From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
To: rpeterso@redhat.com, agruenba@redhat.com
Cc: cluster-devel@redhat.com, linux-kernel@vger.kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org,
anant.thazhemadam@gmail.com,
syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Subject: [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
Date: Tue, 13 Oct 2020 20:56:48 +0530 [thread overview]
Message-ID: <20201013152648.438887-1-anant.thazhemadam@gmail.com> (raw)
In gfs2_read_sb(), if the condition
(d != sdp->sd_heightsize[x - 1] || m)
isn't satisfied (in the first 11 iterations), the loop continues,
and begins to perform out-of-bounds access.
Fix this out-of-bounds access by introducing a condition in the for loop
that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
accessed.
In addition to this, if the above condition is satisfied when
x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
out of the loop, then an out-of-bounds access is performed again while
assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
fail.
Fix this out-of-bounds access and ensure that the assertion doesn't fail
by introducing another variable "index", which keeps track of the last
valid value of x (pre-increment) that can be used.
Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
I have one question here (potentially a place where I suspect this
patch could have a fatal flaw and might need some rework).
sdp->sd_max_height = x;
sdp->sd_heightsize[x] = ~0;
Were these lines written with the logic that the value of x would be
equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
Or, is the expected value of x at these lines equal to
(sdp->sd_heightsize[]'s last index as filled in by the loop)?
I would appreciate it if someone could clarify for me, how this would
hold against the second potential out-of-bounds access I mentioned in my
commit message.
An additional comment (which I feel is of some significance) on this.
Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
were all 0.
This by extension also means that in gfs2_read_sb(), all the attributes
whose values were determined by performing some sort of calculation
involving any one of these variables all resulted in either 0 or a
negative value.
Simply doing the math will also show how this was also the primary reason
this OOB access occured in the first place.
However, I still feel that gfs2_read_sb() could do with this bit of checking,
since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
in all scenarios.
Anyways, coming back to my initial point. Can having values like that be
considered unacceptable and as something that needs to be handled (at
gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
fs/gfs2/ops_fstype.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..66ee8fb06ab9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
{
u32 hash_blocks, ind_blocks, leaf_blocks;
u32 tmp_blocks;
- unsigned int x;
+ unsigned int x, index;
int error;
error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
@@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
sizeof(struct gfs2_dinode);
sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
- for (x = 2;; x++) {
+ for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
u64 space, d;
u32 m;
- space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
+ index = x;
+ space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
d = space;
m = do_div(d, sdp->sd_inptrs);
- if (d != sdp->sd_heightsize[x - 1] || m)
+ if (d != sdp->sd_heightsize[index - 1] || m)
break;
- sdp->sd_heightsize[x] = space;
+ sdp->sd_heightsize[index] = space;
}
- sdp->sd_max_height = x;
- sdp->sd_heightsize[x] = ~0;
+ sdp->sd_max_height = index;
+ sdp->sd_heightsize[index] = ~0;
gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
--
2.25.1
next reply other threads:[~2020-10-13 15:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-13 15:26 Anant Thazhemadam [this message]
2020-10-14 13:04 ` [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() Andrew Price
2020-10-14 13:14 ` Anant Thazhemadam
2020-10-14 13:25 ` Fox Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201013152648.438887-1-anant.thazhemadam@gmail.com \
--to=anant.thazhemadam@gmail.com \
--cc=agruenba@redhat.com \
--cc=cluster-devel@redhat.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rpeterso@redhat.com \
--cc=syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).