lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 14 Oct 2020 22:01:09 +0530
From:   Anant Thazhemadam <anant.thazhemadam@...il.com>
To:     anprice@...hat.com, agruenba@...hat.com, rpeterso@...hat.com
Cc:     syzbot+a5e2482a693e6b1e444b@...kaller.appspotmail.com,
        linux-kernel@...r.kernel.org,
        linux-kernel-mentees@...ts.linuxfoundation.org,
        cluster-devel@...hat.com, anant.thazhemadam@...il.com,
        foxhlchen@...il.com,
        syzbot+af90d47a37376844e731@...kaller.appspotmail.com
Subject: [PATCH v2] fs: gfs2: add validation checks for size of superblock

In gfs2_check_sb(), no validation checks are performed with regards to
the size of the superblock.
syzkaller detected a slab-out-of-bounds bug that was primarily caused
because the block size for a superblock was set to zero.
A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE.
Performing validation checks and ensuring that the size of the superblock
is valid fixes this bug.

Reported-by: syzbot+af90d47a37376844e731@...kaller.appspotmail.com
Tested-by: syzbot+af90d47a37376844e731@...kaller.appspotmail.com
Suggested-by: Andrew Price <anprice@...hat.com>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
---

Changes in v2:

	* Completely dropped the changes proposed in v1. Instead,
	  validity checks for superblock size have been introduced. 
	  (Suggested by Andrew Price<anprice@...hat.com>)

	* Addded a "Suggested-by" tag accrediting the patch idea to
	  Andrew. If there's any issue with that, please let me know.

	* Changed the commit header and commit message appropriately.

	* Updated "Reported-by" and "Tested-by" tags to the same instance
	  of the bug that was detected earlier (non consequential change).


 fs/gfs2/ops_fstype.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 6d18d2c91add..f0605fae2c4c 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -169,6 +169,13 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent)
 		return -EINVAL;
 	}
 
+	/* Check if the size of the block is valid - a power of 2 between 512 and  PAGE_SIZE */
+	if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || (sb->sb_bsize & (sb->sb_bsize - 1))) {
+		if (!silent)
+			pr_warn("Invalid superblock size\n");
+		return -EINVAL;
+	}
+
 	/*  If format numbers match exactly, we're done.  */
 
 	if (sb->sb_fs_format == GFS2_FORMAT_FS &&
-- 
2.25.1

Powered by blists - more mailing lists