* [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary @ 2019-04-11 8:26 Randall Huang 2019-04-12 2:05 ` Chao Yu 2019-05-09 4:15 ` Jaegeuk Kim 0 siblings, 2 replies; 6+ messages in thread From: Randall Huang @ 2019-04-11 8:26 UTC (permalink / raw) To: jaegeuk, yuchao0, linux-f2fs-devel, linux-kernel; +Cc: huangrandall When we traverse xattr entries via __find_xattr(), if the raw filesystem content is faked or any hardware failure occurs, out-of-bound error can be detected by KASAN. Fix the issue by introducing boundary check. [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task [ 38.402935] c7 1827 Call trace: [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 Bug: 126558260 Signed-off-by: Randall Huang <huangrandall@google.com> --- v2: * return EFAULT if OOB error is detected v3: * fix typo in setxattr() v4: * change boundry definition v5: * revise boundry definition --- fs/f2fs/xattr.c | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 848a785abe25..587429e29a69 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -202,12 +202,18 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) return handler; } -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, - size_t len, const char *name) +static struct f2fs_xattr_entry *__find_xattr(void *base_addr, + void *last_base_addr, int index, + size_t len, const char *name) { struct f2fs_xattr_entry *entry; list_for_each_xattr(entry, base_addr) { + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) + + sizeof(__u32) > last_base_addr) + return NULL; + if (entry->e_name_index != index) continue; if (entry->e_name_len != len) @@ -298,6 +304,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, void **base_addr, int *base_size) { void *cur_addr, *txattr_addr, *last_addr = NULL; + void *last_txattr_addr = NULL; nid_t xnid = F2FS_I(inode)->i_xattr_nid; unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; unsigned int inline_size = inline_xattr_size(inode); @@ -311,6 +318,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, if (!txattr_addr) return -ENOMEM; + last_txattr_addr = (void *)txattr_addr + inline_size + size; + /* read from inline xattr */ if (inline_size) { err = read_inline_xattr(inode, ipage, txattr_addr); @@ -337,7 +346,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, else cur_addr = txattr_addr; - *xe = __find_xattr(cur_addr, index, len, name); + *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name); + if (!*xe) { + err = -EFAULT; + goto out; + } check: if (IS_XATTR_LAST_ENTRY(*xe)) { err = -ENODATA; @@ -581,10 +594,14 @@ static int __f2fs_setxattr(struct inode *inode, int index, struct page *ipage, int flags) { struct f2fs_xattr_entry *here, *last; - void *base_addr; + void *base_addr, *last_base_addr = NULL; int found, newsize; size_t len; __u32 new_hsize; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; + unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; + unsigned int inline_size = inline_xattr_size(inode); + int error = 0; if (name == NULL) @@ -604,9 +621,14 @@ static int __f2fs_setxattr(struct inode *inode, int index, error = read_all_xattrs(inode, ipage, &base_addr); if (error) return error; + last_base_addr = (void *)base_addr + xattr_nid_size + inline_size; /* find entry with wanted name. */ - here = __find_xattr(base_addr, index, len, name); + here = __find_xattr(base_addr, last_base_addr, index, len, name); + if (!here) { + error = -EFAULT; + goto exit; + } found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1; -- 2.21.0.392.gf8f6787159e-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary 2019-04-11 8:26 [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary Randall Huang @ 2019-04-12 2:05 ` Chao Yu 2019-05-09 4:15 ` Jaegeuk Kim 1 sibling, 0 replies; 6+ messages in thread From: Chao Yu @ 2019-04-12 2:05 UTC (permalink / raw) To: Randall Huang, jaegeuk, linux-f2fs-devel, linux-kernel On 2019/4/11 16:26, Randall Huang wrote: > When we traverse xattr entries via __find_xattr(), > if the raw filesystem content is faked or any hardware failure occurs, > out-of-bound error can be detected by KASAN. > Fix the issue by introducing boundary check. > > [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c > [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task > [ 38.402935] c7 1827 Call trace: > [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc > [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c > [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 > [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 > [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc > [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc > [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 > [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c > [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 > [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc > [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 > [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 > [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 > [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 > [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 > [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc > [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 > [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 > [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 > [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 > [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c > [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 > > Bug: 126558260 > > Signed-off-by: Randall Huang <huangrandall@google.com> Looks good to me now. :) Reviewed-by: Chao Yu <yuchao0@huawei.com> > + unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; Nitpick, xnode_size or xattr_node_size will be better than xattr_nid_size? Maybe Jaegeuk can help to change this when merging this patch, no new version patch needed. Thanks, ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary 2019-04-11 8:26 [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary Randall Huang 2019-04-12 2:05 ` Chao Yu @ 2019-05-09 4:15 ` Jaegeuk Kim 2019-05-09 7:07 ` Chao Yu 1 sibling, 1 reply; 6+ messages in thread From: Jaegeuk Kim @ 2019-05-09 4:15 UTC (permalink / raw) To: Randall Huang; +Cc: yuchao0, linux-f2fs-devel, linux-kernel On 04/11, Randall Huang wrote: > When we traverse xattr entries via __find_xattr(), > if the raw filesystem content is faked or any hardware failure occurs, > out-of-bound error can be detected by KASAN. > Fix the issue by introducing boundary check. > > [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c > [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task > [ 38.402935] c7 1827 Call trace: > [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc > [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c > [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 > [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 > [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc > [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc > [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 > [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c > [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 > [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc > [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 > [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 > [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 > [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 > [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 > [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc > [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 > [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 > [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 > [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 > [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c > [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 > > Bug: 126558260 > > Signed-off-by: Randall Huang <huangrandall@google.com> > --- > v2: > * return EFAULT if OOB error is detected > > v3: > * fix typo in setxattr() > > v4: > * change boundry definition > > v5: > * revise boundry definition > --- > fs/f2fs/xattr.c | 32 +++++++++++++++++++++++++++----- > 1 file changed, 27 insertions(+), 5 deletions(-) > > diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c > index 848a785abe25..587429e29a69 100644 > --- a/fs/f2fs/xattr.c > +++ b/fs/f2fs/xattr.c > @@ -202,12 +202,18 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) > return handler; > } > > -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, > - size_t len, const char *name) > +static struct f2fs_xattr_entry *__find_xattr(void *base_addr, > + void *last_base_addr, int index, > + size_t len, const char *name) > { > struct f2fs_xattr_entry *entry; > > list_for_each_xattr(entry, base_addr) { > + if ((void *)(entry) + sizeof(__u32) > last_base_addr || > + (void *)XATTR_NEXT_ENTRY(entry) + > + sizeof(__u32) > last_base_addr) > + return NULL; > + > if (entry->e_name_index != index) > continue; > if (entry->e_name_len != len) > @@ -298,6 +304,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > void **base_addr, int *base_size) > { > void *cur_addr, *txattr_addr, *last_addr = NULL; > + void *last_txattr_addr = NULL; > nid_t xnid = F2FS_I(inode)->i_xattr_nid; > unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; > unsigned int inline_size = inline_xattr_size(inode); > @@ -311,6 +318,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > if (!txattr_addr) > return -ENOMEM; > > + last_txattr_addr = (void *)txattr_addr + inline_size + size; I just found this should be + XATTR_PADDING_SIZE. Otherwise, generic/026 fails. Let me know, if there is any other concern below. --- fs/f2fs/xattr.c | 12 ++++-------- fs/f2fs/xattr.h | 2 ++ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 019778fb9a0d..cd199a09d436 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -306,19 +306,18 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, void *cur_addr, *txattr_addr, *last_addr = NULL; void *last_txattr_addr = NULL; nid_t xnid = F2FS_I(inode)->i_xattr_nid; - unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; unsigned int inline_size = inline_xattr_size(inode); int err = 0; - if (!size && !inline_size) + if (!xnid && !inline_size) return -ENODATA; - *base_size = inline_size + size + XATTR_PADDING_SIZE; + *base_size = XATTR_SIZE(xnid, inode); txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); if (!txattr_addr) return -ENOMEM; - last_txattr_addr = (void *)txattr_addr + inline_size + size; + last_txattr_addr = (void *)txattr_addr + *base_size; /* read from inline xattr */ if (inline_size) { @@ -599,9 +598,6 @@ static int __f2fs_setxattr(struct inode *inode, int index, size_t len; __u32 new_hsize; nid_t xnid = F2FS_I(inode)->i_xattr_nid; - unsigned int xnode_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; - unsigned int inline_size = inline_xattr_size(inode); - int error = 0; if (name == NULL) @@ -621,7 +617,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, error = read_all_xattrs(inode, ipage, &base_addr); if (error) return error; - last_base_addr = (void *)base_addr + xnode_size + inline_size; + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); /* find entry with wanted name. */ here = __find_xattr(base_addr, last_base_addr, index, len, name); diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h index 9172ee082ca8..1eca1a2d996a 100644 --- a/fs/f2fs/xattr.h +++ b/fs/f2fs/xattr.h @@ -71,6 +71,8 @@ struct f2fs_xattr_entry { entry = XATTR_NEXT_ENTRY(entry)) #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer)) #define XATTR_PADDING_SIZE (sizeof(__u32)) +#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \ + (inline_xattr_size(i)) + XATTR_PADDING_SIZE) #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \ VALID_XATTR_BLOCK_SIZE) -- 2.19.0.605.g01d371f741-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary 2019-05-09 4:15 ` Jaegeuk Kim @ 2019-05-09 7:07 ` Chao Yu 2019-05-09 16:48 ` Jaegeuk Kim 0 siblings, 1 reply; 6+ messages in thread From: Chao Yu @ 2019-05-09 7:07 UTC (permalink / raw) To: Jaegeuk Kim, Randall Huang; +Cc: linux-f2fs-devel, linux-kernel On 2019/5/9 12:15, Jaegeuk Kim wrote: > On 04/11, Randall Huang wrote: >> When we traverse xattr entries via __find_xattr(), >> if the raw filesystem content is faked or any hardware failure occurs, >> out-of-bound error can be detected by KASAN. >> Fix the issue by introducing boundary check. >> >> [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c >> [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task >> [ 38.402935] c7 1827 Call trace: >> [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc >> [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c >> [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 >> [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 >> [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc >> [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc >> [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 >> [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c >> [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 >> [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc >> [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 >> [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 >> [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 >> [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 >> [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 >> [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc >> [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 >> [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 >> [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 >> [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 >> [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c >> [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 >> >> Bug: 126558260 >> >> Signed-off-by: Randall Huang <huangrandall@google.com> >> --- >> v2: >> * return EFAULT if OOB error is detected >> >> v3: >> * fix typo in setxattr() >> >> v4: >> * change boundry definition >> >> v5: >> * revise boundry definition >> --- >> fs/f2fs/xattr.c | 32 +++++++++++++++++++++++++++----- >> 1 file changed, 27 insertions(+), 5 deletions(-) >> >> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c >> index 848a785abe25..587429e29a69 100644 >> --- a/fs/f2fs/xattr.c >> +++ b/fs/f2fs/xattr.c >> @@ -202,12 +202,18 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) >> return handler; >> } >> >> -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, >> - size_t len, const char *name) >> +static struct f2fs_xattr_entry *__find_xattr(void *base_addr, >> + void *last_base_addr, int index, >> + size_t len, const char *name) >> { >> struct f2fs_xattr_entry *entry; >> >> list_for_each_xattr(entry, base_addr) { >> + if ((void *)(entry) + sizeof(__u32) > last_base_addr || >> + (void *)XATTR_NEXT_ENTRY(entry) + >> + sizeof(__u32) > last_base_addr) >> + return NULL; >> + >> if (entry->e_name_index != index) >> continue; >> if (entry->e_name_len != len) >> @@ -298,6 +304,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, >> void **base_addr, int *base_size) >> { >> void *cur_addr, *txattr_addr, *last_addr = NULL; >> + void *last_txattr_addr = NULL; >> nid_t xnid = F2FS_I(inode)->i_xattr_nid; >> unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; >> unsigned int inline_size = inline_xattr_size(inode); >> @@ -311,6 +318,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, >> if (!txattr_addr) >> return -ENOMEM; >> >> + last_txattr_addr = (void *)txattr_addr + inline_size + size; > > I just found this should be + XATTR_PADDING_SIZE. Otherwise, generic/026 fails. > Let me know, if there is any other concern below. We're trying to use [txattr_addr, last_txattr_addr] to indicate valid range of xattr datas, any valid entries across the boundary is not allowed, so I think it's correct to exclude padding space for last_txattr_addr. I added log and tested generic/026, found that: [365804.868431] base:ffff89e391f8e000, last:ffff89e391f8f0b0 [365804.868433] entry:ffff89e391f8e018, next:ffff89e391f8f0b0 The root cause of this issue is caused by below condition: (void *)XATTR_NEXT_ENTRY(entry) + sizeof(__u32) > last_base_addr) It occurs when the end address of last valid entry is located in range (last_base_addr - XATTR_PADDING_SIZE, last_base_addr], then next invalid entry's head will across last_base_addr, result in returning -EFAULT. So anyway, please try below diff instead. ;) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 019778fb9a0d..217bf7c2bb7a 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -210,10 +210,8 @@ static struct f2fs_xattr_entry *__find_xattr(void *base_addr, list_for_each_xattr(entry, base_addr) { if ((void *)(entry) + sizeof(__u32) > last_base_addr || - (void *)XATTR_NEXT_ENTRY(entry) + - sizeof(__u32) > last_base_addr) + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) return NULL; if (entry->e_name_index != index) Thanks, > > --- > fs/f2fs/xattr.c | 12 ++++-------- > fs/f2fs/xattr.h | 2 ++ > 2 files changed, 6 insertions(+), 8 deletions(-) > > diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c > index 019778fb9a0d..cd199a09d436 100644 > --- a/fs/f2fs/xattr.c > +++ b/fs/f2fs/xattr.c > @@ -306,19 +306,18 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > void *cur_addr, *txattr_addr, *last_addr = NULL; > void *last_txattr_addr = NULL; > nid_t xnid = F2FS_I(inode)->i_xattr_nid; > - unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; > unsigned int inline_size = inline_xattr_size(inode); > int err = 0; > > - if (!size && !inline_size) > + if (!xnid && !inline_size) > return -ENODATA; > > - *base_size = inline_size + size + XATTR_PADDING_SIZE; > + *base_size = XATTR_SIZE(xnid, inode); > txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); > if (!txattr_addr) > return -ENOMEM; > > - last_txattr_addr = (void *)txattr_addr + inline_size + size; > + last_txattr_addr = (void *)txattr_addr + *base_size; > > /* read from inline xattr */ > if (inline_size) { > @@ -599,9 +598,6 @@ static int __f2fs_setxattr(struct inode *inode, int index, > size_t len; > __u32 new_hsize; > nid_t xnid = F2FS_I(inode)->i_xattr_nid; > - unsigned int xnode_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; > - unsigned int inline_size = inline_xattr_size(inode); > - > int error = 0; > > if (name == NULL) > @@ -621,7 +617,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, > error = read_all_xattrs(inode, ipage, &base_addr); > if (error) > return error; > - last_base_addr = (void *)base_addr + xnode_size + inline_size; > + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); > > /* find entry with wanted name. */ > here = __find_xattr(base_addr, last_base_addr, index, len, name); > diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h > index 9172ee082ca8..1eca1a2d996a 100644 > --- a/fs/f2fs/xattr.h > +++ b/fs/f2fs/xattr.h > @@ -71,6 +71,8 @@ struct f2fs_xattr_entry { > entry = XATTR_NEXT_ENTRY(entry)) > #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer)) > #define XATTR_PADDING_SIZE (sizeof(__u32)) > +#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \ > + (inline_xattr_size(i)) + XATTR_PADDING_SIZE) > #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \ > VALID_XATTR_BLOCK_SIZE) > > ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary 2019-05-09 7:07 ` Chao Yu @ 2019-05-09 16:48 ` Jaegeuk Kim 2019-05-10 1:14 ` Chao Yu 0 siblings, 1 reply; 6+ messages in thread From: Jaegeuk Kim @ 2019-05-09 16:48 UTC (permalink / raw) To: Chao Yu; +Cc: Randall Huang, linux-f2fs-devel, linux-kernel On 05/09, Chao Yu wrote: > On 2019/5/9 12:15, Jaegeuk Kim wrote: > > On 04/11, Randall Huang wrote: > >> When we traverse xattr entries via __find_xattr(), > >> if the raw filesystem content is faked or any hardware failure occurs, > >> out-of-bound error can be detected by KASAN. > >> Fix the issue by introducing boundary check. > >> > >> [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c > >> [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task > >> [ 38.402935] c7 1827 Call trace: > >> [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc > >> [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c > >> [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 > >> [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 > >> [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc > >> [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc > >> [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 > >> [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c > >> [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 > >> [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc > >> [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 > >> [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 > >> [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 > >> [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 > >> [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 > >> [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc > >> [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 > >> [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 > >> [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 > >> [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 > >> [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c > >> [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 > >> > >> Bug: 126558260 > >> > >> Signed-off-by: Randall Huang <huangrandall@google.com> > >> --- > >> v2: > >> * return EFAULT if OOB error is detected > >> > >> v3: > >> * fix typo in setxattr() > >> > >> v4: > >> * change boundry definition > >> > >> v5: > >> * revise boundry definition > >> --- > >> fs/f2fs/xattr.c | 32 +++++++++++++++++++++++++++----- > >> 1 file changed, 27 insertions(+), 5 deletions(-) > >> > >> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c > >> index 848a785abe25..587429e29a69 100644 > >> --- a/fs/f2fs/xattr.c > >> +++ b/fs/f2fs/xattr.c > >> @@ -202,12 +202,18 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) > >> return handler; > >> } > >> > >> -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, > >> - size_t len, const char *name) > >> +static struct f2fs_xattr_entry *__find_xattr(void *base_addr, > >> + void *last_base_addr, int index, > >> + size_t len, const char *name) > >> { > >> struct f2fs_xattr_entry *entry; > >> > >> list_for_each_xattr(entry, base_addr) { > >> + if ((void *)(entry) + sizeof(__u32) > last_base_addr || > >> + (void *)XATTR_NEXT_ENTRY(entry) + > >> + sizeof(__u32) > last_base_addr) > >> + return NULL; > >> + > >> if (entry->e_name_index != index) > >> continue; > >> if (entry->e_name_len != len) > >> @@ -298,6 +304,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > >> void **base_addr, int *base_size) > >> { > >> void *cur_addr, *txattr_addr, *last_addr = NULL; > >> + void *last_txattr_addr = NULL; > >> nid_t xnid = F2FS_I(inode)->i_xattr_nid; > >> unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; > >> unsigned int inline_size = inline_xattr_size(inode); > >> @@ -311,6 +318,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > >> if (!txattr_addr) > >> return -ENOMEM; > >> > >> + last_txattr_addr = (void *)txattr_addr + inline_size + size; > > > > I just found this should be + XATTR_PADDING_SIZE. Otherwise, generic/026 fails. > > Let me know, if there is any other concern below. > > We're trying to use [txattr_addr, last_txattr_addr] to indicate valid range of > xattr datas, any valid entries across the boundary is not allowed, so I think > it's correct to exclude padding space for last_txattr_addr. Okay, how about this? From 2777e654371dd4207a3a7f4fb5fa39550053a080 Mon Sep 17 00:00:00 2001 From: Randall Huang <huangrandall@google.com> Date: Thu, 11 Apr 2019 16:26:46 +0800 Subject: [PATCH] f2fs: fix to avoid accessing xattr across the boundary When we traverse xattr entries via __find_xattr(), if the raw filesystem content is faked or any hardware failure occurs, out-of-bound error can be detected by KASAN. Fix the issue by introducing boundary check. [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task [ 38.402935] c7 1827 Call trace: [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140 [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8 [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8 [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0 [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938 [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38 [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98 [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348 [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774 [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520 [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4 [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8 [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68 [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38 Signed-off-by: Randall Huang <huangrandall@google.com> [Jaegeuk Kim: Fix wrong ending boundary] Reviewed-by: Chao Yu <yuchao0@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> --- fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++--------- fs/f2fs/xattr.h | 2 ++ 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 848a785abe25..e791741d193b 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -202,12 +202,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index) return handler; } -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index, - size_t len, const char *name) +static struct f2fs_xattr_entry *__find_xattr(void *base_addr, + void *last_base_addr, int index, + size_t len, const char *name) { struct f2fs_xattr_entry *entry; list_for_each_xattr(entry, base_addr) { + if ((void *)(entry) + sizeof(__u32) > last_base_addr || + (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) + return NULL; + if (entry->e_name_index != index) continue; if (entry->e_name_len != len) @@ -297,20 +302,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, const char *name, struct f2fs_xattr_entry **xe, void **base_addr, int *base_size) { - void *cur_addr, *txattr_addr, *last_addr = NULL; + void *cur_addr, *txattr_addr, *last_txattr_addr; + void *last_addr = NULL; nid_t xnid = F2FS_I(inode)->i_xattr_nid; - unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0; unsigned int inline_size = inline_xattr_size(inode); int err = 0; - if (!size && !inline_size) + if (!xnid && !inline_size) return -ENODATA; - *base_size = inline_size + size + XATTR_PADDING_SIZE; + *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE; txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); if (!txattr_addr) return -ENOMEM; + last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode); + /* read from inline xattr */ if (inline_size) { err = read_inline_xattr(inode, ipage, txattr_addr); @@ -337,7 +344,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, else cur_addr = txattr_addr; - *xe = __find_xattr(cur_addr, index, len, name); + *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name); + if (!*xe) { + err = -EFAULT; + goto out; + } check: if (IS_XATTR_LAST_ENTRY(*xe)) { err = -ENODATA; @@ -581,7 +592,8 @@ static int __f2fs_setxattr(struct inode *inode, int index, struct page *ipage, int flags) { struct f2fs_xattr_entry *here, *last; - void *base_addr; + void *base_addr, *last_base_addr; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; int found, newsize; size_t len; __u32 new_hsize; @@ -605,8 +617,14 @@ static int __f2fs_setxattr(struct inode *inode, int index, if (error) return error; + last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode); + /* find entry with wanted name. */ - here = __find_xattr(base_addr, index, len, name); + here = __find_xattr(base_addr, last_base_addr, index, len, name); + if (!here) { + error = -EFAULT; + goto exit; + } found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1; diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h index 9172ee082ca8..a90920e2f949 100644 --- a/fs/f2fs/xattr.h +++ b/fs/f2fs/xattr.h @@ -71,6 +71,8 @@ struct f2fs_xattr_entry { entry = XATTR_NEXT_ENTRY(entry)) #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer)) #define XATTR_PADDING_SIZE (sizeof(__u32)) +#define XATTR_SIZE(x,i) (((x) ? VALID_XATTR_BLOCK_SIZE : 0) + \ + (inline_xattr_size(i))) #define MIN_OFFSET(i) XATTR_ALIGN(inline_xattr_size(i) + \ VALID_XATTR_BLOCK_SIZE) -- 2.19.0.605.g01d371f741-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary 2019-05-09 16:48 ` Jaegeuk Kim @ 2019-05-10 1:14 ` Chao Yu 0 siblings, 0 replies; 6+ messages in thread From: Chao Yu @ 2019-05-10 1:14 UTC (permalink / raw) To: Jaegeuk Kim; +Cc: Randall Huang, linux-f2fs-devel, linux-kernel On 2019/5/10 0:48, Jaegeuk Kim wrote: > Okay, how about this? > >>From 2777e654371dd4207a3a7f4fb5fa39550053a080 Mon Sep 17 00:00:00 2001 > From: Randall Huang <huangrandall@google.com> > Date: Thu, 11 Apr 2019 16:26:46 +0800 > Subject: [PATCH] f2fs: fix to avoid accessing xattr across the boundary Looks good to me, and more clean. :) Thanks, ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-05-10 1:14 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-04-11 8:26 [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary Randall Huang 2019-04-12 2:05 ` Chao Yu 2019-05-09 4:15 ` Jaegeuk Kim 2019-05-09 7:07 ` Chao Yu 2019-05-09 16:48 ` Jaegeuk Kim 2019-05-10 1:14 ` Chao Yu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).