linux-kernel.vger.kernel.org archive mirror
From: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
To: Zhe Li <lizhe67@huawei.com>, "richard@nod.at" <richard@nod.at>,
	"dwmw2@infradead.org" <dwmw2@infradead.org>,
	"linux-mtd@lists.infradead.org" <linux-mtd@lists.infradead.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: "wangfangpeng1@huawei.com" <wangfangpeng1@huawei.com>,
	"xukunkun1@huawei.com" <xukunkun1@huawei.com>,
	"zhongjubin@huawei.com" <zhongjubin@huawei.com>,
	"chenjie6@huawei.com" <chenjie6@huawei.com>
Subject: Re: [PATCH] jffs2: fix kasan slab-out-of-bounds problem
Date: Mon, 22 Mar 2021 20:07:37 +0000	[thread overview]
Message-ID: <CY4PR1001MB2389E99ECB5B04A65BE35E22F4659@CY4PR1001MB2389.namprd10.prod.outlook.com> (raw)
In-Reply-To: <20210318030657.22840-1-lizhe67@huawei.com>

Reviewed-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>

It would be interesting to know how you managed to create such a dir entry as that is a bug too.
________________________________________
From: linux-mtd <linux-mtd-bounces@lists.infradead.org> on behalf of Zhe Li <lizhe67@huawei.com>
Sent: 18 March 2021 04:06
To: richard@nod.at; dwmw2@infradead.org; linux-mtd@lists.infradead.org; linux-kernel@vger.kernel.org
Cc: lizhe67@huawei.com; wangfangpeng1@huawei.com; xukunkun1@huawei.com; zhongjubin@huawei.com; chenjie6@huawei.com
Subject: [PATCH] jffs2: fix kasan slab-out-of-bounds problem

From: lizhe <lizhe67@huawei.com>

KASAN reports a slab-out-of-bounds problem. The logs are listed below.
It is because in function jffs2_scan_dirent_node, we allocate "checkedlen+1"
bytes for fd->name and we check the CRC with length rd->nsize. If checkedlen
is less than rd->nsize, it will cause the slab-out-of-bounds problem.

jffs2: Dirent at *** has zeroes in name. Truncating to %d char
==================================================================
BUG: KASAN: slab-out-of-bounds in crc32_le+0x1ce/0x260 at addr ffff8800842cf2d1
Read of size 1 by task test_JFFS2/915
=============================================================================
BUG kmalloc-64 (Tainted: G    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in jffs2_alloc_full_dirent+0x2a/0x40 age=0 cpu=1 pid=915
        ___slab_alloc+0x580/0x5f0
        __slab_alloc.isra.24+0x4e/0x64
        __kmalloc+0x170/0x300
        jffs2_alloc_full_dirent+0x2a/0x40
        jffs2_scan_eraseblock+0x1ca4/0x3b64
        jffs2_scan_medium+0x285/0xfe0
        jffs2_do_mount_fs+0x5fb/0x1bbc
        jffs2_do_fill_super+0x245/0x6f0
        jffs2_fill_super+0x287/0x2e0
        mount_mtd_aux.isra.0+0x9a/0x144
        mount_mtd+0x222/0x2f0
        jffs2_mount+0x41/0x60
        mount_fs+0x63/0x230
        vfs_kern_mount.part.6+0x6c/0x1f4
        do_mount+0xae8/0x1940
        SyS_mount+0x105/0x1d0
INFO: Freed in jffs2_free_full_dirent+0x22/0x40 age=27 cpu=1 pid=915
        __slab_free+0x372/0x4e4
        kfree+0x1d4/0x20c
        jffs2_free_full_dirent+0x22/0x40
        jffs2_build_remove_unlinked_inode+0x17a/0x1e4
        jffs2_do_mount_fs+0x1646/0x1bbc
        jffs2_do_fill_super+0x245/0x6f0
        jffs2_fill_super+0x287/0x2e0
        mount_mtd_aux.isra.0+0x9a/0x144
        mount_mtd+0x222/0x2f0
        jffs2_mount+0x41/0x60
        mount_fs+0x63/0x230
        vfs_kern_mount.part.6+0x6c/0x1f4
        do_mount+0xae8/0x1940
        SyS_mount+0x105/0x1d0
        entry_SYSCALL_64_fastpath+0x1e/0x97
Call Trace:
 [<ffffffff815befef>] dump_stack+0x59/0x7e
 [<ffffffff812d1d65>] print_trailer+0x125/0x1b0
 [<ffffffff812d82c8>] object_err+0x34/0x40
 [<ffffffff812dadef>] kasan_report.part.1+0x21f/0x534
 [<ffffffff81132401>] ? vprintk+0x2d/0x40
 [<ffffffff815f1ee2>] ? crc32_le+0x1ce/0x260
 [<ffffffff812db41a>] kasan_report+0x26/0x30
 [<ffffffff812d9fc1>] __asan_load1+0x3d/0x50
 [<ffffffff815f1ee2>] crc32_le+0x1ce/0x260
 [<ffffffff814764ae>] ? jffs2_alloc_full_dirent+0x2a/0x40
 [<ffffffff81485cec>] jffs2_scan_eraseblock+0x1d0c/0x3b64
 [<ffffffff81488813>] ? jffs2_scan_medium+0xccf/0xfe0
 [<ffffffff81483fe0>] ? jffs2_scan_make_ino_cache+0x14c/0x14c
 [<ffffffff812da3e9>] ? kasan_unpoison_shadow+0x35/0x50
 [<ffffffff812da3e9>] ? kasan_unpoison_shadow+0x35/0x50
 [<ffffffff812da462>] ? kasan_kmalloc+0x5e/0x70
 [<ffffffff812d5d90>] ? kmem_cache_alloc_trace+0x10c/0x2cc
 [<ffffffff818169fb>] ? mtd_point+0xf7/0x130
 [<ffffffff81487dc9>] jffs2_scan_medium+0x285/0xfe0
 [<ffffffff81487b44>] ? jffs2_scan_eraseblock+0x3b64/0x3b64
 [<ffffffff812da3e9>] ? kasan_unpoison_shadow+0x35/0x50
 [<ffffffff812da3e9>] ? kasan_unpoison_shadow+0x35/0x50
 [<ffffffff812da462>] ? kasan_kmalloc+0x5e/0x70
 [<ffffffff812d57df>] ? __kmalloc+0x12b/0x300
 [<ffffffff812da462>] ? kasan_kmalloc+0x5e/0x70
 [<ffffffff814a2753>] ? jffs2_sum_init+0x9f/0x240
 [<ffffffff8148b2ff>] jffs2_do_mount_fs+0x5fb/0x1bbc
 [<ffffffff8148ad04>] ? jffs2_del_noinode_dirent+0x640/0x640
 [<ffffffff812da462>] ? kasan_kmalloc+0x5e/0x70
 [<ffffffff81127c5b>] ? __init_rwsem+0x97/0xac
 [<ffffffff81492349>] jffs2_do_fill_super+0x245/0x6f0
 [<ffffffff81493c5b>] jffs2_fill_super+0x287/0x2e0
 [<ffffffff814939d4>] ? jffs2_parse_options+0x594/0x594
 [<ffffffff81819bea>] mount_mtd_aux.isra.0+0x9a/0x144
 [<ffffffff81819eb6>] mount_mtd+0x222/0x2f0
 [<ffffffff814939d4>] ? jffs2_parse_options+0x594/0x594
 [<ffffffff81819c94>] ? mount_mtd_aux.isra.0+0x144/0x144
 [<ffffffff81258757>] ? free_pages+0x13/0x1c
 [<ffffffff814fa0ac>] ? selinux_sb_copy_data+0x278/0x2e0
 [<ffffffff81492b35>] jffs2_mount+0x41/0x60
 [<ffffffff81302fb7>] mount_fs+0x63/0x230
 [<ffffffff8133755f>] ? alloc_vfsmnt+0x32f/0x3b0
 [<ffffffff81337f2c>] vfs_kern_mount.part.6+0x6c/0x1f4
 [<ffffffff8133ceec>] do_mount+0xae8/0x1940
 [<ffffffff811b94e0>] ? audit_filter_rules.constprop.6+0x1d10/0x1d10
 [<ffffffff8133c404>] ? copy_mount_string+0x40/0x40
 [<ffffffff812cbf78>] ? alloc_pages_current+0xa4/0x1bc
 [<ffffffff81253a89>] ? __get_free_pages+0x25/0x50
 [<ffffffff81338993>] ? copy_mount_options.part.17+0x183/0x264
 [<ffffffff8133e3a9>] SyS_mount+0x105/0x1d0
 [<ffffffff8133e2a4>] ? copy_mnt_ns+0x560/0x560
 [<ffffffff810e8391>] ? msa_space_switch_handler+0x13d/0x190
 [<ffffffff81be184a>] entry_SYSCALL_64_fastpath+0x1e/0x97
 [<ffffffff810e9274>] ? msa_space_switch+0xb0/0xe0
Memory state around the buggy address:
 ffff8800842cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800842cf280: fc fc fc fc fc fc 00 00 00 00 01 fc fc fc fc fc
                                                 ^
 ffff8800842cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800842cf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Reported-by: Kunkun Xu <xukunkun1@huawei.com>
Signed-off-by: lizhe <lizhe67@huawei.com>
---
 fs/jffs2/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index db72a9d..b676056 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -1079,7 +1079,7 @@ static int jffs2_scan_dirent_node(struct jffs2_sb_info *c, struct jffs2_eraseblo
        memcpy(&fd->name, rd->name, checkedlen);
        fd->name[checkedlen] = 0;

-       crc = crc32(0, fd->name, rd->nsize);
+       crc = crc32(0, fd->name, checkedlen);
        if (crc != je32_to_cpu(rd->name_crc)) {
                pr_notice("%s(): Name CRC failed on node at 0x%08x: Read 0x%08x, calculated 0x%08x\n",
                          __func__, ofs, je32_to_cpu(rd->name_crc), crc);
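Review bot: using checkedlen as the CRC length does stop the over-read (fd->name was allocated with checkedlen + 1 bytes and the memcpy above copies only checkedlen), but when checkedlen < rd->nsize the stored rd->name_crc was computed over the full nsize bytes, so the comparison on the next line will now fail for exactly the truncated dirents this patch targets and they fall into the pr_notice branch below. That is the safe outcome, but the commit message should state that such an entry is now rejected as a name CRC failure rather than accepted, and it would help to answer the question raised in the reply about how a dirent with zeroes in its name was written in the first place.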
--
2.7.4
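The arithmetic in the changelog is easy to lose in the log, so here is an added userland model of the truncation, allocation and CRC lengths involved (an example written for this archive page, not kernel code and not part of the patch). struct raw_dirent, the CRC routine and make_dirent are simplifications assumed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Simplified raw dirent (assumption: the on-flash struct carries more fields than this). */
struct raw_dirent {
    uint8_t  nsize;     /* name length recorded on flash */
    uint32_t name_crc;  /* CRC the writer computed over all nsize name bytes */
    uint8_t  name[32];  /* raw name bytes; may contain embedded zeros */
};
/* Reflected CRC-32 without initial/final inversion, modelled on the kernel's crc32_le
 * (assumption; only the length argument matters for this demonstration). */
static uint32_t crc32_le(uint32_t crc, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}
/* checkedlen: the scanner stops at the first embedded zero (strnlen in the kernel), which is
 * the "has zeroes in name. Truncating" case in the KASAN log above. */
static size_t checked_len(struct raw_dirent rd)
{
    size_t n = 0;
    while (n < rd.nsize && rd.name[n] != 0) n++;
    return n;
}
/* Bytes the CRC would read beyond the checkedlen+1 byte fd->name allocation; 0 means in bounds. */
size_t crc_overread(struct raw_dirent rd, int fixed)
{
    size_t bufsize = checked_len(rd) + 1;               /* jffs2_alloc_full_dirent(checkedlen + 1) */
    size_t crclen = fixed ? checked_len(rd) : rd.nsize; /* the one-line change in the patch */
    return crclen > bufsize ? crclen - bufsize : 0;
}
/* With the patch applied, does a CRC over checkedlen bytes still match the stored name_crc? */
int name_crc_matches_fixed(struct raw_dirent rd)
{
    return crc32_le(0, rd.name, checked_len(rd)) == rd.name_crc;
}
/* Constructed sample builder: nsize raw bytes, name_crc computed over all of them as the writer did. */
struct raw_dirent make_dirent(const char *bytes, uint8_t nsize)
{
    uint8_t n = nsize > 32 ? 32 : nsize;     /* clamp to the field size */
    struct raw_dirent rd = { .nsize = n };
    memcpy(rd.name, bytes, n);
    rd.name_crc = crc32_le(0, rd.name, n);
    return rd;
}
```

For the constructed name "ab\0cdefg" with nsize 8, checkedlen is 2, so the old CRC call reads 5 bytes past the 3-byte allocation, while the patched call stays in bounds and then fails the name CRC comparison, which is how the truncated node gets rejected.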



Thread overview: 3+ messages
2021-03-18  3:06 [PATCH] jffs2: fix kasan slab-out-of-bounds problem Zhe Li
2021-03-22 20:07 ` Joakim Tjernlund [this message]
2021-03-25  8:31   ` Zhe Li
