lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87mtzptle4.fsf@suse.com>
Date:   Tue, 10 Nov 2020 14:02:43 +0100
From:   Aurélien Aptel <aaptel@...e.com>
To:     Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
        linux-fsdevel@...r.kernel.org
Cc:     viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org,
        pali@...nel.org, dsterba@...e.cz, willy@...radead.org,
        rdunlap@...radead.org, joe@...ches.com, mark@...mstone.com,
        nborisov@...e.com, linux-ntfs-dev@...ts.sourceforge.net,
        anton@...era.com, dan.carpenter@...cle.com, hch@....de,
        ebiggers@...nel.org,
        Konstantin Komarov <almaz.alexandrovich@...agon-software.com>
Subject: Re: [PATCH v12 00/10] NTFS read-write driver GPL implementation by
 Paragon Software

Hi Konstantin,

Have you looked at Eric Biggers last comments regarding KASAN and
lockdep? You can enable KASAN in menuconfig in Kernel hacking > Memory
debugging > KASAN.

With v12 I'm still seeing the out-of-bound read and potential deadlock.


The bad read:

[   69.496132] BUG: KASAN: stack-out-of-bounds in hdr_insert_de+0x130/0x1b0
[   69.496137] Read of size 32 at addr ffff88800b4ffb48 by task ln/1246

[   69.496146] CPU: 0 PID: 1246 Comm: ln Not tainted 5.10.0-rc3+ #8
[   69.496150] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812d-rebuilt.opensuse.org 04/01/2014
[   69.496154] Call Trace:
[   69.496161]  dump_stack+0x9a/0xcc
[   69.496168]  ? hdr_insert_de+0x130/0x1b0
[   69.496173]  print_address_description.constprop.0+0x1c/0x210
[   69.496179]  ? memcmp+0x38/0x60
[   69.496193]  ? hdr_insert_de+0x130/0x1b0
[   69.496198]  ? hdr_insert_de+0x130/0x1b0
[   69.496203]  kasan_report.cold+0x37/0x7c
[   69.496211]  ? mark_lock+0x13d0/0x1450
[   69.496216]  ? hdr_insert_de+0x130/0x1b0
[   69.496224]  check_memory_region+0xf9/0x1e0
[   69.496231]  memcpy+0x20/0x60
[   69.496238]  hdr_insert_de+0x130/0x1b0
[   69.496247]  ? hdr_find_e+0x3b0/0x3b0
[   69.496251]  ? lockdep_hardirqs_on_prepare+0x13d/0x200
[   69.496256]  ? quarantine_put+0x7d/0x190
[   69.496261]  ? trace_hardirqs_on+0x1c/0x100
[   69.496274]  indx_insert_into_root+0x398/0xdb0
[   69.496295]  ? indx_insert_entry+0x300/0x300
[   69.496299]  ? get_order+0x20/0x20
[   69.496305]  ? fnd_clear+0x133/0x190
[   69.496316]  ? indx_find+0x1ac/0x470
[   69.496329]  ? indx_free_children.isra.0+0x300/0x300
[   69.496335]  ? indx_init+0x210/0x210
[   69.496342]  ? kasan_unpoison_shadow+0x33/0x40
[   69.496354]  indx_insert_entry+0x1ab/0x300
[   69.496364]  ? indx_find_raw+0x880/0x880
[   69.496371]  ? down_write+0xd7/0x130
[   69.496381]  ? ktime_get_coarse_real_ts64+0xf6/0x120
[   69.496385]  ? trace_hardirqs_on+0x1c/0x100
[   69.496395]  ntfs_insert_reparse+0xf7/0x160
[   69.496401]  ? ntfs_objid_remove+0x90/0x90
[   69.496412]  ? kasan_unpoison_shadow+0x33/0x40
[   69.496418]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   69.496428]  ntfs_create_inode+0x177d/0x1af0
[   69.496454]  ? inode_write_data+0x280/0x280
[   69.496459]  ? inode_security+0x6b/0x90
[   69.496472]  ? may_create+0x203/0x210
[   69.496484]  ? ntfs_symlink+0xa7/0xf0
[   69.496488]  ntfs_symlink+0xa7/0xf0
[   69.496497]  ? ntfs_unlink+0x40/0x40
[   69.496513]  vfs_symlink+0x175/0x280
[   69.496522]  do_symlinkat+0xe1/0x190
[   69.496530]  ? __ia32_sys_mknod+0xa0/0xa0
[   69.496538]  ? lockdep_hardirqs_on_prepare+0x13d/0x200
[   69.496544]  ? syscall_enter_from_user_mode+0x1d/0x50
[   69.496553]  do_syscall_64+0x33/0x40
[   69.496559]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.496564] RIP: 0033:0x7f1436b4ed07
[   69.496569] Code: 73 01 c3 48 8b 0d 91 51 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0a 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 61 51 2c 00 f7 d8 64 89 01 48
[   69.496573] RSP: 002b:00007ffc280c9af8 EFLAGS: 00000202 ORIG_RAX: 000000000000010a
[   69.496581] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1436b4ed07
[   69.496585] RDX: 00007ffc280cb7b2 RSI: 00000000ffffff9c RDI: 00007ffc280cb7ab
[   69.496589] RBP: 00000000ffffff9c R08: 0000000000000001 R09: 0000000000000000
[   69.496593] R10: 0000000000000496 R11: 0000000000000202 R12: 00007ffc280cb7b2
[   69.496597] R13: 00007ffc280cb7ab R14: 0000000000000000 R15: 0000000000000000

[   69.496619] The buggy address belongs to the page:
[   69.496624] page:00000000167d0d9a refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb4ff
[   69.496628] flags: 0x100000000000000()
[   69.496634] raw: 0100000000000000 0000000000000000 ffffea00002d3fc8 0000000000000000
[   69.496639] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   69.496643] page dumped because: kasan: bad access detected

[   69.496650] addr ffff88800b4ffb48 is located in stack of task ln/1246 at offset 32 in frame:
[   69.496654]  ntfs_insert_reparse+0x0/0x160

[   69.496662] this frame has 1 object:
[   69.496666]  [32, 60) 're'

[   69.496672] Memory state around the buggy address:
[   69.496677]  ffff88800b4ffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[   69.496681]  ffff88800b4ffa80: f1 f1 f1 f1 04 f2 00 f3 f3 f3 00 00 00 00 00 00
[   69.496685] >ffff88800b4ffb00: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 04 f3 f3 f3
[   69.496689]                                                        ^
[   69.496693]  ffff88800b4ffb80: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   69.496697]  ffff88800b4ffc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   69.496701] ==================================================================


That's in hdr_insert_de() when doing

    memcpy(before, de, de_size);

* * *

Then the lockdep splat:

[  166.670709] ======================================================
[  166.671122] WARNING: possible circular locking dependency detected
[  166.671509] 5.10.0-rc3+ #7 Not tainted
[  166.671509] ------------------------------------------------------
[  166.671509] bash/1134 is trying to acquire lock:
[  166.671509] ffff96854bd78108 (&ni->ni_lock){+.+.}-{3:3}, at: ntfs_set_size+0x53/0xd0
[  166.671509] 
               but task is already holding lock:
[  166.671509] ffff96854bd78378 (&sb->s_type->i_mutex_key#12){+.+.}-{3:3}, at: ntfs_file_write_iter+0x8a/0xb40
[  166.671509] 
               which lock already depends on the new lock.

[  166.671509] 
               the existing dependency chain (in reverse order) is:
[  166.671509] 
               -> #1 (&sb->s_type->i_mutex_key#12){+.+.}-{3:3}:
[  166.671509]        down_write+0x2a/0x60
[  166.671509]        ntfs_set_state+0x8c/0x1a0
[  166.671509]        ntfs_create_inode+0x19e/0x1040
[  166.671509]        ntfs_atomic_open+0x1a3/0x210
[  166.671509]        lookup_open+0x383/0x600
[  166.671509]        path_openat+0x2b3/0xa20
[  166.671509]        do_filp_open+0x88/0x130
[  166.671509]        do_sys_openat2+0x97/0x150
[  166.671509]        __x64_sys_openat+0x54/0x90
[  166.671509]        do_syscall_64+0x33/0x40
[  166.671509]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  166.671509] 
               -> #0 (&ni->ni_lock){+.+.}-{3:3}:
[  166.671509]        __lock_acquire+0x1452/0x2a20
[  166.671509]        lock_acquire+0x132/0x420
[  166.671509]        __mutex_lock+0x85/0x9e0
[  166.671509]        ntfs_set_size+0x53/0xd0
[  166.671509]        ntfs_extend_ex+0x176/0x1c0
[  166.671509]        ntfs_file_write_iter+0xc9/0xb40
[  166.671509]        new_sync_write+0x11f/0x1c0
[  166.671509]        vfs_write+0x1b2/0x230
[  166.671509]        ksys_write+0x68/0xe0
[  166.671509]        do_syscall_64+0x33/0x40
[  166.671509]        entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  166.671509] 
               other info that might help us debug this:

[  166.671509]  Possible unsafe locking scenario:

[  166.671509]        CPU0                    CPU1
[  166.671509]        ----                    ----
[  166.671509]   lock(&sb->s_type->i_mutex_key#12);
[  166.671509]                                lock(&ni->ni_lock);
[  166.671509]                                lock(&sb->s_type->i_mutex_key#12);
[  166.671509]   lock(&ni->ni_lock);
[  166.671509] 
                *** DEADLOCK ***

[  166.671509] 2 locks held by bash/1134:
[  166.671509]  #0: ffff968547b54438 (sb_writers#10){.+.+}-{0:0}, at: vfs_write+0x17e/0x230
[  166.671509]  #1: ffff96854bd78378 (&sb->s_type->i_mutex_key#12){+.+.}-{3:3}, at: ntfs_file_write_iter+0x8a/0xb40
[  166.671509] 
               stack backtrace:
[  166.671509] CPU: 1 PID: 1134 Comm: bash Not tainted 5.10.0-rc3+ #7
[  166.671509] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812d-rebuilt.opensuse.org 04/01/2014
[  166.671509] Call Trace:
[  166.671509]  dump_stack+0x77/0x97
[  166.671509]  check_noncircular+0xf2/0x110
[  166.671509]  __lock_acquire+0x1452/0x2a20
[  166.671509]  lock_acquire+0x132/0x420
[  166.671509]  ? ntfs_set_size+0x53/0xd0
[  166.671509]  ? __lock_acquire+0x39d/0x2a20
[  166.671509]  __mutex_lock+0x85/0x9e0
[  166.671509]  ? ntfs_set_size+0x53/0xd0
[  166.671509]  ? ntfs_set_size+0x53/0xd0
[  166.671509]  ? lock_acquire+0x132/0x420
[  166.671509]  ntfs_set_size+0x53/0xd0
[  166.671509]  ntfs_extend_ex+0x176/0x1c0
[  166.671509]  ntfs_file_write_iter+0xc9/0xb40
[  166.671509]  ? lock_acquire+0x132/0x420
[  166.671509]  new_sync_write+0x11f/0x1c0
[  166.671509]  vfs_write+0x1b2/0x230
[  166.671509]  ksys_write+0x68/0xe0
[  166.671509]  do_syscall_64+0x33/0x40
[  166.671509]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  166.671509] RIP: 0033:0x7fe486a68204
[  166.671509] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00 00 8b 05 aa d1 2c 00 48 63 ff 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 55 53 48 89 d5 48 89 f3 48 83
[  166.671509] RSP: 002b:00007ffd4b76fee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  166.671509] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe486a68204
[  166.671509] RDX: 0000000000000004 RSI: 000055b1dd9bb7a0 RDI: 0000000000000001
[  166.671509] RBP: 000055b1dd9bb7a0 R08: 000000000000000a R09: 0000000000000000
[  166.671509] R10: 000000000000000a R11: 0000000000000246 R12: 0000000000000004

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ