| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jul 2014 17:38:52 +0800
From: Wang Shilong <wangsl.fnst@...fujitsu.com>
To: Takashi Iwai <tiwai@...e.de>, Chris Mason <clm@...com>
CC: Josef Bacik <jbacik@...com>, <linux-btrfs@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Btrfs: Fix memory corruption by ulist_add_merge() on
32bit arch
Hi Takashi,
This seems like a promising fix, i just have a little question:
ulist_add() logic is we firstly cast a pointer to u64(see ptr_to_u64()),
and then
cast u64 to pointer back(u64_to_ptr()). So normally, arg u64 is actually
a pointer.
If the below overflow happens, that means casting can change original value?
Am i missing something here?
Thanks,
Wang
On 07/28/2014 04:57 PM, Takashi Iwai wrote:
> We've got bug reports that btrfs crashes when quota is enabled on
> 32bit kernel, typically with the Oops like below:
> BUG: unable to handle kernel NULL pointer dereference at 00000004
> IP: [<f9234590>] find_parent_nodes+0x360/0x1380 [btrfs]
> *pde = 00000000
> Oops: 0000 [#1] SMP
> CPU: 0 PID: 151 Comm: kworker/u8:2 Tainted: G S W 3.15.2-1.gd43d97e-default #1
> Workqueue: btrfs-qgroup-rescan normal_work_helper [btrfs]
> task: f1478130 ti: f147c000 task.ti: f147c000
> EIP: 0060:[<f9234590>] EFLAGS: 00010213 CPU: 0
> EIP is at find_parent_nodes+0x360/0x1380 [btrfs]
> EAX: f147dda8 EBX: f147ddb0 ECX: 00000011 EDX: 00000000
> ESI: 00000000 EDI: f147dda4 EBP: f147ddf8 ESP: f147dd38
> DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> CR0: 8005003b CR2: 00000004 CR3: 00bf3000 CR4: 00000690
> Stack:
> 00000000 00000000 f147dda4 00000050 00000001 00000000 00000001 00000050
> 00000001 00000000 d3059000 00000001 00000022 000000a8 00000000 00000000
> 00000000 000000a1 00000000 00000000 00000001 00000000 00000000 11800000
> Call Trace:
> [<f923564d>] __btrfs_find_all_roots+0x9d/0xf0 [btrfs]
> [<f9237bb1>] btrfs_qgroup_rescan_worker+0x401/0x760 [btrfs]
> [<f9206148>] normal_work_helper+0xc8/0x270 [btrfs]
> [<c025e38b>] process_one_work+0x11b/0x390
> [<c025eea1>] worker_thread+0x101/0x340
> [<c026432b>] kthread+0x9b/0xb0
> [<c0712a71>] ret_from_kernel_thread+0x21/0x30
> [<c0264290>] kthread_create_on_node+0x110/0x110
>
> This indicates a NULL corruption in prefs_delayed list. The further
> investigation and bisection pointed that the call of ulist_add_merge()
> results in the corruption.
>
> ulist_add_merge() takes u64 as aux and writes a 64bit value into
> old_aux. The callers of this function in backref.c, however, pass a
> pointer of a pointer to old_aux. That is, the function overwrites
> 64bit value on 32bit pointer. This caused a NULL in the adjacent
> variable, in this case, prefs_delayed.
>
> Here is a quick attempt to band-aid over this: a new function,
> ulist_add_merge_ptr() is introduced to pass/store properly a pointer
> value instead of u64. There are still ugly void ** cast remaining
> in the callers because void ** cannot be taken implicitly. But, it's
> safer than explicit cast to u64, anyway.
>
> Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=887046
> Cc: <stable@...r.kernel.org> [v3.11+]
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
> ---
>
> Alternatively, we can change the argument of aux and old_aux to a
> pointer from u64, as backref.c is the only user of ulist_add_merge()
> function. I'll cook up another patch if it's the preferred way.
>
> fs/btrfs/backref.c | 11 +++++------
> fs/btrfs/ulist.h | 15 +++++++++++++++
> 2 files changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
> index e25564bfcb46..d7a24620a963 100644
> --- a/fs/btrfs/backref.c
> +++ b/fs/btrfs/backref.c
> @@ -276,9 +276,8 @@ static int add_all_parents(struct btrfs_root *root, struct btrfs_path *path,
> }
> if (ret > 0)
> goto next;
> - ret = ulist_add_merge(parents, eb->start,
> - (uintptr_t)eie,
> - (u64 *)&old, GFP_NOFS);
> + ret = ulist_add_merge_ptr(parents, eb->start,
> + eie, (void **)&old, GFP_NOFS);
> if (ret < 0)
> break;
> if (!ret && extent_item_pos) {
> @@ -1008,9 +1007,9 @@ again:
> goto out;
> ref->inode_list = eie;
> }
> - ret = ulist_add_merge(refs, ref->parent,
> - (uintptr_t)ref->inode_list,
> - (u64 *)&eie, GFP_NOFS);
> + ret = ulist_add_merge_ptr(refs, ref->parent,
> + ref->inode_list,
> + (void **)&eie, GFP_NOFS);
> if (ret < 0)
> goto out;
> if (!ret && extent_item_pos) {
> diff --git a/fs/btrfs/ulist.h b/fs/btrfs/ulist.h
> index 7f78cbf5cf41..695fc2bac680 100644
> --- a/fs/btrfs/ulist.h
> +++ b/fs/btrfs/ulist.h
> @@ -57,6 +57,21 @@ void ulist_free(struct ulist *ulist);
> int ulist_add(struct ulist *ulist, u64 val, u64 aux, gfp_t gfp_mask);
> int ulist_add_merge(struct ulist *ulist, u64 val, u64 aux,
> u64 *old_aux, gfp_t gfp_mask);
> +
> +/* just like ulist_add_merge() but take a pointer for the aux data */
> +static inline int ulist_add_merge_ptr(struct ulist *ulist, u64 val, void *aux,
> + void **old_aux, gfp_t gfp_mask)
> +{
> +#if BITS_PER_LONG == 32
> + u64 old64 = (uintptr_t)*old_aux;
> + int ret = ulist_add_merge(ulist, val, (uintptr_t)aux, &old64, gfp_mask);
> + *old_aux = (void *)((uintptr_t)old64);
> + return ret;
> +#else
> + return ulist_add_merge(ulist, val, (u64)aux, (u64 *)old_aux, gfp_mask)
> +#endif
> +}
> +
> struct ulist_node *ulist_next(struct ulist *ulist,
> struct ulist_iterator *uiter);
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists