On 4/20/23 16:44, Donald Buczek wrote: > Subject: > Re: [PATCH v3 03/11] documentation: Block Devices Snapshots Module > From: > Donald Buczek > Date: > 4/20/23, 16:44 > > To: > Sergei Shtepa , axboe@kernel.dk, hch@infradead.org, corbet@lwn.net, snitzer@kernel.org > CC: > viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, kch@nvidia.com, martin.petersen@oracle.com, vkoul@kernel.org, ming.lei@redhat.com, gregkh@linuxfoundation.org, linux-block@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org > > > On 4/19/23 21:42, Donald Buczek wrote: >> Dear Sergei, >> >> On 4/19/23 15:05, Sergei Shtepa wrote: >>> [...] >>> >>> Patches in attach and https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSergeiShtepa%2Flinux%2Ftree%2Fblksnap-master&data=05%7C01%7Csergei.shtepa%40veeam.com%7Cccc78e2cdf7845c6c0cd08db41add281%7Cba07baab431b49edadd7cbc3542f5140%7C1%7C0%7C638175987085694967%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RdrWqUwvk7gjfSRYvrPfz2E0%2BIOY6IQxK4xvpzJqcnk%3D&reserved=0 >> >> Thanks. I can confirm that this fixes the reported problem and I no longer can trigger the UAF. 😄 >> >> Tested-Bny: Donald Buczek >> >> Maybe you can add me to the cc list for v4 as I'm not subscribed to the lists. > > > Sorry, found another one. Reproducer: > > ===== > #! /bin/bash > set -xe > modprobe blksnap > test -e /scratch/local/test.dat || fallocate -l 1G /scratch/local/test.dat > s=$(blksnap snapshot_create -d /dev/vdb) > blksnap snapshot_appendstorage -i $s -f /scratch/local/test.dat > blksnap snapshot_take -i $s > s2=$(blksnap snapshot_create -d /dev/vdb) > blksnap snapshot_destroy -i $s2 > blksnap snapshot_destroy -i $s > ===== > > > [20382.402921] blksnap-snapshot: Snapshot ff1c54f1-3e8c-4c99-bb26-35e82dc1c9fa was created > [20382.535933] blksnap-image: Create snapshot image device for original device [253:16] > [20382.542405] blksnap-snapshot: Snapshot ff1c54f1-3e8c-4c99-bb26-35e82dc1c9fa was taken successfully > [20382.572564] blksnap-snapshot: Snapshot 4b2d571d-9a24-419d-96c2-8d64a07c4966 was created > [20382.600521] blksnap-snapshot: Destroy snapshot 4b2d571d-9a24-419d-96c2-8d64a07c4966 > [20382.602373] blksnap-snapshot: Release snapshot 4b2d571d-9a24-419d-96c2-8d64a07c4966 > [20382.722137] blksnap-snapshot: Destroy snapshot ff1c54f1-3e8c-4c99-bb26-35e82dc1c9fa > [20382.724033] blksnap-snapshot: Release snapshot ff1c54f1-3e8c-4c99-bb26-35e82dc1c9fa > [20382.725850] ================================================================== > [20382.727641] BUG: KASAN: wild-memory-access in snapshot_free+0x73/0x170 [blksnap] > [20382.729326] Write of size 8 at addr dead000000000108 by task blksnap/8297 > ... Great! Thanks. There is no protection against re-adding a block device to the snapshot. I'll take care of it. And small update. I have made a correction to the bio allocation algorithm for saving and loading chunks. Please, see attach and commit. Link: https://github.com/SergeiShtepa/linux/commit/2628dd193fd3d563d26d5ccc82d35b2e11bbda38 But cases of large chunks or very large disks have not yet been covered by tests, yet. I also had concerns that the snapshot writing algorithm was not working correctly. But the concerns were in vain. The new test is working. Link: https://github.com/veeam/blksnap/blob/stable-v2.0/tests/6000-snapimage_write.sh