From: Andrew Price <anprice@redhat.com>
To: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Cc: rpeterso@redhat.com, agruenba@redhat.com,
cluster-devel@redhat.com,
linux-kernel-mentees@lists.linuxfoundation.org,
linux-kernel@vger.kernel.org,
syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com,
Fox Chen <foxhlchen@gmail.com>
Subject: Re: [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb()
Date: Wed, 14 Oct 2020 14:04:10 +0100 [thread overview]
Message-ID: <d75dc535-00be-3aa7-addb-c2615b202b56@redhat.com> (raw)
In-Reply-To: <20201013152648.438887-1-anant.thazhemadam@gmail.com>
On 13/10/2020 16:26, Anant Thazhemadam wrote:
> In gfs2_read_sb(), if the condition
> (d != sdp->sd_heightsize[x - 1] || m)
> isn't satisfied (in the first 11 iterations), the loop continues,
> and begins to perform out-of-bounds access.
> Fix this out-of-bounds access by introducing a condition in the for loop
> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
> accessed.
>
> In addition to this, if the above condition is satisfied when
> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
> out of the loop, then an out-of-bounds access is performed again while
> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
> fail.
> Fix this out-of-bounds access and ensure that the assertion doesn't fail
> by introducing another variable "index", which keeps track of the last
> valid value of x (pre-increment) that can be used.
That's not quite the right approach. Your analysis below is correct: the
problem stems from the block size in the superblock being zeroed by the
fuzzer. So the correct fix would be to add a validation check for
sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers
of 2 between 512 and the page size.
Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has
attempted to fix this also[1], but I don't know if they plan to send
another patch.
[1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html
Thanks,
Andy
> Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
>
> I have one question here (potentially a place where I suspect this
> patch could have a fatal flaw and might need some rework).
>
> sdp->sd_max_height = x;
> sdp->sd_heightsize[x] = ~0;
>
> Were these lines written with the logic that the value of x would be
> equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
> Or, is the expected value of x at these lines equal to
> (sdp->sd_heightsize[]'s last index as filled in by the loop)?
> I would appreciate it if someone could clarify for me, how this would
> hold against the second potential out-of-bounds access I mentioned in my
> commit message.
>
> An additional comment (which I feel is of some significance) on this.
> Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
> sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
> were all 0.
> This by extension also means that in gfs2_read_sb(), all the attributes
> whose values were determined by performing some sort of calculation
> involving any one of these variables all resulted in either 0 or a
> negative value.
> Simply doing the math will also show how this was also the primary reason
> this OOB access occured in the first place.
> However, I still feel that gfs2_read_sb() could do with this bit of checking,
> since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
> in all scenarios.
> Anyways, coming back to my initial point. Can having values like that be
> considered unacceptable and as something that needs to be handled (at
> gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
>
> fs/gfs2/ops_fstype.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
> index 6d18d2c91add..66ee8fb06ab9 100644
> --- a/fs/gfs2/ops_fstype.c
> +++ b/fs/gfs2/ops_fstype.c
> @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> {
> u32 hash_blocks, ind_blocks, leaf_blocks;
> u32 tmp_blocks;
> - unsigned int x;
> + unsigned int x, index;
> int error;
>
> error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
> @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
> sizeof(struct gfs2_dinode);
> sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
> - for (x = 2;; x++) {
> + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
> u64 space, d;
> u32 m;
>
> - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
> + index = x;
> + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
> d = space;
> m = do_div(d, sdp->sd_inptrs);
>
> - if (d != sdp->sd_heightsize[x - 1] || m)
> + if (d != sdp->sd_heightsize[index - 1] || m)
> break;
> - sdp->sd_heightsize[x] = space;
> + sdp->sd_heightsize[index] = space;
> }
> - sdp->sd_max_height = x;
> - sdp->sd_heightsize[x] = ~0;
> + sdp->sd_max_height = index;
> + sdp->sd_heightsize[index] = ~0;
> gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
>
> sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
>
next prev parent reply other threads:[~2020-10-14 13:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-13 15:26 [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() Anant Thazhemadam
2020-10-14 13:04 ` Andrew Price [this message]
2020-10-14 13:14 ` [Cluster-devel] " Anant Thazhemadam
2020-10-14 13:25 ` Fox Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d75dc535-00be-3aa7-addb-c2615b202b56@redhat.com \
--to=anprice@redhat.com \
--cc=agruenba@redhat.com \
--cc=anant.thazhemadam@gmail.com \
--cc=cluster-devel@redhat.com \
--cc=foxhlchen@gmail.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rpeterso@redhat.com \
--cc=syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).