m) > isn't satisfied (in the first 11 iterations), the loop continues, > and begins to perform out-of-bounds access. > Fix this out-of-bounds access by introducing a condition in the for loop > that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are > accessed. > > In addition to this, if the above condition is satisfied when > x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks > out of the loop, then an out-of-bounds access is performed again while > assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and > also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would > fail. > Fix this out-of-bounds access and ensure that the assertion doesn't fail > by introducing another variable "index", which keeps track of the last > valid value of x (pre-increment) that can be used. That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size. Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has attempted to fix this also[1], but I don't know if they plan to send another patch. [1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html Thanks, Andy > Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com > Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com > Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com> > --- > > I have one question here (potentially a place where I suspect this > patch could have a fatal flaw and might need some rework). > > sdp->sd_max_height = x; > sdp->sd_heightsize[x] = ~0; > > Were these lines written with the logic that the value of x would be > equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1? > Or, is the expected value of x at these lines equal to > (sdp->sd_heightsize[]'s last index as filled in by the loop)? > I would appreciate it if someone could clarify for me, how this would > hold against the second potential out-of-bounds access I mentioned in my > commit message. > > An additional comment (which I feel is of some significance) on this. > Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift > sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs > were all 0. > This by extension also means that in gfs2_read_sb(), all the attributes > whose values were determined by performing some sort of calculation > involving any one of these variables all resulted in either 0 or a > negative value. > Simply doing the math will also show how this was also the primary reason > this OOB access occured in the first place. > However, I still feel that gfs2_read_sb() could do with this bit of checking, > since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb() > in all scenarios. > Anyways, coming back to my initial point. Can having values like that be > considered unacceptable and as something that needs to be handled (at > gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay? > > fs/gfs2/ops_fstype.c | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > > diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c > index 6d18d2c91add..66ee8fb06ab9 100644 > --- a/fs/gfs2/ops_fstype.c > +++ b/fs/gfs2/ops_fstype.c > @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) > { > u32 hash_blocks, ind_blocks, leaf_blocks; > u32 tmp_blocks; > - unsigned int x; > + unsigned int x, index; > int error; > > error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent); > @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) > sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize - > sizeof(struct gfs2_dinode); > sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs; > - for (x = 2;; x++) { > + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) { > u64 space, d; > u32 m; > > - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs; > + index = x; > + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs; > d = space; > m = do_div(d, sdp->sd_inptrs); > > - if (d != sdp->sd_heightsize[x - 1] || m) > + if (d != sdp->sd_heightsize[index - 1] || m) > break; > - sdp->sd_heightsize[x] = space; > + sdp->sd_heightsize[index] = space; > } > - sdp->sd_max_height = x; > - sdp->sd_heightsize[x] = ~0; > + sdp->sd_max_height = index; > + sdp->sd_heightsize[index] = ~0; > gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT); > > sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize - > _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

On 14/10/20 6:34 pm, Andrew Price wrote: > On 13/10/2020 16:26, Anant Thazhemadam wrote: >> In gfs2_read_sb(), if the condition >> (d != sdp->sd_heightsize[x - 1] || m) >> isn't satisfied (in the first 11 iterations), the loop continues, >> and begins to perform out-of-bounds access. >> Fix this out-of-bounds access by introducing a condition in the for loop >> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are >> accessed. >> >> In addition to this, if the above condition is satisfied when >> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks >> out of the loop, then an out-of-bounds access is performed again while >> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and >> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would >> fail. >> Fix this out-of-bounds access and ensure that the assertion doesn't fail >> by introducing another variable "index", which keeps track of the last >> valid value of x (pre-increment) that can be used. > > That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size. > I see. Thanks for the review! I'll send in a v2 that implements this check soon enough. Thanks, Anant _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Hi Andrew, On Wed, Oct 14, 2020 at 9:04 PM Andrew Price <anprice@redhat.com> wrote: > Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has > attempted to fix this also[1], but I don't know if they plan to send > another patch. Oh, I thought it was solved by someone else as you've pointed out the correct solution the other day. https://lkml.org/lkml/2020/10/5/538 I'm solving another bug right now, I will leave this to Anant. :) thanks, fox _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees