| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 May 2022 14:14:44 +0800
From: Yue Hu <zbestahu@...il.com>
To: Gao Xiang <hsiangkao@...ux.alibaba.com>
Cc: linux-erofs@...ts.ozlabs.org, Chao Yu <chao@...nel.org>,
Yue Hu <huyue2@...ong.com>,
LKML <linux-kernel@...r.kernel.org>, zhangwen@...lpad.com,
huyue2@...lpad.com
Subject: Re: [PATCH] erofs: fix buffer copy overflow of ztailpacking feature
On Thu, 12 May 2022 19:58:33 +0800
Gao Xiang <hsiangkao@...ux.alibaba.com> wrote:
> I got some KASAN report as below:
>
> [ 46.959738] ==================================================================
> [ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
> ...
> [ 46.960430] Call Trace:
> [ 46.960430] <TASK>
> [ 46.960430] dump_stack_lvl+0x41/0x5e
> [ 46.960430] print_report.cold+0xb2/0x6b7
> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] kasan_report+0x8a/0x140
> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] kasan_check_range+0x14d/0x1d0
> [ 46.960430] memcpy+0x20/0x60
> [ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080
>
> The root cause is that the tail pcluster won't be a complete filesystem
> block anymore. So if ztailpacking is used, the second part of an
> uncompresed tail pcluster may not be ``rq->pageofs_out``.
Yeah, since we have a 'pageofs_in' to the 'src' for ztailpacking.
Reviewed-by: Yue Hu <huyue2@...lpad.com>
>
> Fixes: ab749badf9f4 ("erofs: support unaligned data decompression")
> Fixes: cecf864d3d76 ("erofs: support inline data decompression")
> Signed-off-by: Gao Xiang <hsiangkao@...ux.alibaba.com>
> ---
> fs/erofs/decompressor.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 0f445f7e1df8..6dca1900c733 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -320,6 +320,7 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq,
> PAGE_ALIGN(rq->pageofs_out + rq->outputsize) >> PAGE_SHIFT;
> const unsigned int righthalf = min_t(unsigned int, rq->outputsize,
> PAGE_SIZE - rq->pageofs_out);
> + const unsigned int lefthalf = rq->outputsize - righthalf;
> unsigned char *src, *dst;
>
> if (nrpages_out > 2) {
> @@ -342,10 +343,10 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq,
> if (nrpages_out == 2) {
> DBG_BUGON(!rq->out[1]);
> if (rq->out[1] == *rq->in) {
> - memmove(src, src + righthalf, rq->pageofs_out);
> + memmove(src, src + righthalf, lefthalf);
> } else {
> dst = kmap_atomic(rq->out[1]);
> - memcpy(dst, src + righthalf, rq->pageofs_out);
> + memcpy(dst, src + righthalf, lefthalf);
> kunmap_atomic(dst);
> }
> }
Powered by blists - more mailing lists