lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 16 Apr 2020 13:08:55 +0530
From:   Ritesh Harjani <riteshh@...ux.ibm.com>
To:     Jan Kara <jack@...e.cz>
Cc:     tytso@....edu, linux-ext4@...r.kernel.org, adilger@...ger.ca,
        darrick.wong@...cle.com, hch@...radead.org,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-xfs@...r.kernel.org, willy@...radead.org,
        linux-unionfs@...r.kernel.org,
        syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com
Subject: Re: [RFC 1/1] ext4: Fix overflow case for map.m_len in
 ext4_iomap_begin_*


Sorry Jan and others. Please ignore this patch.
I will resend a proper one after making sure it is tested via syzbot.

On 4/14/20 9:20 PM, Jan Kara wrote:
> On Sun 12-04-20 14:54:35, Ritesh Harjani wrote:
>> EXT4_MAX_LOGICAL_BLOCK - map.m_lblk + 1 in case when
>> map.m_lblk (offset) is 0 could overflow an unsigned int
>> and become 0.
>>
>> Fix this.
>>
>> Signed-off-by: Ritesh Harjani <riteshh@...ux.ibm.com>
>> Reported-by: syzbot+77fa5bdb65cc39711820@...kaller.appspotmail.com
>> Fixes: d3b6f23f7167 ("ext4: move ext4_fiemap to use iomap framework")
> 
> The patch looks good to me. You can add:
> 
> Reviewed-by: Jan Kara <jack@...e.cz>
> 
> 								Honza
> 
>> ---
>>   fs/ext4/inode.c | 12 ++++++++++--
>>   1 file changed, 10 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
>> index e416096fc081..d630ec7a9c8e 100644
>> --- a/fs/ext4/inode.c
>> +++ b/fs/ext4/inode.c
>> @@ -3424,6 +3424,7 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
>>   	int ret;
>>   	struct ext4_map_blocks map;
>>   	u8 blkbits = inode->i_blkbits;
>> +	loff_t len;
>>   
>>   	if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
>>   		return -EINVAL;
>> @@ -3435,8 +3436,11 @@ static int ext4_iomap_begin(struct inode *inode, loff_t offset, loff_t length,
>>   	 * Calculate the first and last logical blocks respectively.
>>   	 */
>>   	map.m_lblk = offset >> blkbits;
>> -	map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> +	len = min_t(loff_t, (offset + length - 1) >> blkbits,
>>   			  EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1;
>> +	if (len > EXT4_MAX_LOGICAL_BLOCK)
>> +		len = EXT4_MAX_LOGICAL_BLOCK;
>> +	map.m_len = len;
>>   
>>   	if (flags & IOMAP_WRITE)
>>   		ret = ext4_iomap_alloc(inode, &map, flags);
>> @@ -3524,6 +3528,7 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset,
>>   	bool delalloc = false;
>>   	struct ext4_map_blocks map;
>>   	u8 blkbits = inode->i_blkbits;
>> +	loff_t len
>>   
>>   	if ((offset >> blkbits) > EXT4_MAX_LOGICAL_BLOCK)
>>   		return -EINVAL;
>> @@ -3541,8 +3546,11 @@ static int ext4_iomap_begin_report(struct inode *inode, loff_t offset,
>>   	 * Calculate the first and last logical block respectively.
>>   	 */
>>   	map.m_lblk = offset >> blkbits;
>> -	map.m_len = min_t(loff_t, (offset + length - 1) >> blkbits,
>> +	len = min_t(loff_t, (offset + length - 1) >> blkbits,
>>   			  EXT4_MAX_LOGICAL_BLOCK) - map.m_lblk + 1;
>> +	if (len > EXT4_MAX_LOGICAL_BLOCK)
>> +		len = EXT4_MAX_LOGICAL_BLOCK;
>> +	map.m_len = len;
>>   
>>   	/*
>>   	 * Fiemap callers may call for offset beyond s_bitmap_maxbytes.
>> -- 
>> 2.21.0
>>

Powered by blists - more mailing lists