* [PATCH v3] f2fs: fix to avoid accessing xattr across the boundary
@ 2019-04-09 8:53 Randall Huang
2019-04-09 10:22 ` Chao Yu
0 siblings, 1 reply; 3+ messages in thread
From: Randall Huang @ 2019-04-09 8:53 UTC (permalink / raw)
To: jaegeuk, yuchao0, linux-f2fs-devel, linux-kernel; +Cc: huangrandall
When we traverse xattr entries via __find_xattr(),
if the raw filesystem content is faked or any hardware failure occurs,
out-of-bound error can be detected by KASAN.
Fix the issue by introducing boundary check.
[ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
[ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
[ 38.402935] c7 1827 Call trace:
[ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
[ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
[ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
[ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
[ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
[ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
[ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
[ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
[ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
[ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
[ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
[ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
[ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
[ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
[ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
[ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
[ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
[ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
[ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
[ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
[ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
[ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
Bug: 126558260
Signed-off-by: Randall Huang <huangrandall@google.com>
---
v2:
* return EFAULT if OOB error is detected
v3:
* fix typo in setxattr()
---
fs/f2fs/xattr.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
index 848a785abe25..381f14b02a78 100644
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
return handler;
}
-static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
- size_t len, const char *name)
+static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
+ unsigned int max_size, int index,
+ size_t len, const char *name)
{
struct f2fs_xattr_entry *entry;
+ void *max_addr = base_addr + ENTRY_SIZE(XATTR_ENTRY(base_addr)) +
+ max_size - 1;
list_for_each_xattr(entry, base_addr) {
+ if ((void *)entry + sizeof(__u32) > max_addr)
+ return NULL;
if (entry->e_name_index != index)
continue;
if (entry->e_name_len != len)
@@ -301,6 +306,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
nid_t xnid = F2FS_I(inode)->i_xattr_nid;
unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
unsigned int inline_size = inline_xattr_size(inode);
+ unsigned int max_size = inline_size + size + XATTR_PADDING_SIZE;
int err = 0;
if (!size && !inline_size)
@@ -323,6 +329,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
*base_size = inline_size;
goto check;
}
+ max_size -= inline_size;
}
/* read from xattr node block */
@@ -330,6 +337,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
err = read_xattr_block(inode, txattr_addr);
if (err)
goto out;
+
+ max_size -= size;
}
if (last_addr)
@@ -337,7 +346,12 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
else
cur_addr = txattr_addr;
- *xe = __find_xattr(cur_addr, index, len, name);
+ *xe = __find_xattr(cur_addr, max_size, index, len, name);
+ if (!*xe) {
+ err = -EFAULT;
+ goto out;
+ }
+
check:
if (IS_XATTR_LAST_ENTRY(*xe)) {
err = -ENODATA;
@@ -585,6 +599,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
int found, newsize;
size_t len;
__u32 new_hsize;
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+ unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
+ unsigned int inline_size = inline_xattr_size(inode);
+ unsigned int max_size = inline_size + xattr_nid_size +
+ XATTR_PADDING_SIZE;
int error = 0;
if (name == NULL)
@@ -606,7 +625,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
return error;
/* find entry with wanted name. */
- here = __find_xattr(base_addr, index, len, name);
+ here = __find_xattr(base_addr, max_size, index, len, name);
+ if (!here) {
+ error = -EFAULT;
+ goto exit;
+ }
found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v3] f2fs: fix to avoid accessing xattr across the boundary
2019-04-09 8:53 [PATCH v3] f2fs: fix to avoid accessing xattr across the boundary Randall Huang
@ 2019-04-09 10:22 ` Chao Yu
2019-04-10 9:27 ` Randall Huang
0 siblings, 1 reply; 3+ messages in thread
From: Chao Yu @ 2019-04-09 10:22 UTC (permalink / raw)
To: Randall Huang, jaegeuk, linux-f2fs-devel, linux-kernel
On 2019/4/9 16:53, Randall Huang wrote:
> When we traverse xattr entries via __find_xattr(),
> if the raw filesystem content is faked or any hardware failure occurs,
> out-of-bound error can be detected by KASAN.
> Fix the issue by introducing boundary check.
>
> [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
> [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
> [ 38.402935] c7 1827 Call trace:
> [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
> [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
> [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
> [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
> [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
> [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
> [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
> [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
> [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
> [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
> [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
> [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
> [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
> [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
> [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
> [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
> [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
> [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
> [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
> [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
> [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
> [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
>
> Bug: 126558260
>
> Signed-off-by: Randall Huang <huangrandall@google.com>
> ---
> v2:
> * return EFAULT if OOB error is detected
>
> v3:
> * fix typo in setxattr()
> ---
> fs/f2fs/xattr.c | 31 +++++++++++++++++++++++++++----
> 1 file changed, 27 insertions(+), 4 deletions(-)
>
> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
> index 848a785abe25..381f14b02a78 100644
> --- a/fs/f2fs/xattr.c
> +++ b/fs/f2fs/xattr.c
> @@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
> return handler;
> }
>
> -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
> - size_t len, const char *name)
> +static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
> + unsigned int max_size, int index,
> + size_t len, const char *name)
> {
> struct f2fs_xattr_entry *entry;
> + void *max_addr = base_addr + ENTRY_SIZE(XATTR_ENTRY(base_addr)) +
> + max_size - 1;
Hi Randall,
I think this is not right, I enable noinline_xattr mount option, and add
printk to see the status here, it shows
__find_xattr, base_addr:ffff8e709ba92000, max_addr:ffff8e709baa131f, max_size:4
ffff8e709baa131f - ffff8e709ba92000 = F31F
>
> list_for_each_xattr(entry, base_addr) {
> + if ((void *)entry + sizeof(__u32) > max_addr)
> + return NULL;
> if (entry->e_name_index != index)
> continue;
> if (entry->e_name_len != len)
> @@ -301,6 +306,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> nid_t xnid = F2FS_I(inode)->i_xattr_nid;
> unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
> unsigned int inline_size = inline_xattr_size(inode);
> + unsigned int max_size = inline_size + size + XATTR_PADDING_SIZE;
> int err = 0;
>
> if (!size && !inline_size)
> @@ -323,6 +329,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> *base_size = inline_size;
> goto check;
> }
> + max_size -= inline_size;
The cur_addr pointer may point to middle of inline xattr space due to below code? we
should consider such case here.
if (last_addr)
cur_addr = XATTR_HDR(last_addr) - 1;
> }
>
> /* read from xattr node block */
> @@ -330,6 +337,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> err = read_xattr_block(inode, txattr_addr);
> if (err)
> goto out;
> +
> + max_size -= size;
We should not shrink max_size after loading xattr block's data.
Thanks,
> }
>
> if (last_addr)
> @@ -337,7 +346,12 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> else
> cur_addr = txattr_addr;
>
> - *xe = __find_xattr(cur_addr, index, len, name);
> + *xe = __find_xattr(cur_addr, max_size, index, len, name);
> + if (!*xe) {
> + err = -EFAULT;
> + goto out;
> + }
> +
> check:
> if (IS_XATTR_LAST_ENTRY(*xe)) {
> err = -ENODATA;
> @@ -585,6 +599,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
> int found, newsize;
> size_t len;
> __u32 new_hsize;
> + nid_t xnid = F2FS_I(inode)->i_xattr_nid;
> + unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
> + unsigned int inline_size = inline_xattr_size(inode);
> + unsigned int max_size = inline_size + xattr_nid_size +
> + XATTR_PADDING_SIZE;
> int error = 0;
>
> if (name == NULL)
> @@ -606,7 +625,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
> return error;
>
> /* find entry with wanted name. */
> - here = __find_xattr(base_addr, index, len, name);
> + here = __find_xattr(base_addr, max_size, index, len, name);
> + if (!here) {
> + error = -EFAULT;
> + goto exit;
> + }
>
> found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v3] f2fs: fix to avoid accessing xattr across the boundary
2019-04-09 10:22 ` Chao Yu
@ 2019-04-10 9:27 ` Randall Huang
0 siblings, 0 replies; 3+ messages in thread
From: Randall Huang @ 2019-04-10 9:27 UTC (permalink / raw)
To: Chao Yu, jaegeuk, linux-f2fs-devel, linux-kernel; +Cc: huangrandall
On Tue, Apr 09, 2019 at 06:22:55PM +0800, Chao Yu wrote:
> On 2019/4/9 16:53, Randall Huang wrote:
> > When we traverse xattr entries via __find_xattr(),
> > if the raw filesystem content is faked or any hardware failure occurs,
> > out-of-bound error can be detected by KASAN.
> > Fix the issue by introducing boundary check.
> >
> > [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
> > [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
> > [ 38.402935] c7 1827 Call trace:
> > [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
> > [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
> > [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
> > [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
> > [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
> > [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
> > [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
> > [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
> > [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
> > [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
> > [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
> > [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
> > [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
> > [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
> > [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
> > [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
> > [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
> > [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
> > [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
> > [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
> > [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
> > [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
> >
> > Bug: 126558260
> >
> > Signed-off-by: Randall Huang <huangrandall@google.com>
> > ---
> > v2:
> > * return EFAULT if OOB error is detected
> >
> > v3:
> > * fix typo in setxattr()
> > ---
> > fs/f2fs/xattr.c | 31 +++++++++++++++++++++++++++----
> > 1 file changed, 27 insertions(+), 4 deletions(-)
> >
> > diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
> > index 848a785abe25..381f14b02a78 100644
> > --- a/fs/f2fs/xattr.c
> > +++ b/fs/f2fs/xattr.c
> > @@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
> > return handler;
> > }
> >
> > -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
> > - size_t len, const char *name)
> > +static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
> > + unsigned int max_size, int index,
> > + size_t len, const char *name)
> > {
> > struct f2fs_xattr_entry *entry;
> > + void *max_addr = base_addr + ENTRY_SIZE(XATTR_ENTRY(base_addr)) +
> > + max_size - 1;
>
> Hi Randall,
>
> I think this is not right, I enable noinline_xattr mount option, and add
> printk to see the status here, it shows
>
> __find_xattr, base_addr:ffff8e709ba92000, max_addr:ffff8e709baa131f, max_size:4
>
> ffff8e709baa131f - ffff8e709ba92000 = F31F
>
I would like to try another way.
The key is the pointer of entry should never run over the boundary of txattr
allocated in lookup_all_xattrs().
I will send v4.
> >
> > list_for_each_xattr(entry, base_addr) {
> > + if ((void *)entry + sizeof(__u32) > max_addr)
> > + return NULL;
> > if (entry->e_name_index != index)
> > continue;
> > if (entry->e_name_len != len)
> > @@ -301,6 +306,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> > nid_t xnid = F2FS_I(inode)->i_xattr_nid;
> > unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
> > unsigned int inline_size = inline_xattr_size(inode);
> > + unsigned int max_size = inline_size + size + XATTR_PADDING_SIZE;
> > int err = 0;
> >
> > if (!size && !inline_size)
> > @@ -323,6 +329,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> > *base_size = inline_size;
> > goto check;
> > }
> > + max_size -= inline_size;
>
> The cur_addr pointer may point to middle of inline xattr space due to below code? we
> should consider such case here.
>
> if (last_addr)
> cur_addr = XATTR_HDR(last_addr) - 1;
>
> > }
> >
> > /* read from xattr node block */
> > @@ -330,6 +337,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> > err = read_xattr_block(inode, txattr_addr);
> > if (err)
> > goto out;
> > +
> > + max_size -= size;
>
> We should not shrink max_size after loading xattr block's data.
>
> Thanks,
>
> > }
> >
> > if (last_addr)
> > @@ -337,7 +346,12 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> > else
> > cur_addr = txattr_addr;
> >
> > - *xe = __find_xattr(cur_addr, index, len, name);
> > + *xe = __find_xattr(cur_addr, max_size, index, len, name);
> > + if (!*xe) {
> > + err = -EFAULT;
> > + goto out;
> > + }
> > +
> > check:
> > if (IS_XATTR_LAST_ENTRY(*xe)) {
> > err = -ENODATA;
> > @@ -585,6 +599,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
> > int found, newsize;
> > size_t len;
> > __u32 new_hsize;
> > + nid_t xnid = F2FS_I(inode)->i_xattr_nid;
> > + unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
> > + unsigned int inline_size = inline_xattr_size(inode);
> > + unsigned int max_size = inline_size + xattr_nid_size +
> > + XATTR_PADDING_SIZE;
> > int error = 0;
> >
> > if (name == NULL)
> > @@ -606,7 +625,11 @@ static int __f2fs_setxattr(struct inode *inode, int index,
> > return error;
> >
> > /* find entry with wanted name. */
> > - here = __find_xattr(base_addr, index, len, name);
> > + here = __find_xattr(base_addr, max_size, index, len, name);
> > + if (!here) {
> > + error = -EFAULT;
> > + goto exit;
> > + }
> >
> > found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
> >
> >
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-04-10 9:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-09 8:53 [PATCH v3] f2fs: fix to avoid accessing xattr across the boundary Randall Huang
2019-04-09 10:22 ` Chao Yu
2019-04-10 9:27 ` Randall Huang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).