* [Linux-kernel-mentees] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
@ 2020-10-13 15:26 Anant Thazhemadam
2020-10-14 13:04 ` [Linux-kernel-mentees] [Cluster-devel] " Andrew Price
0 siblings, 1 reply; 4+ messages in thread
From: Anant Thazhemadam @ 2020-10-13 15:26 UTC (permalink / raw)
To: rpeterso, agruenba
Cc: cluster-devel, anant.thazhemadam, linux-kernel-mentees,
linux-kernel, syzbot+a5e2482a693e6b1e444b
In gfs2_read_sb(), if the condition
(d != sdp->sd_heightsize[x - 1] || m)
isn't satisfied (in the first 11 iterations), the loop continues,
and begins to perform out-of-bounds access.
Fix this out-of-bounds access by introducing a condition in the for loop
that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
accessed.
In addition to this, if the above condition is satisfied when
x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
out of the loop, then an out-of-bounds access is performed again while
assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
fail.
Fix this out-of-bounds access and ensure that the assertion doesn't fail
by introducing another variable "index", which keeps track of the last
valid value of x (pre-increment) that can be used.
Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
I have one question here (potentially a place where I suspect this
patch could have a fatal flaw and might need some rework).
sdp->sd_max_height = x;
sdp->sd_heightsize[x] = ~0;
Were these lines written with the logic that the value of x would be
equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
Or, is the expected value of x at these lines equal to
(sdp->sd_heightsize[]'s last index as filled in by the loop)?
I would appreciate it if someone could clarify for me, how this would
hold against the second potential out-of-bounds access I mentioned in my
commit message.
An additional comment (which I feel is of some significance) on this.
Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
were all 0.
This by extension also means that in gfs2_read_sb(), all the attributes
whose values were determined by performing some sort of calculation
involving any one of these variables all resulted in either 0 or a
negative value.
Simply doing the math will also show how this was also the primary reason
this OOB access occured in the first place.
However, I still feel that gfs2_read_sb() could do with this bit of checking,
since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
in all scenarios.
Anyways, coming back to my initial point. Can having values like that be
considered unacceptable and as something that needs to be handled (at
gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
fs/gfs2/ops_fstype.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..66ee8fb06ab9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
{
u32 hash_blocks, ind_blocks, leaf_blocks;
u32 tmp_blocks;
- unsigned int x;
+ unsigned int x, index;
int error;
error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
@@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
sizeof(struct gfs2_dinode);
sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
- for (x = 2;; x++) {
+ for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
u64 space, d;
u32 m;
- space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
+ index = x;
+ space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
d = space;
m = do_div(d, sdp->sd_inptrs);
- if (d != sdp->sd_heightsize[x - 1] || m)
+ if (d != sdp->sd_heightsize[index - 1] || m)
break;
- sdp->sd_heightsize[x] = space;
+ sdp->sd_heightsize[index] = space;
}
- sdp->sd_max_height = x;
- sdp->sd_heightsize[x] = ~0;
+ sdp->sd_max_height = index;
+ sdp->sd_heightsize[index] = ~0;
gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
--
2.25.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
2020-10-13 15:26 [Linux-kernel-mentees] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() Anant Thazhemadam
@ 2020-10-14 13:04 ` Andrew Price
2020-10-14 13:14 ` Anant Thazhemadam
2020-10-14 13:25 ` Fox Chen
0 siblings, 2 replies; 4+ messages in thread
From: Andrew Price @ 2020-10-14 13:04 UTC (permalink / raw)
To: Anant Thazhemadam
Cc: agruenba, Fox Chen, linux-kernel, syzbot+a5e2482a693e6b1e444b,
cluster-devel, rpeterso, linux-kernel-mentees
On 13/10/2020 16:26, Anant Thazhemadam wrote:
> In gfs2_read_sb(), if the condition
> (d != sdp->sd_heightsize[x - 1] || m)
> isn't satisfied (in the first 11 iterations), the loop continues,
> and begins to perform out-of-bounds access.
> Fix this out-of-bounds access by introducing a condition in the for loop
> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
> accessed.
>
> In addition to this, if the above condition is satisfied when
> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
> out of the loop, then an out-of-bounds access is performed again while
> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
> fail.
> Fix this out-of-bounds access and ensure that the assertion doesn't fail
> by introducing another variable "index", which keeps track of the last
> valid value of x (pre-increment) that can be used.
That's not quite the right approach. Your analysis below is correct: the
problem stems from the block size in the superblock being zeroed by the
fuzzer. So the correct fix would be to add a validation check for
sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers
of 2 between 512 and the page size.
Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has
attempted to fix this also[1], but I don't know if they plan to send
another patch.
[1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html
Thanks,
Andy
> Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
>
> I have one question here (potentially a place where I suspect this
> patch could have a fatal flaw and might need some rework).
>
> sdp->sd_max_height = x;
> sdp->sd_heightsize[x] = ~0;
>
> Were these lines written with the logic that the value of x would be
> equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
> Or, is the expected value of x at these lines equal to
> (sdp->sd_heightsize[]'s last index as filled in by the loop)?
> I would appreciate it if someone could clarify for me, how this would
> hold against the second potential out-of-bounds access I mentioned in my
> commit message.
>
> An additional comment (which I feel is of some significance) on this.
> Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
> sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
> were all 0.
> This by extension also means that in gfs2_read_sb(), all the attributes
> whose values were determined by performing some sort of calculation
> involving any one of these variables all resulted in either 0 or a
> negative value.
> Simply doing the math will also show how this was also the primary reason
> this OOB access occured in the first place.
> However, I still feel that gfs2_read_sb() could do with this bit of checking,
> since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
> in all scenarios.
> Anyways, coming back to my initial point. Can having values like that be
> considered unacceptable and as something that needs to be handled (at
> gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
>
> fs/gfs2/ops_fstype.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
> index 6d18d2c91add..66ee8fb06ab9 100644
> --- a/fs/gfs2/ops_fstype.c
> +++ b/fs/gfs2/ops_fstype.c
> @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> {
> u32 hash_blocks, ind_blocks, leaf_blocks;
> u32 tmp_blocks;
> - unsigned int x;
> + unsigned int x, index;
> int error;
>
> error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
> @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
> sizeof(struct gfs2_dinode);
> sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
> - for (x = 2;; x++) {
> + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
> u64 space, d;
> u32 m;
>
> - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
> + index = x;
> + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
> d = space;
> m = do_div(d, sdp->sd_inptrs);
>
> - if (d != sdp->sd_heightsize[x - 1] || m)
> + if (d != sdp->sd_heightsize[index - 1] || m)
> break;
> - sdp->sd_heightsize[x] = space;
> + sdp->sd_heightsize[index] = space;
> }
> - sdp->sd_max_height = x;
> - sdp->sd_heightsize[x] = ~0;
> + sdp->sd_max_height = index;
> + sdp->sd_heightsize[index] = ~0;
> gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
>
> sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
2020-10-14 13:04 ` [Linux-kernel-mentees] [Cluster-devel] " Andrew Price
@ 2020-10-14 13:14 ` Anant Thazhemadam
2020-10-14 13:25 ` Fox Chen
1 sibling, 0 replies; 4+ messages in thread
From: Anant Thazhemadam @ 2020-10-14 13:14 UTC (permalink / raw)
To: Andrew Price
Cc: agruenba, Fox Chen, linux-kernel, syzbot+a5e2482a693e6b1e444b,
cluster-devel, rpeterso, linux-kernel-mentees
On 14/10/20 6:34 pm, Andrew Price wrote:
> On 13/10/2020 16:26, Anant Thazhemadam wrote:
>> In gfs2_read_sb(), if the condition
>> (d != sdp->sd_heightsize[x - 1] || m)
>> isn't satisfied (in the first 11 iterations), the loop continues,
>> and begins to perform out-of-bounds access.
>> Fix this out-of-bounds access by introducing a condition in the for loop
>> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
>> accessed.
>>
>> In addition to this, if the above condition is satisfied when
>> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
>> out of the loop, then an out-of-bounds access is performed again while
>> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
>> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
>> fail.
>> Fix this out-of-bounds access and ensure that the assertion doesn't fail
>> by introducing another variable "index", which keeps track of the last
>> valid value of x (pre-increment) that can be used.
>
> That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size.
>
I see. Thanks for the review! I'll send in a v2 that implements this check soon enough.
Thanks,
Anant
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
2020-10-14 13:04 ` [Linux-kernel-mentees] [Cluster-devel] " Andrew Price
2020-10-14 13:14 ` Anant Thazhemadam
@ 2020-10-14 13:25 ` Fox Chen
1 sibling, 0 replies; 4+ messages in thread
From: Fox Chen @ 2020-10-14 13:25 UTC (permalink / raw)
To: Andrew Price
Cc: Anant Thazhemadam, agruenba, linux-kernel,
syzbot+a5e2482a693e6b1e444b, cluster-devel, rpeterso,
linux-kernel-mentees
Hi Andrew,
On Wed, Oct 14, 2020 at 9:04 PM Andrew Price <anprice@redhat.com> wrote:
> Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has
> attempted to fix this also[1], but I don't know if they plan to send
> another patch.
Oh, I thought it was solved by someone else as you've pointed out the
correct solution the other day. https://lkml.org/lkml/2020/10/5/538
I'm solving another bug right now, I will leave this to Anant. :)
thanks,
fox
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-10-14 13:25 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-13 15:26 [Linux-kernel-mentees] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() Anant Thazhemadam
2020-10-14 13:04 ` [Linux-kernel-mentees] [Cluster-devel] " Andrew Price
2020-10-14 13:14 ` Anant Thazhemadam
2020-10-14 13:25 ` Fox Chen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).