Open Source and information security mailing list archives
Message-ID: <CABymUCNd36Z6F3miBfSSeaXnyNT5OH_S1j6FBFM=aV_x3dfiug@mail.gmail.com>
Date:   Tue, 15 Nov 2022 12:41:30 +0800
From:   Jun Nie <jun.nie@...aro.org>
To:     Chao Yu <chao@...nel.org>
Cc:     jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Lee Jones <joneslee@...gle.com>, davem@...emloft.net,
        edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
        netdev@...r.kernel.org
Subject: Re: [BUG REPORT] f2fs: use-after-free during garbage collection

On Tue, 15 Nov 2022 at 00:02, Chao Yu <chao@...nel.org> wrote:
>
> On 2022/11/14 9:47, Jun Nie wrote:
> > Hi Chao & Jaegeuk,
> >
> > There is a KASAN report[0] that shows invalid memory
> > access (use-after-free) in the f2fs garbage collection process, and this
> > issue is fixed by a recent f2fs patch set[1]. The KASAN report is caused
> > by an abnormal sum->ofs_in_node value 0xc3f1 in the first check. And
> > the investigation indicates that the f2fs_summary_block address range
> > is not from f2fs_kzalloc() in build_curseg(). The memory
> > allocation/free happens in a non-f2fs thread, such as network. So I
> > guess the f2fs subsystem is accessing memory that does not belong to f2fs
> > in some cases. With the below commit merged into mainline recently,
> > this use-after-free issue disappears. But there is another thread
> > blocked issue as below. The patch c6ad7fd16657 checks the valid
> > ofs_in_node and stops further gc. I am not sure whether it is expected
> > that the f2fs_summary_block address in the gc thread is not from the
> > allocation in build_curseg(), because I am not familiar with f2fs.
> >
> > Could you help comment on my question and new issue? Is there any work
> > in progress to fix the new blocked issue? Thanks!
>
> Please check below patch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev-test&id=2272d08781a73b6d7039ed70f6d68d87ac82f256
>
Thanks for the patch! I cherry-picked the 3 patches below from your branch to mainline
to test the bug. It is no longer reproduced.

b380cedda7c3 f2fs: fix to do sanity check on i_extra_isize in is_alive()
cdcb173c158e f2fs: Fix the race condition of resize flag between resizefs
c316fb60f5fb f2fs: should put a page when checking the summary info

BTW: the log line below is repeated endlessly if cdcb173c158e is missing.
[  142.766237][    T9] F2FS-fs (loop0): Inconsistent blkaddr offset:
base:9, ofs_in_node:50161, max:923, ino:8, nid:8

Regards,
Jun


> Thanks,
>
> >
> > [0] https://syzkaller.appspot.com/bug?id=4cbcff00422ea402c2e5be2bc041a8f4196d608c
> > [1] c6ad7fd16657 f2fs: fix to do sanity check on summary info
> >
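As an added illustration (not part of this thread and not f2fs code), a small triage script that parses the F2FS-fs "Inconsistent blkaddr offset" message quoted above from a dmesg capture, checks the reported ofs_in_node against max, and counts how many times the same message repeats, which is the symptom of the blocked GC thread described when cdcb173c158e is missing. The dmesg lines are constructed from the single line in the message (the kernel prints it on one line; the archive wrapped it).

```python
import re
from collections import Counter

# Pattern for the f2fs message quoted in the thread; the device name and the
# five numeric fields are captured. Field names follow the log line itself.
F2FS_INCONSISTENT_RE = re.compile(
    r"F2FS-fs \((?P<dev>[^)]+)\): Inconsistent blkaddr offset:\s*"
    r"base:(?P<base>\d+), ofs_in_node:(?P<ofs>\d+), max:(?P<max>\d+), "
    r"ino:(?P<ino>\d+), nid:(?P<nid>\d+)"
)

def parse_f2fs_inconsistent(line):
    """Return the fields of an 'Inconsistent blkaddr offset' line, or None."""
    m = F2FS_INCONSISTENT_RE.search(line)
    if not m:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "dev"}
    rec["dev"] = m.group("dev")
    # The condition the kernel is complaining about: the offset inside the
    # node must be below the number of block addresses the node can hold.
    # In the thread's line ofs_in_node is 50161 == 0xc3f1, the value the
    # first message reports from the KASAN splat.
    rec["out_of_range"] = rec["ofs"] >= rec["max"]
    return rec

def triage_f2fs_log(lines):
    """Count repeated out-of-range messages per (dev, ino, nid, ofs, max)."""
    counts = Counter()
    for line in lines:
        rec = parse_f2fs_inconsistent(line)
        if rec and rec["out_of_range"]:
            counts[(rec["dev"], rec["ino"], rec["nid"], rec["ofs"], rec["max"])] += 1
    return counts

# Constructed sample: the thread's line repeated, as a stuck GC loop prints it,
# plus one unrelated line that must be ignored.
SAMPLE_DMESG = [
    "[  142.766237][    T9] F2FS-fs (loop0): Inconsistent blkaddr offset: base:9, ofs_in_node:50161, max:923, ino:8, nid:8",
    "[  142.766310][    T9] F2FS-fs (loop0): Inconsistent blkaddr offset: base:9, ofs_in_node:50161, max:923, ino:8, nid:8",
    "[  142.766380][    T9] F2FS-fs (loop0): Inconsistent blkaddr offset: base:9, ofs_in_node:50161, max:923, ino:8, nid:8",
    "[  143.000000][  T100] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

if __name__ == "__main__":
    for (dev, ino, nid, ofs, mx), n in triage_f2fs_log(SAMPLE_DMESG).items():
        print(f"{dev}: ino {ino} nid {nid} ofs_in_node {ofs} (0x{ofs:x}) >= max {mx}: {n} repeats")
```

A repeat count that keeps climbing for one (ino, nid) pair is the signature of the GC thread spinning on the same bad summary entry rather than a one-off corruption report.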
