lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <55b4adb7-59dc-5465-a99a-8ff0a9d7c450@gmx.com>
Date:   Fri, 14 Jun 2019 21:52:47 +0800
From:   Qu Wenruo <quwenruo.btrfs@....com>
To:     Young Xiao <92siuyang@...il.com>, clm@...com, josef@...icpanda.com,
        dsterba@...e.com, linux-btrfs@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] btrfs: fix out of bounds array access while reading
 extent buffer



On 2019/6/14 下午7:51, Young Xiao wrote:
> There is a corner case that slips through the checkers in functions
> reading extent buffer, ie.
> 
> if (start < eb->len) and (start + len > eb->len), then:
> the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
> WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
> both are OK in this corner case, but it'd actually try to access the eb->pages
> out of bounds because of (start + len > eb->len).
> 
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
> 
> See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
> reading extent buffer") for details.
> 
> Signed-off-by: Young Xiao <92siuyang@...il.com>
> ---
>  fs/btrfs/extent_io.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index db337e5..dcf3b2e 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
>  	unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>  	int ret = 0;
>  
> -	WARN_ON(start > eb->len);
> -	WARN_ON(start + len > eb->start + eb->len);
> +	if (start + len > eb->len) {
The original (start + len > eb->start + eb->len) check is so wrong from
the very beginning. eb->start makes no sense in the context.
So your patch makes sense.

But it's not 100% fixed.

If @start and @len overflow u64, e.g @start = 1 << 63 + 8k, @len = 1<<
63 + 8K. it can still skip the check.

So, we still need to check @start against eb->len, then @start + @len
against eb->len.

Also, shouldn't we include the equal case for @start? (although start +
len == eb->len should be OK)

> +		WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> +		     eb->start, eb->len, start, len);
> +		memset(dst, 0, len);

I'd prefer not to do the memset, as @start and @len is already wrong, I
doubt the @dst could be completely some wild pointer, and set them could
easily screw up the whole kernel.

Thanks,
Qu

> +		return;
> +	}
>  
>  	offset = offset_in_page(start_offset + start);
>  
> @@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
>  	unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>  	int ret = 0;
>  
> -	WARN_ON(start > eb->len);
> -	WARN_ON(start + len > eb->start + eb->len);
> +	if (start + len > eb->len) {
> +		WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> +		     eb->start, eb->len, start, len);
> +		memset(ptr, 0, len);
> +		return;
> +	}
>  
>  	offset = offset_in_page(start_offset + start);
>  
> 



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ