lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20221115014404.194531-1-liaochang1@huawei.com>
Date:   Tue, 15 Nov 2022 09:44:04 +0800
From:   Liao Chang <liaochang1@...wei.com>
To:     <willy@...radead.org>, <akpm@...ux-foundation.org>,
        <damien.lemoal@...nsource.wdc.com>, <roman.gushchin@...ux.dev>,
        <tytso@....edu>, <songmuchun@...edance.com>, <qhjin.dev@...il.com>,
        <liaochang1@...wei.com>
CC:     <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] fs: Fix UBSAN detected shift-out-bounds error for bad superblock

UBSAN: shift-out-of-bounds in fs/minix/bitmap.c:103:3
shift exponent 8192 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 32273 Comm: syz-executor.0 Tainted: G        W
6.1.0-rc4-dirty #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xcd/0x134
 ubsan_epilogue+0xb/0x50
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x18d
 minix_count_free_blocks.cold+0x16/0x1b
 minix_statfs+0x22a/0x490
 statfs_by_dentry+0x133/0x210
 user_statfs+0xa9/0x160
 __do_sys_statfs+0x7a/0xf0
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The superblock stores on disk contains the size of a data zone, which is
too large to used as the shift when kernel try to calculate the total
size of zones, so it needs to check the superblock when kernel mounts
MINIX-FS.

Signed-off-by: Liao Chang <liaochang1@...wei.com>
---
v2:
1. Use compiler neutral API to calculate leading zeros count.
2. A invalid s_log_zone_size should be greater than the leading zeros
   count of (s_nzone - s_firstdatazone).

---
 fs/minix/inode.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index da8bdd1712a7..fbfe2021ef50 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -19,6 +19,7 @@
 #include <linux/highuid.h>
 #include <linux/vfs.h>
 #include <linux/writeback.h>
+#include <linux/count_zeros.h>
 
 static int minix_write_inode(struct inode *inode,
 		struct writeback_control *wbc);
@@ -166,6 +167,12 @@ static bool minix_check_superblock(struct super_block *sb)
 	    sb->s_maxbytes > (7 + 512 + 512*512) * BLOCK_SIZE)
 		return false;
 
+	/* the total size of zones must not exceed the limitation of U32_MAX. */
+	if (sbi->s_log_zone_size && (sbi->s_nzones - sbi->s_firstdatazone) &&
+	    (count_leading_zeros(sbi->s_nzones - sbi->s_firstdatazone) <
+	     sbi->s_log_zone_size))
+		return false;
+
 	return true;
 }
 
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ