Date: Fri, 13 May 2022 14:14:44 +0800
From: Yue Hu <zbestahu@...il.com>
To: Gao Xiang <hsiangkao@...ux.alibaba.com>
Cc: linux-erofs@...ts.ozlabs.org, Chao Yu <chao@...nel.org>, Yue Hu <huyue2@...ong.com>, LKML <linux-kernel@...r.kernel.org>, zhangwen@...lpad.com, huyue2@...lpad.com
Subject: Re: [PATCH] erofs: fix buffer copy overflow of ztailpacking feature

On Thu, 12 May 2022 19:58:33 +0800
Gao Xiang <hsiangkao@...ux.alibaba.com> wrote:

> I got some KASAN report as below:
>
> [ 46.959738] ==================================================================
> [ 46.960430] BUG: KASAN: use-after-free in z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] Read of size 4074 at addr ffff8880300c2f8e by task fssum/188
> ...
> [ 46.960430] Call Trace:
> [ 46.960430] <TASK>
> [ 46.960430] dump_stack_lvl+0x41/0x5e
> [ 46.960430] print_report.cold+0xb2/0x6b7
> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] kasan_report+0x8a/0x140
> [ 46.960430] ? z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] kasan_check_range+0x14d/0x1d0
> [ 46.960430] memcpy+0x20/0x60
> [ 46.960430] z_erofs_shifted_transform+0x2bd/0x370
> [ 46.960430] z_erofs_decompress_pcluster+0xaae/0x1080
>
> The root cause is that the tail pcluster won't be a complete filesystem
> block anymore. So if ztailpacking is used, the second part of an
> uncompressed tail pcluster may not be ``rq->pageofs_out``.

Yeah, since we have a 'pageofs_in' to the 'src' for ztailpacking.

Reviewed-by: Yue Hu <huyue2@...lpad.com>

>
> Fixes: ab749badf9f4 ("erofs: support unaligned data decompression")
> Fixes: cecf864d3d76 ("erofs: support inline data decompression")
> Signed-off-by: Gao Xiang <hsiangkao@...ux.alibaba.com>
> ---
> fs/erofs/decompressor.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
> index 0f445f7e1df8..6dca1900c733 100644
> --- a/fs/erofs/decompressor.c
> +++ b/fs/erofs/decompressor.c
> @@ -320,6 +320,7 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq, > PAGE_ALIGN(rq->pageofs_out + rq->outputsize) >> PAGE_SHIFT; > const unsigned int righthalf = min_t(unsigned int, rq->outputsize, > PAGE_SIZE - rq->pageofs_out); > + const unsigned int lefthalf = rq->outputsize - righthalf; > unsigned char *src, *dst; > > if (nrpages_out > 2) { > @@ -342,10 +343,10 @@ static int z_erofs_shifted_transform(struct z_erofs_decompress_req *rq, > if (nrpages_out == 2) { > DBG_BUGON(!rq->out[1]); > if (rq->out[1] == *rq->in) { > - memmove(src, src + righthalf, rq->pageofs_out); > + memmove(src, src + righthalf, lefthalf); > } else { > dst = kmap_atomic(rq->out[1]); > - memcpy(dst, src + righthalf, rq->pageofs_out); > + memcpy(dst, src + righthalf, lefthalf); > kunmap_atomic(dst); > } > }
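Review bot: in the hunk at -320, the new `lefthalf = rq->outputsize - righthalf` cannot underflow, because `righthalf` is `min_t(unsigned int, rq->outputsize, PAGE_SIZE - rq->pageofs_out)` and so never exceeds `rq->outputsize`; that invariant is the whole reason the subtraction is safe and deserves a one-line comment above the declaration, along with a note that `lefthalf` is the part of the output spilling into the second page and is no longer equal to `rq->pageofs_out` once a ztailpacked tail pcluster is not a full block.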
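Review bot: in the hunk at -342, bounding both the `memmove` and the `memcpy` by `lefthalf` rather than `rq->pageofs_out` keeps each copy from `src + righthalf` within the `rq->outputsize` bytes the request describes, which is consistent with the KASAN report of a 4074-byte read in `z_erofs_shifted_transform`. Since this branch is guarded by `nrpages_out == 2` and `nrpages_out` is `PAGE_ALIGN(rq->pageofs_out + rq->outputsize) >> PAGE_SHIFT`, `lefthalf` must fit in one page; a `DBG_BUGON(lefthalf > PAGE_SIZE)` beside the existing `DBG_BUGON(!rq->out[1])` would record that assumption and catch a future regression under the debug build.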