| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Feb 2017 09:25:21 +0800
From: Wei Fang <fangwei1@...wei.com>
To: Ben Hutchings <ben@...adent.org.uk>,
<linux-kernel@...r.kernel.org>, <stable@...r.kernel.org>
CC: <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Christoph Hellwig <hch@...radead.org>,
"Al Viro" <viro@...iv.linux.org.uk>,
Dave Chinner <david@...morbit.com>
Subject: Re: [PATCH 3.16 105/306] vfs,mm: fix a dead loop in
truncate_inode_pages_range()
Hi, Ben,
Commit d05c5f7ba164 "vfs,mm: fix return value of read() at s_maxbytes"
need be backported with this patch, otherwise we'll get an error when
reading at the end of the file.
Thanks,
Wei
On 2017/2/16 6:41, Ben Hutchings wrote:
> 3.16.40-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Wei Fang <fangwei1@...wei.com>
>
> commit c2a9737f45e27d8263ff9643f994bda9bac0b944 upstream.
>
> We triggered a deadloop in truncate_inode_pages_range() on 32 bits
> architecture with the test case bellow:
>
> ...
> fd = open();
> write(fd, buf, 4096);
> preadv64(fd, &iovec, 1, 0xffffffff000);
> ftruncate(fd, 0);
> ...
>
> Then ftruncate() will not return forever.
>
> The filesystem used in this case is ubifs, but it can be triggered on
> many other filesystems.
>
> When preadv64() is called with offset=0xffffffff000, a page with
> index=0xffffffff will be added to the radix tree of ->mapping. Then
> this page can be found in ->mapping with pagevec_lookup(). After that,
> truncate_inode_pages_range(), which is called in ftruncate(), will fall
> into an infinite loop:
>
> - find a page with index=0xffffffff, since index>=end, this page won't
> be truncated
>
> - index++, and index become 0
>
> - the page with index=0xffffffff will be found again
>
> The data type of index is unsigned long, so index won't overflow to 0 on
> 64 bits architecture in this case, and the dead loop won't happen.
>
> Since truncate_inode_pages_range() is executed with holding lock of
> inode->i_rwsem, any operation related with this lock will be blocked,
> and a hung task will happen, e.g.:
>
> INFO: task truncate_test:3364 blocked for more than 120 seconds.
> ...
> call_rwsem_down_write_failed+0x17/0x30
> generic_file_write_iter+0x32/0x1c0
> ubifs_write_iter+0xcc/0x170
> __vfs_write+0xc4/0x120
> vfs_write+0xb2/0x1b0
> SyS_write+0x46/0xa0
>
> The page with index=0xffffffff added to ->mapping is useless. Fix this
> by checking the read position before allocating pages.
>
> Link: http://lkml.kernel.org/r/1475151010-40166-1-git-send-email-fangwei1@huawei.com
> Signed-off-by: Wei Fang <fangwei1@...wei.com>
> Cc: Christoph Hellwig <hch@...radead.org>
> Cc: Dave Chinner <david@...morbit.com>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> [bwh: Backported to 3.16: adjust context]
> Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
> ---
> mm/filemap.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -1464,6 +1464,10 @@ static ssize_t do_generic_file_read(stru
> unsigned int prev_offset;
> int error = 0;
>
> + if (unlikely(*ppos >= inode->i_sb->s_maxbytes))
> + return -EINVAL;
> + iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
> +
> index = *ppos >> PAGE_CACHE_SHIFT;
> prev_index = ra->prev_pos >> PAGE_CACHE_SHIFT;
> prev_offset = ra->prev_pos & (PAGE_CACHE_SIZE-1);
>
Powered by blists - more mailing lists