lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220513141444.00001a6d.zbestahu@gmail.com>
Date:   Fri, 13 May 2022 14:14:44 +0800
From:   Yue Hu <zbestahu@...il.com>
To:     Gao Xiang <hsiangkao@...ux.alibaba.com>
Cc:     linux-erofs@...ts.ozlabs.org, Chao Yu <chao@...nel.org>,
        Yue Hu <huyue2@...ong.com>,
        LKML <linux-kernel@...r.kernel.org>, zhangwen@...lpad.com,
        huyue2@...lpad.com
Subject: Re: [PATCH] erofs: fix buffer copy overflow of ztailpacking feature

On Thu, 12 May 2022 19:58:33 +0800
Gao Xiang <hsiangkao@...ux.alibaba.com> wrote:

> I got some KASAN report as below:
> 
> [   46.959738] ==================================================================
> [   46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
> [   46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
> ...
> [   46.960430] Call Trace:
> [   46.960430]  <TASK>
> [   46.960430]  dump_stack_lvl+0x41/0x5e
> [   46.960430]  print_report.cold+0xb2/0x6b7
> [   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
> [   46.960430]  kasan_report+0x8a/0x140
> [   46.960430]  ? z_erofs_shifted_transform+0x2bd/0x370
> [   46.960430]  kasan_check_range+0x14d/0x1d0
> [   46.960430]  memcpy+0x20/0x60
> [   46.960430]  z_erofs_shifted_transform+0x2bd/0x370
> [   46.960430]  z_erofs_decompress_pcluster+0xaae/0x1080
> 
> The root cause is that the tail pcluster won't be a complete filesystem
> block anymore. So if ztailpacking is used, the second part of an
> uncompresed tail pcluster may not be ``rq->pageofs_out``.

Yeah, since we have a 'pageofs_in' to the 'src' for ztailpacking.

Reviewed-by: Yue Hu <huyue2@...lpad.com>

> 
> Fixes: ab749badf9f4 ("erofs: support unaligned data decompression")
> Fixes: cecf864d3d76 ("erofs: support inline data decompression")
> Signed-off-by: Gao Xiang <hsiangkao@...ux.alibaba.com>
> ---
>  fs/erofs/decompressor.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 0f445f7e1df8..6dca1900c733 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -320,6 +320,7 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq,
>  		PAGE_ALIGN(rq->pageofs_out + rq->outputsize) >> PAGE_SHIFT;
>  	const unsigned int righthalf = min_t(unsigned int, rq->outputsize,
>  					     PAGE_SIZE - rq->pageofs_out);
> +	const unsigned int lefthalf = rq->outputsize - righthalf;
>  	unsigned char *src, *dst;
>  
>  	if (nrpages_out > 2) {
> @@ -342,10 +343,10 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq,
>  	if (nrpages_out == 2) {
>  		DBG_BUGON(!rq->out[1]);
>  		if (rq->out[1] == *rq->in) {
> -			memmove(src, src + righthalf, rq->pageofs_out);
> +			memmove(src, src + righthalf, lefthalf);
>  		} else {
>  			dst = kmap_atomic(rq->out[1]);
> -			memcpy(dst, src + righthalf, rq->pageofs_out);
> +			memcpy(dst, src + righthalf, lefthalf);
>  			kunmap_atomic(dst);
>  		}
>  	}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ