Re: KASAN: stack-out-of-bounds in iov_iter_revert

From: Pavel Begunkov <asml.silence@gmail.com>
To: Sudip Mukherjee <sudipm.mukherjee@gmail.com>,
	Jens Axboe <axboe@kernel.dk>
Cc: io-uring@vger.kernel.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: KASAN: stack-out-of-bounds in iov_iter_revert
Date: Sun, 1 Aug 2021 09:52:24 +0100	[thread overview]
Message-ID: <4c339bea-87ff-cb41-732f-05fc5aff18fa@gmail.com> (raw)
In-Reply-To: <f38b93f3-4cdb-1f9b-bd81-51d32275555e@gmail.com>

On 8/1/21 1:10 AM, Pavel Begunkov wrote:
> On 7/31/21 7:21 PM, Sudip Mukherjee wrote:
>> Hi Jens, Pavel,
>>
>> We had been running syzkaller on v5.10.y and a "KASAN:
>> stack-out-of-bounds in iov_iter_revert" was being reported on it. I
>> got some time to check that today and have managed to get a syzkaller
>> reproducer. I dont have a C reproducer which I can share but I can use
>> the syz-reproducer to reproduce this with v5.14-rc3 and also with
>> next-20210730.
> 
> Can you try out the diff below? Not a full-fledged fix, but need to
> check a hunch.
> 
> If that's important, I was using this branch:
> git://git.kernel.dk/linux-block io_uring-5.14

Or better this one, just in case it ooopses on warnings.

diff --git a/fs/io_uring.c b/fs/io_uring.c
index bf548af0426c..12284616854b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3316,6 +3316,11 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
 		/* no retry on NONBLOCK nor RWF_NOWAIT */
 		if (req->flags & REQ_F_NOWAIT)
 			goto done;
+		if (iter->truncated) {
+			printk("truncated rd: %i\n", (int)iter->truncated);
+			iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+			iter->truncated = 0;
+		}
 		/* some cases will consume bytes even on error returns */
 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
 		ret = 0;
@@ -3455,6 +3460,11 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 		kiocb_done(kiocb, ret2, issue_flags);
 	} else {
 copy_iov:
+		if (iter->truncated) {
+			printk("truncated wr: %i\n", (int)iter->truncated);
+			iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+			iter->truncated = 0;
+		}
 		/* some cases will consume bytes even on error returns */
 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
diff --git a/include/linux/uio.h b/include/linux/uio.h
index 82c3c3e819e0..eff06d139fd4 100644
--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -30,6 +30,7 @@ enum iter_type {
 struct iov_iter {
 	u8 iter_type;
 	bool data_source;
+	u16 truncated;
 	size_t iov_offset;
 	size_t count;
 	union {
@@ -254,8 +255,10 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
 	 * conversion in assignement is by definition greater than all
 	 * values of size_t, including old i->count.
 	 */
-	if (i->count > count)
+	if (i->count > count) {
+		i->truncated += i->count - count;
 		i->count = count;
+	}
 }
 
 /*
@@ -264,6 +267,8 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
  */
 static inline void iov_iter_reexpand(struct iov_iter *i, size_t count)
 {
+	WARN_ON_ONCE(i->count > count);
+	i->truncated -= count - i->count;
 	i->count = count;
 }
 

