[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d75dc535-00be-3aa7-addb-c2615b202b56@redhat.com>
Date: Wed, 14 Oct 2020 14:04:10 +0100
From: Andrew Price <anprice@...hat.com>
To: Anant Thazhemadam <anant.thazhemadam@...il.com>
Cc: rpeterso@...hat.com, agruenba@...hat.com, cluster-devel@...hat.com,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org,
syzbot+a5e2482a693e6b1e444b@...kaller.appspotmail.com,
Fox Chen <foxhlchen@...il.com>
Subject: Re: [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in
gfs2_read_sb()
On 13/10/2020 16:26, Anant Thazhemadam wrote:
> In gfs2_read_sb(), if the condition
> (d != sdp->sd_heightsize[x - 1] || m)
> isn't satisfied (in the first 11 iterations), the loop continues,
> and begins to perform out-of-bounds access.
> Fix this out-of-bounds access by introducing a condition in the for loop
> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are
> accessed.
>
> In addition to this, if the above condition is satisfied when
> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks
> out of the loop, then an out-of-bounds access is performed again while
> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and
> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would
> fail.
> Fix this out-of-bounds access and ensure that the assertion doesn't fail
> by introducing another variable "index", which keeps track of the last
> valid value of x (pre-increment) that can be used.
That's not quite the right approach. Your analysis below is correct: the
problem stems from the block size in the superblock being zeroed by the
fuzzer. So the correct fix would be to add a validation check for
sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers
of 2 between 512 and the page size.
Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has
attempted to fix this also[1], but I don't know if they plan to send
another patch.
[1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html
Thanks,
Andy
> Reported-by: syzbot+a5e2482a693e6b1e444b@...kaller.appspotmail.com
> Tested-by: syzbot+a5e2482a693e6b1e444b@...kaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
> ---
>
> I have one question here (potentially a place where I suspect this
> patch could have a fatal flaw and might need some rework).
>
> sdp->sd_max_height = x;
> sdp->sd_heightsize[x] = ~0;
>
> Were these lines written with the logic that the value of x would be
> equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1?
> Or, is the expected value of x at these lines equal to
> (sdp->sd_heightsize[]'s last index as filled in by the loop)?
> I would appreciate it if someone could clarify for me, how this would
> hold against the second potential out-of-bounds access I mentioned in my
> commit message.
>
> An additional comment (which I feel is of some significance) on this.
> Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift
> sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs
> were all 0.
> This by extension also means that in gfs2_read_sb(), all the attributes
> whose values were determined by performing some sort of calculation
> involving any one of these variables all resulted in either 0 or a
> negative value.
> Simply doing the math will also show how this was also the primary reason
> this OOB access occured in the first place.
> However, I still feel that gfs2_read_sb() could do with this bit of checking,
> since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb()
> in all scenarios.
> Anyways, coming back to my initial point. Can having values like that be
> considered unacceptable and as something that needs to be handled (at
> gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay?
>
> fs/gfs2/ops_fstype.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
> index 6d18d2c91add..66ee8fb06ab9 100644
> --- a/fs/gfs2/ops_fstype.c
> +++ b/fs/gfs2/ops_fstype.c
> @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> {
> u32 hash_blocks, ind_blocks, leaf_blocks;
> u32 tmp_blocks;
> - unsigned int x;
> + unsigned int x, index;
> int error;
>
> error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent);
> @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
> sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize -
> sizeof(struct gfs2_dinode);
> sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs;
> - for (x = 2;; x++) {
> + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) {
> u64 space, d;
> u32 m;
>
> - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs;
> + index = x;
> + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs;
> d = space;
> m = do_div(d, sdp->sd_inptrs);
>
> - if (d != sdp->sd_heightsize[x - 1] || m)
> + if (d != sdp->sd_heightsize[index - 1] || m)
> break;
> - sdp->sd_heightsize[x] = space;
> + sdp->sd_heightsize[index] = space;
> }
> - sdp->sd_max_height = x;
> - sdp->sd_heightsize[x] = ~0;
> + sdp->sd_max_height = index;
> + sdp->sd_heightsize[index] = ~0;
> gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);
>
> sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
>
Powered by blists - more mailing lists