| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <915e56c1-3e87-ef0a-8bdf-26a3774b0a18@kernel.org>
Date: Sat, 21 Mar 2020 20:16:52 +0800
From: Chao Yu <chao@...nel.org>
To: Eric Biggers <ebiggers@...nel.org>, Chao Yu <yuchao0@...wei.com>
Cc: jaegeuk@...nel.org, linux-kernel@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH 3/4] f2fs: fix NULL pointer dereference in
f2fs_verity_work()
On 2020-3-21 3:11, Eric Biggers wrote:
> On Thu, Mar 19, 2020 at 07:57:59PM +0800, Chao Yu wrote:
>> If both compression and fsverity feature is on, generic/572 will
>> report below NULL pointer dereference bug.
>>
>> BUG: kernel NULL pointer dereference, address: 0000000000000018
>> RIP: 0010:f2fs_verity_work+0x60/0x90 [f2fs]
>> #PF: supervisor read access in kernel mode
>> Workqueue: fsverity_read_queue f2fs_verity_work [f2fs]
>> RIP: 0010:f2fs_verity_work+0x60/0x90 [f2fs]
>> Call Trace:
>> process_one_work+0x16c/0x3f0
>> worker_thread+0x4c/0x440
>> ? rescuer_thread+0x350/0x350
>> kthread+0xf8/0x130
>> ? kthread_unpark+0x70/0x70
>> ret_from_fork+0x35/0x40
>>
>> There are two issue in f2fs_verity_work():
>> - it needs to traverse and verify all pages in bio.
>> - if pages in bio belong to non-compressed cluster, accessing
>> decompress IO context stored in page private will cause NULL
>> pointer dereference.
>>
>> Fix them.
>>
>> Signed-off-by: Chao Yu <yuchao0@...wei.com>
>> ---
>> fs/f2fs/data.c | 35 ++++++++++++++++++++++++++++++-----
>> 1 file changed, 30 insertions(+), 5 deletions(-)
>>
>> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
>> index 5c5db09324b7..66e49fc1056e 100644
>> --- a/fs/f2fs/data.c
>> +++ b/fs/f2fs/data.c
>> @@ -187,12 +187,37 @@ static void f2fs_verify_pages(struct page **rpages, unsigned int cluster_size)
>>
>> static void f2fs_verify_bio(struct bio *bio)
>> {
>> - struct page *page = bio_first_page_all(bio);
>> - struct decompress_io_ctx *dic =
>> - (struct decompress_io_ctx *)page_private(page);
>> + struct bio_vec *bv;
>> + struct bvec_iter_all iter_all;
>> + struct decompress_io_ctx *dic, *pdic = NULL;
>> +
>> + bio_for_each_segment_all(bv, bio, iter_all) {
>> + struct page *page = bv->bv_page;
>> +
>> + dic = (struct decompress_io_ctx *)page_private(page);
>> +
>> + if (dic) {
>> + if (dic != pdic) {
>> + f2fs_verify_pages(dic->rpages,
>> + dic->cluster_size);
>> + f2fs_free_dic(dic);
>> + pdic = dic;
>> + }
>> + continue;
>> + }
>> + pdic = dic;
>>
>> - f2fs_verify_pages(dic->rpages, dic->cluster_size);
>> - f2fs_free_dic(dic);
>> + if (bio->bi_status || PageError(page)) {
>> + ClearPageUptodate(page);
>> + ClearPageError(page);
>> + } else {
>> + if (fsverity_verify_page(page))
>> + SetPageUptodate(page);
>> + else
>> + SetPageError(page);
>> + }
>> + unlock_page(page);
>> + }
>
> I'm a bit confused why you added SetPageError() before unlocking the page.
> The other error paths actually clear the Error flag, not set it. I thought
> there's a reason for that?
These codes were copy&paste from f2fs_decompress_end_io(), I guess I missed to
check that logic, so anyway, we need another patch to fix that first.
Thanks for pointing out this.
Thanks,
>
> - Eric
>
>
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
>
Powered by blists - more mailing lists