lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 2 Jul 2021 18:20:33 +0800
From:   Qu Wenruo <quwenruo.btrfs@....com>
To:     "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Chris Mason <clm@...com>, Josef Bacik <josef@...icpanda.com>,
        David Sterba <dsterba@...e.com>
Cc:     linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH][next] btrfs: Fix multiple out-of-bounds warnings



On 2021/7/2 上午9:06, Gustavo A. R. Silva wrote:
> Fix the following out-of-bounds warnings by using a flexible-array
> member *pages[] at the bottom of struct extent_buffer:
>
> fs/btrfs/disk-io.c:225:34: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]

The involved code looks like:

static void csum_tree_block(struct extent_buffer *buf, u8 *result)
{
         struct btrfs_fs_info *fs_info = buf->fs_info;
         const int num_pages = fs_info->nodesize >> PAGE_SHIFT;
	...
         for (i = 1; i < num_pages; i++) {
                 kaddr = page_address(buf->pages[i]);
                 crypto_shash_update(shash, kaddr, PAGE_SIZE);
         }

For Power case, the page size is 64K and nodesize is at most 64K for
btrfs, thus num_pages will either be 0 or 1.

In that case, the for loop should never get reached, thus it's not
possible to really get beyond the boundary.

To me, the real problem is we have no way to tell compiler that
fs_info->nodesize is ensured to be no larger than 64K.


Although using flex array can mask the problem, but it's really masking
the problem as now compiler has no idea how large the array can really be.

David still has the final say on how to fix it, but I'm really wondering
is there any way to give compiler some hint about the possible value
range for things like fs_info->nodesize?

(BTW, at mount time we have super block sanity checker to ensure all
those basic values from on-disk super block is sane, before populating
the in memory btrfs_fs_info structure, thus unless runtime memory
corruption, fs_info->nodesize/sectorsize should be untouched)

Thanks,
Qu
> fs/btrfs/struct-funcs.c:80:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:101:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:133:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:156:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:80:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:101:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:133:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:156:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:80:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:101:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:133:46: warning: array subscript 1 is above array bounds of ‘struct page *[1]’ [-Warray-bounds]
> fs/btrfs/struct-funcs.c:156:32: warning: array subscript 1 is above array bounds of ‘struct page * const[1]’ [-Warray-bounds]
>
> Also, make use of the struct_size() helper to properly calculate the
> total size of struct extent_buffer for the kmem cache allocation.
>
> This is part of the ongoing efforts to globally enable -Warray-bounds.
>
> The code was built with ppc64_defconfig and -Warray-bounds enabled by
> default in the main Makefile.
>
> Link: https://github.com/KSPP/linux/issues/109
> Cc: Qu Wenruo <quwenruo.btrfs@....com>
> Cc: David Sterba <dsterba@...e.com>
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
>   fs/btrfs/extent_io.c | 5 +++--
>   fs/btrfs/extent_io.h | 2 +-
>   2 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 9e81d25dea70..4cf0b72fdd9f 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -232,8 +232,9 @@ int __init extent_state_cache_init(void)
>   int __init extent_io_init(void)
>   {
>   	extent_buffer_cache = kmem_cache_create("btrfs_extent_buffer",
> -			sizeof(struct extent_buffer), 0,
> -			SLAB_MEM_SPREAD, NULL);
> +			struct_size((struct extent_buffer *)0, pages,
> +				    INLINE_EXTENT_BUFFER_PAGES),
> +			0, SLAB_MEM_SPREAD, NULL);
>   	if (!extent_buffer_cache)
>   		return -ENOMEM;
>
> diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
> index 62027f551b44..b82e8b694a3b 100644
> --- a/fs/btrfs/extent_io.h
> +++ b/fs/btrfs/extent_io.h
> @@ -94,11 +94,11 @@ struct extent_buffer {
>
>   	struct rw_semaphore lock;
>
> -	struct page *pages[INLINE_EXTENT_BUFFER_PAGES];
>   	struct list_head release_list;
>   #ifdef CONFIG_BTRFS_DEBUG
>   	struct list_head leak_list;
>   #endif
> +	struct page *pages[];
>   };
>
>   /*
>

Powered by blists - more mailing lists