linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Wen Xu <wen.xu@gatech.edu>,
	Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.9 50/70] f2fs: fix to do sanity check with reserved blkaddr of inline inode
Date: Tue, 18 Sep 2018 00:42:23 +0200
Message-ID: <20180917211653.119924302@linuxfoundation.org>
In-Reply-To: <20180917211649.099135838@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <yuchao0@huawei.com>

[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ]

As Wen Xu reported in bugzilla, after the image was injected with random data
by fuzzing, the inline inode would contain an invalid reserved blkaddr; then,
during inline conversion, we will encounter illegal memory accessing
reported by KASAN. The root cause of this is that when writing out the converted
inline page, we will use the invalid reserved blkaddr to update the sit bitmap,
resulting in accessing memory beyond the sit bitmap boundary.

In order to fix this issue, let's do a sanity check with the reserved block
address of the inline inode to avoid the above condition.

https://bugzilla.kernel.org/show_bug.cgi?id=200179

[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741

[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868]  dump_stack+0x71/0xab
[ 1428.846875]  print_address_description+0x6b/0x290
[ 1428.846881]  kasan_report+0x28e/0x390
[ 1428.846888]  ? update_sit_entry+0x80/0x7f0
[ 1428.846898]  update_sit_entry+0x80/0x7f0
[ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920]  do_write_page+0xc8/0x150
[ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
[ 1428.846951]  ? inc_zone_page_state+0x54/0x100
[ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978]  ? __get_node_page+0x335/0x6b0
[ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024]  f2fs_file_mmap+0x79/0xc0
[ 1428.847029]  mmap_region+0x58b/0x880
[ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042]  do_mmap+0x55b/0x7a0
[ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068]  ? do_sys_open+0x206/0x2a0
[ 1428.847073]  ? __fget+0xb4/0x100
[ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
[ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091]  do_syscall_64+0x73/0x160
[ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000

[ 1428.847252] Allocated by task 2683:
[ 1428.847372]  kasan_kmalloc+0xa6/0xd0
[ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385]  getname_flags+0x73/0x2b0
[ 1428.847390]  user_path_at_empty+0x1d/0x40
[ 1428.847395]  vfs_statx+0xc1/0x150
[ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847405]  do_syscall_64+0x73/0x160
[ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847466] Freed by task 2683:
[ 1428.847566]  __kasan_slab_free+0x137/0x190
[ 1428.847571]  kmem_cache_free+0x85/0x1e0
[ 1428.847575]  filename_lookup+0x191/0x280
[ 1428.847580]  vfs_statx+0xc1/0x150
[ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847590]  do_syscall_64+0x73/0x160
[ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847648] The buggy address belongs to the object at ffff880194483300
                which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
                4096-byte region [ffff880194483300, ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected

[ 1428.849305] Memory state around the buggy address:
[ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985]                                            ^
[ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inline.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -124,6 +124,16 @@ int f2fs_convert_inline_page(struct dnod
 	if (err)
 		return err;
 
+	if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
+		f2fs_put_dnode(dn);
+		set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
+		f2fs_msg(fio.sbi->sb, KERN_WARNING,
+			"%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+			"run fsck to fix.",
+			__func__, dn->inode->i_ino, dn->data_blkaddr);
+		return -EINVAL;
+	}
+
 	f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
 
 	read_inline_data(page, dn->inode_page);
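Review bot: the new early return in f2fs_convert_inline_page() needs a one-line comment stating the invariant it enforces, because `dn->data_blkaddr != NEW_ADDR` reads as arbitrary on its own: once f2fs_reserve_block() has succeeded for an inline inode, i_addr[0] must be NEW_ADDR, and any other value means the on-disk inode is corrupted and must not be passed on as the old block address that the SIT update will use. The placement is right, the check runs before f2fs_bug_on()/read_inline_data() touch the page, and setting SBI_NEED_FSCK plus returning -EINVAL matches how f2fs handles detected corruption elsewhere; "%lx" for i_ino and "0x%x" for the block_t are the correct format specifiers.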
@@ -351,6 +361,17 @@ static int f2fs_move_inline_dirents(stru
 	if (err)
 		goto out;
 
+	if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
+		f2fs_put_dnode(&dn);
+		set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
+		f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
+			"%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+			"run fsck to fix.",
+			__func__, dir->i_ino, dn.data_blkaddr);
+		err = -EINVAL;
+		goto out;
+	}
+
 	f2fs_wait_on_page_writeback(page, DATA, true);
 	zero_user_segment(page, MAX_INLINE_DATA, PAGE_SIZE);
 
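Review bot: this block duplicates the check-and-warn sequence from the f2fs_convert_inline_page() hunk almost line for line (only the dnode, the sbi lookup and the inode used for the ino differ), so consider hoisting it into a small static helper, say a hypothetical `f2fs_check_inline_blkaddr(struct dnode_of_data *dn, struct inode *inode)` that puts the dnode, sets SBI_NEED_FSCK, prints the warning and returns -EINVAL, so that both callers stay in sync if the condition or the message changes later. Also, because this path calls f2fs_put_dnode(&dn) before `goto out`, confirm that whatever the `out:` label in f2fs_move_inline_dirents() does with `dn` tolerates an already-put dnode; the hunk does not show the label.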



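As an added example (not part of the patch or of the f2fs sources), the following C model reproduces why the check is needed: an inline inode's i_addr[0] that comes out of f2fs_reserve_block() as anything but NEW_ADDR is later used as old_blkaddr in the SIT update, where a fuzzed value indexes past the bitmap. The reserved-address values, the geometry and the function names of the model are assumptions chosen to keep it small.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: the reserved-address values follow f2fs (assumed), the
 * geometry is made up so that the SIT bitmap stays small. */
typedef uint32_t block_t;
#define NULL_ADDR     ((block_t)0)   /* slot never allocated */
#define NEW_ADDR      ((block_t)-1)  /* reserved, not yet written out */
#define MAIN_BLKADDR  1024u          /* first block of the main area */
#define BLKS_PER_SEG  512u
#define MAIN_SEGS     64u            /* the SIT bitmap covers only these segments */

static struct { bool need_fsck; uint8_t sit_bitmap[MAIN_SEGS * BLKS_PER_SEG / 8]; } sbi;
static bool fsck_needed(void) { return sbi.need_fsck; }   /* SBI_NEED_FSCK stand-in */

/* f2fs_reserve_block() on i_addr[0]: NULL_ADDR becomes NEW_ADDR, any other value
 * is kept as-is, which is how a fuzzed address survives into the write path. */
static block_t reserve_block(block_t *i_addr0)
{
	if (*i_addr0 == NULL_ADDR)
		*i_addr0 = NEW_ADDR;
	return *i_addr0;
}

/* Model of update_sit_entry() invalidating old_blkaddr. Returns -ERANGE where the
 * kernel has no such check and reads past the bitmap, the access KASAN reported. */
static int update_sit_entry(block_t old_blkaddr)
{
	block_t off = old_blkaddr - MAIN_BLKADDR;   /* wraps for addresses below the main area */
	if (old_blkaddr == NEW_ADDR)
		return 0;                           /* fresh block: nothing to invalidate */
	if (old_blkaddr < MAIN_BLKADDR || off / BLKS_PER_SEG >= MAIN_SEGS)
		return -ERANGE;
	sbi.sit_bitmap[off / 8] &= (uint8_t)~(1u << (off % 8));
	return 0;
}

/* Inline conversion write path for one on-disk i_addr[0] value, with (patched) or
 * without the added check. The patched path refuses the inode and asks for fsck. */
static int convert_inline_page(block_t i_addr0, bool patched)
{
	block_t blkaddr = reserve_block(&i_addr0);
	if (patched && blkaddr != NEW_ADDR) {
		sbi.need_fsck = true;               /* set_sbi_flag(sbi, SBI_NEED_FSCK) */
		return -EINVAL;
	}
	return update_sit_entry(blkaddr);   /* do_write_page() -> f2fs_allocate_data_block() */
}
```

A clean inline inode (i_addr[0] == NULL_ADDR) converts on both paths, while a fuzzed value such as 0xdeadbeef reaches the out-of-range SIT index unpatched and is rejected with -EINVAL plus the fsck flag once the check is in place.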