[Linux-kernel-mentees] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()

[Linux-kernel-mentees] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()

[Anant Thazhemadam]

In gfs2_read_sb(), if the condition
	(d != sdp->sd_heightsize[x - 1] || m)
isn't satisfied (in the first 11 iterations), the loop continues,
and begins to perform out-of-bounds access.
Fix this out-of-bounds access by introducing a condition in the for loop
that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
accessed.

In addition to this, if the above condition is satisfied when
x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
out of the loop, then an out-of-bounds access is performed again while
assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
fail.
Fix this out-of-bounds access and ensure that the assertion doesn't fail
by introducing another variable "index", which keeps track of the last
valid value of x (pre-increment) that can be used.

Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---

I have one question here (potentially a place where I suspect this
patch could have a fatal flaw and might need some rework).

	sdp->sd_max_height = x;
	sdp->sd_heightsize[x] = ~0;

Were these lines written with the logic that the value of x would be
equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
Or, is the expected value of x at these lines equal to 
(sdp->sd_heightsize[]'s last index as filled in by the loop)?
I would appreciate it if someone could clarify for me, how this would 
hold against the second potential out-of-bounds access I mentioned in my
commit message.

An additional comment (which I feel is of some significance) on this.
Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
were all 0.
This by extension also means that in gfs2_read_sb(), all the attributes
whose values were determined by performing some sort of calculation 
involving any one of these variables all resulted in either 0 or a 
negative value.
Simply doing the math will also show how this was also the primary reason
this OOB access occured in the first place. 
However, I still feel that gfs2_read_sb() could do with this bit of checking, 
since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
in all scenarios.
Anyways, coming back to my initial point. Can having values like that be 
considered unacceptable and as something that needs to be handled (at 
gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?

 fs/gfs2/ops_fstype.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..66ee8fb06ab9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
 {
 	u32 hash_blocks, ind_blocks, leaf_blocks;
 	u32 tmp_blocks;
-	unsigned int x;
+	unsigned int x, index;
 	int error;
 
 	error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
@@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
 	sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
 				sizeof(struct gfs2_dinode);
 	sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
-	for (x = 2;; x++) {
+	for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
 		u64 space, d;
 		u32 m;
 
-		space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
+		index = x;
+		space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
 		d = space;
 		m = do_div(d, sdp->sd_inptrs);
 
-		if (d != sdp->sd_heightsize[x - 1] || m)
+		if (d != sdp->sd_heightsize[index - 1] || m)
 			break;
-		sdp->sd_heightsize[x] = space;
+		sdp->sd_heightsize[index] = space;
 	}
-	sdp->sd_max_height = x;
-	sdp->sd_heightsize[x] = ~0;
+	sdp->sd_max_height = index;
+	sdp->sd_heightsize[index] = ~0;
 	gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
 
 	sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
-- 
2.25.1

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()

[Andrew Price]

On 13/10/2020 16:26, Anant Thazhemadam wrote:
> In gfs2_read_sb(), if the condition
> 	(d != sdp->sd_heightsize[x - 1] || m)
> isn't satisfied (in the first 11 iterations), the loop continues,
> and begins to perform out-of-bounds access.
> Fix this out-of-bounds access by introducing a condition in the for loop
> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
> accessed.
> 
> In addition to this, if the above condition is satisfied when
> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
> out of the loop, then an out-of-bounds access is performed again while
> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
> fail.
> Fix this out-of-bounds access and ensure that the assertion doesn't fail
> by introducing another variable "index", which keeps track of the last
> valid value of x (pre-increment) that can be used.

That's not quite the right approach. Your analysis below is correct: the 
problem stems from the block size in the superblock being zeroed by the 
fuzzer. So the correct fix would be to add a validation check for 
sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers 
of 2 between 512 and the page size.

Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has 
attempted to fix this also[1], but I don't know if they plan to send 
another patch.

[1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html

Thanks,
Andy

> Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> 
> I have one question here (potentially a place where I suspect this
> patch could have a fatal flaw and might need some rework).
> 
> 	sdp->sd_max_height = x;
> 	sdp->sd_heightsize[x] = ~0;
> 
> Were these lines written with the logic that the value of x would be
> equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
> Or, is the expected value of x at these lines equal to
> (sdp->sd_heightsize[]'s last index as filled in by the loop)?
> I would appreciate it if someone could clarify for me, how this would
> hold against the second potential out-of-bounds access I mentioned in my
> commit message.
> 
> An additional comment (which I feel is of some significance) on this.
> Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
> sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
> were all 0.
> This by extension also means that in gfs2_read_sb(), all the attributes
> whose values were determined by performing some sort of calculation
> involving any one of these variables all resulted in either 0 or a
> negative value.
> Simply doing the math will also show how this was also the primary reason
> this OOB access occured in the first place.
> However, I still feel that gfs2_read_sb() could do with this bit of checking,
> since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
> in all scenarios.
> Anyways, coming back to my initial point. Can having values like that be
> considered unacceptable and as something that needs to be handled (at
> gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
> 
>   fs/gfs2/ops_fstype.c | 15 ++++++++-------
>   1 file changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
> index 6d18d2c91add..66ee8fb06ab9 100644
> --- a/fs/gfs2/ops_fstype.c
> +++ b/fs/gfs2/ops_fstype.c
> @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
>   {
>   	u32 hash_blocks, ind_blocks, leaf_blocks;
>   	u32 tmp_blocks;
> -	unsigned int x;
> +	unsigned int x, index;
>   	int error;
>   
>   	error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
> @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
>   	sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
>   				sizeof(struct gfs2_dinode);
>   	sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
> -	for (x = 2;; x++) {
> +	for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
>   		u64 space, d;
>   		u32 m;
>   
> -		space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
> +		index = x;
> +		space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
>   		d = space;
>   		m = do_div(d, sdp->sd_inptrs);
>   
> -		if (d != sdp->sd_heightsize[x - 1] || m)
> +		if (d != sdp->sd_heightsize[index - 1] || m)
>   			break;
> -		sdp->sd_heightsize[x] = space;
> +		sdp->sd_heightsize[index] = space;
>   	}
> -	sdp->sd_max_height = x;
> -	sdp->sd_heightsize[x] = ~0;
> +	sdp->sd_max_height = index;
> +	sdp->sd_heightsize[index] = ~0;
>   	gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
>   
>   	sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
> 

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()

[Anant Thazhemadam]

On 14/10/20 6:34 pm, Andrew Price wrote:
> On 13/10/2020 16:26, Anant Thazhemadam wrote:
>> In gfs2_read_sb(), if the condition
>>     (d != sdp->sd_heightsize[x - 1] || m)
>> isn't satisfied (in the first 11 iterations), the loop continues,
>> and begins to perform out-of-bounds access.
>> Fix this out-of-bounds access by introducing a condition in the for loop
>> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
>> accessed.
>>
>> In addition to this, if the above condition is satisfied when
>> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
>> out of the loop, then an out-of-bounds access is performed again while
>> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
>> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
>> fail.
>> Fix this out-of-bounds access and ensure that the assertion doesn't fail
>> by introducing another variable "index", which keeps track of the last
>> valid value of x (pre-increment) that can be used.
>
> That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size.
>

I see. Thanks for the review! I'll send in a v2 that implements this check soon enough.

Thanks,
Anant

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

Re: [Linux-kernel-mentees] [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()

[Fox Chen]

Hi Andrew,

On Wed, Oct 14, 2020 at 9:04 PM Andrew Price <anprice@redhat.com> wrote:
> Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has
> attempted to fix this also[1], but I don't know if they plan to send
> another patch.

Oh, I thought it was solved by someone else as you've pointed out the
correct solution the other day. https://lkml.org/lkml/2020/10/5/538

I'm solving another bug right now, I will leave this to Anant. :)


thanks,
fox
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees