linux-kernel.vger.kernel.org archive mirror
* Re: [BUG?]Set XIP mount option on ext2 bypass check.
       [not found] <4679A58C.2080008@21cn.com>
@ 2007-06-21  1:40 ` Yan Zheng
  2007-06-21 11:17   ` Carsten Otte
  0 siblings, 1 reply; 5+ messages in thread
From: Yan Zheng @ 2007-06-21  1:40 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel

I mount an ext2 fs, then remount it with the xip option set.
I get the message below when I do a write operation in the fs.

--------
kernel BUG at fs/ext2/xip.c:21!
invalid opcode: 0000 [#1]
SMP
last sysfs file: /class/net/eth0/carrier
Modules linked in: ext2 autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 dm_mirro
r dm_multipath video sbs i2c_ec button dock battery ac lp floppy snd_ens1371 gam
eport snd_rawmidi snd_ac97_codec pcnet32 ac97_bus snd_seq_dummy snd_seq_oss snd_
seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_time
r snd soundcore snd_page_alloc mii serio_raw parport_pc parport pcspkr BusLogic
i2c_piix4 i2c_core sg ext3 jbd mbcache squashfs dm_snapshot dm_mod loop sd_mod e
hci_hcd uhci_hcd ata_piix ata_generic libata sr_mod scsi_mod cdrom
CPU:    0
EIP:    0060:[<d8cba143>]    Not tainted VLI
EFLAGS: 00010246   (2.6.21-1.3194.fc7 #1)
EIP is at ext2_clear_xip_target+0x1e/0x47 [ext2]
eax: d887da00   ebx: d310e3c0   ecx: d0648bd4   edx: 00001e01
esi: d0648b4c   edi: 00000000   ebp: cc863e44   esp: cc863df8
ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
Process dd (pid: 3231, ti=cc863000 task=cd61b710 task.ti=cc863000)
Stack: 000000d8 ffffff10 00000200 00001e01 d8cb5b5b cc863e44 cc863e8c 00000c9f
       cd61b710 00000001 d0648bd4 00000000 cc863e50 00000001 00000001 00000400
       cc863e74 cc863e50 c043c220 d0648b4c 00001e01 00000000 00000f8c 00000e34
Call Trace:
 [<d8cb5b5b>] ext2_get_block+0x3f4/0x52b [ext2]
 [<c043c220>] clockevents_program_event+0xb2/0xb9
 [<c04bed36>] avc_has_perm+0x4e/0x58
 [<d8cba05d>] ext2_get_xip_page+0x65/0xde [ext2]
 [<c0473972>] xip_file_write+0x232/0x38d
 [<c0473740>] xip_file_write+0x0/0x38d
 [<c0475d33>] vfs_write+0xa8/0x154
 [<c0476342>] sys_write+0x41/0x67
 [<c0404f70>] syscall_call+0x7/0xb
 =======================
Code: 89 0c 24 e8 88 cd ff ff 83 c4 0c 5b c3 57 53 83 ec 08 8b 80 9c 00 00 00 8b
 98 98 00 00 00 8b 43 5c 8b 40 34 8b 78 14 85 ff 75 04 <0f> 0b eb fe 8d 44 24 04
 31 c9 c1 e2 03 89 04 24 89 d8 ff d7 85
EIP: [<d8cba143>] ext2_clear_xip_target+0x1e/0x47 [ext2] SS:ESP 0068:cc863df8


* Re: [BUG?]Set XIP mount option on ext2 bypass check.
  2007-06-21  1:40 ` [BUG?]Set XIP mount option on ext2 bypass check Yan Zheng
@ 2007-06-21 11:17   ` Carsten Otte
  2007-06-21 13:17     ` Carsten Otte
  0 siblings, 1 reply; 5+ messages in thread
From: Carsten Otte @ 2007-06-21 11:17 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Yan Zheng, linux-fsdevel, linux-kernel

Yan Zheng wrote:
> I mount an ext2 fs, then remount it with the xip option set.
> I get the message below when I do a write operation in the fs.
Ouch. Like on mount, we should refuse -o xip on remount. The patch 
below fixes this issue.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.6.22-rc4-mm/fs/ext2/super.c
===================================================================
--- linux-2.6.22-rc4-mm.orig/fs/ext2/super.c
+++ linux-2.6.22-rc4-mm/fs/ext2/super.c
@@ -1071,6 +1071,9 @@ static int ext2_remount (struct super_bl
  	sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
  		((sbi->s_mount_opt & EXT2_MOUNT_POSIX_ACL) ? MS_POSIXACL : 0);

+	ext2_xip_verify_sb(sb); /* see if bdev supports xip, unset
+				    EXT2_MOUNT_XIP if not */
+
  	es = sbi->s_es;
  	if (((sbi->s_mount_opt & EXT2_MOUNT_XIP) !=
  	    (old_mount_opt & EXT2_MOUNT_XIP)) &&
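
Review bot: the check added before "es = sbi->s_es" covers only the device side. Per its own comment, ext2_xip_verify_sb(sb) unsets EXT2_MOUNT_XIP when the bdev does not support xip, but nothing in this hunk tests the block size, so a remount with -o xip on a filesystem whose block size does not meet the xip requirement keeps the flag set. Add that test here and refuse the remount when it fails, as the updated version later in this thread does. Separately, nothing in the lines shown turns a dropped xip option into an error return, so the caller cannot tell that the option it asked for was not applied.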


* Re: [BUG?]Set XIP mount option on ext2 bypass check.
  2007-06-21 11:17   ` Carsten Otte
@ 2007-06-21 13:17     ` Carsten Otte
  2007-06-21 23:22       ` Arnd Bergmann
  0 siblings, 1 reply; 5+ messages in thread
From: Carsten Otte @ 2007-06-21 13:17 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Yan Zheng, linux-fsdevel, linux-kernel

This is an updated version of my bugfix patch. Yan Zheng pointed out
that ext2_remount lacks checking if -o xip should be enabled or not.
This patch checks for presence of direct_access on the backing block
device and if the blocksize meets the requirements.
Andrew, please consider adding this patch to -mm.

Signed-off-by: Carsten Otte <cotte@de.ibm.com>
---
Index: linux-2.6.22-rc4-mm/fs/ext2/super.c
===================================================================
--- linux-2.6.22-rc4-mm.orig/fs/ext2/super.c
+++ linux-2.6.22-rc4-mm/fs/ext2/super.c
@@ -1071,6 +1071,14 @@ static int ext2_remount (struct super_bl
 	sb->s_flags = (sb->s_flags & ~MS_POSIXACL) |
 		((sbi->s_mount_opt & EXT2_MOUNT_POSIX_ACL) ? MS_POSIXACL : 0);
 
+	ext2_xip_verify_sb(sb); /* see if bdev supports xip, unset
+				    EXT2_MOUNT_XIP if not */
+
+	if ((ext2_use_xip(sb)) && (sb->s_blocksize != PAGE_SIZE)) {
+		printk("XIP: Unsupported blocksize\n");
+		goto restore_opts; 
+	}
+
 	es = sbi->s_es;
 	if (((sbi->s_mount_opt & EXT2_MOUNT_XIP) !=
 	    (old_mount_opt & EXT2_MOUNT_XIP)) &&
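
Review bot: the new blocksize branch does "goto restore_opts" without assigning an error code in the lines shown. Unless the function's return value already holds a failure at this point, the old options are restored but the caller is not told that the remount was refused; set the return value to -EINVAL before the goto. Smaller points in the same block: the printk carries no KERN_ log level, there is a trailing space after "goto restore_opts;", and the parentheses around ext2_use_xip(sb) are redundant.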




* Re: [BUG?]Set XIP mount option on ext2 bypass check.
  2007-06-21 13:17     ` Carsten Otte
@ 2007-06-21 23:22       ` Arnd Bergmann
  2007-06-22 12:19         ` Satyam Sharma
  0 siblings, 1 reply; 5+ messages in thread
From: Arnd Bergmann @ 2007-06-21 23:22 UTC (permalink / raw)
  To: Carsten Otte; +Cc: Andrew Morton, Yan Zheng, linux-fsdevel, linux-kernel

On Thursday 21 June 2007, Carsten Otte wrote:
> 
> This is an updated version of my bugfix patch. Yan Zheng pointed out
> that ext2_remount lacks checking if -o xip should be enabled or not.
> This patch checks for presence of direct_access on the backing block
> device and if the blocksize meets the requirements.
> Andrew, please consider adding this patch to -mm.
> 
> Signed-off-by: Carsten Otte <cotte@de.ibm.com>

It looks to me like a local denial of service attack in case of
user-mountable ext2 file systems in /etc/fstab.

Shouldn't that make it go into 2.6.22?

	Arnd <><
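
Added example (not part of the thread or of any poster's message): a small audit for the exposure described above, listing fstab entries whose filesystem type is ext2 and whose options let unprivileged users mount them, and noting whether xip is among the options. The sample fstab is constructed; the function name and the handling of no<option> negations are assumptions of this sketch.

```python
"""Added example: find user-mountable ext2 entries in an fstab (constructed input)."""

# Options that let a non-root user mount the entry (see mount(8)).
USER_MOUNT_OPTS = {"user", "users", "owner", "group"}

# Constructed sample fstab, not taken from the thread.
SAMPLE_FSTAB = """\
# <device>  <mountpoint>  <type>  <options>          <dump> <pass>
/dev/sda1   /             ext3    defaults           1 1
/dev/fd0    /media/fd     ext2    noauto,user        0 0
/dev/sdb1   /mnt/xip      ext2    noauto,users,xip   0 0
/dev/sdc1   /mnt/data     ext2    user,nouser        0 0
/dev/sdd1   /mnt/usb      auto    noauto,owner       0 0
"""


def user_mountable_ext2(fstab_text, fstypes=("ext2",)):
    """Return (lineno, device, mountpoint, user_opts, has_xip) per risky entry."""
    findings = []
    for lineno, raw in enumerate(fstab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # no options field: nothing grants user mounts
        device, mountpoint, vfstype, options = fields[:4]
        if not set(vfstype.split(",")) & set(fstypes):
            continue
        enabled = set()
        has_xip = False
        for opt in options.split(","):
            name = opt.split("=", 1)[0]
            if name in USER_MOUNT_OPTS:
                enabled.add(name)
            elif name.startswith("no") and name[2:] in USER_MOUNT_OPTS:
                enabled.discard(name[2:])  # assumption: a later no<opt> wins
            elif name == "xip":
                has_xip = True
        if enabled:
            findings.append((lineno, device, mountpoint, sorted(enabled), has_xip))
    return findings


if __name__ == "__main__":
    for finding in user_mountable_ext2(SAMPLE_FSTAB, fstypes=("ext2", "auto")):
        print("line %d: %s on %s user_opts=%s xip=%s" % finding)
```

Passing fstypes=("ext2", "auto") also reports entries whose type is probed at mount time and could therefore turn out to be ext2.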


* Re: [BUG?]Set XIP mount option on ext2 bypass check.
  2007-06-21 23:22       ` Arnd Bergmann
@ 2007-06-22 12:19         ` Satyam Sharma
  0 siblings, 0 replies; 5+ messages in thread
From: Satyam Sharma @ 2007-06-22 12:19 UTC (permalink / raw)
  To: Arnd Bergmann
  Cc: Carsten Otte, Andrew Morton, Yan Zheng, linux-fsdevel, linux-kernel

Hi,

On 6/22/07, Arnd Bergmann <arnd@arndb.de> wrote:
> On Thursday 21 June 2007, Carsten Otte wrote:
> >
> > This is an updated version of my bugfix patch. Yan Zheng pointed out
> > that ext2_remount lacks checking if -o xip should be enabled or not.
> > This patch checks for presence of direct_access on the backing block
> > device and if the blocksize meets the requirements.
> > Andrew, please consider adding this patch to -mm.
> >
> > Signed-off-by: Carsten Otte <cotte@de.ibm.com>
>
> It looks to me like a local denial of service attack in case of
> user-mountable ext2 file systems in /etc/fstab.
>
> Shouldn't that make it go into 2.6.22?

I agree. I would go on to suggest that all trivially-triggered oopsen /
panics from userspace (even if they require privileges, such as the
cat /dev/snapshot == oops issue posted last week) in fact ought to
be CVEs, and the corresponding fixes for such issues be considered
as candidates for -stable, if applicable to the current stable kernel.

Satyam

