lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Mar 2023 15:03:30 +0800 From: Zhihao Cheng <chengzhihao1@...wei.com> To: Jan Kara <jack@...e.cz> CC: <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.com>, <tudor.ambarus@...aro.org>, <linux-ext4@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com> Subject: Re: [PATCH] ext4: Fix i_disksize exceeding i_size problem in paritally written case Hi, Jan > On Fri 17-03-23 09:35:53, Zhihao Cheng wrote: >> Following process makes i_disksize exceed i_size: >> >> generic_perform_write >> copied = iov_iter_copy_from_user_atomic(len) // copied < len >> ext4_da_write_end >> | ext4_update_i_disksize >> | new_i_size = pos + copied; >> | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize >> | generic_write_end >> | copied = block_write_end(copied, len) // copied = 0 >> | if (unlikely(copied < len)) >> | if (!PageUptodate(page)) >> | copied = 0; >> | if (pos + copied > inode->i_size) // return false >> if (unlikely(copied == 0)) >> goto again; >> if (unlikely(iov_iter_fault_in_readable(i, bytes))) { >> status = -EFAULT; >> break; >> } >> >> We get i_disksize greater than i_size here, which could trigger WARNING >> check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio: >> >> ext4_dio_write_iter >> iomap_dio_rw >> __iomap_dio_rw // return err, length is not aligned to 512 >> ext4_handle_inode_extension >> WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops >> >> WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319 >> CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2 >> RIP: 0010:ext4_file_write_iter+0xbc7 >> Call Trace: >> vfs_write+0x3b1 >> ksys_write+0x77 >> do_syscall_64+0x39 >> >> Fix it by putting block_write_end() before i_disksize updating just >> like ext4_write_end() does. >> >> Fetch a reproducer in [Link]. >> >> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209 >> Fixes: 64769240bd07f ("ext4: Add delayed allocation support in data=writeback mode") >> Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com> > > Good catch (although practically this will hardly have any negative > effect). But rather than opencoding generic_write_end() I'd do: > > if (unlikely(copied < len) && !PageUptodate(page)) > copied = 0; > > at the beginning of ext4_da_write_end() and that should solve these > problems as well? > Yes, your suggestion looks good, and I think we can put the checking just after ext4_write_inline_data_end(Line 3150)? On the one hand, we can pass original 'copied' value in trace_ext4_da_write_end(), one the other hand, ext4_write_inline_data_end() already has this checking.
Powered by blists - more mailing lists