lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Y4tR52dEWMhRMC2C@debian>
Date:   Sat, 3 Dec 2022 21:40:55 +0800
From:   Gao Xiang <xiang@...nel.org>
To:     Chen Zhongjin <chenzhongjin@...wei.com>,
        syzbot+6f8cd9a0155b366d227f@...kaller.appspotmail.com,
        linux-erofs@...ts.ozlabs.org, linux-kernel@...r.kernel.org,
        xiang@...nel.org, chao@...nel.org, huyue2@...lpad.com,
        jefflexu@...ux.alibaba.com
Subject: Re: [PATCH] erofs: Fix pcluster become inline when m_pa is zero

On Sat, Dec 03, 2022 at 09:20:17PM +0800, Gao Xiang wrote:
> Hi Zhongjin,
> 
> On Sat, Dec 03, 2022 at 05:45:27PM +0800, Chen Zhongjin wrote:
> > syzkaller reported a memleak:
> > https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed
> > 
> > unreferenced object 0xffff88811009c7f8 (size 136):
> >   ...
> >   backtrace:
> >     [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740
> >     [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580
> >     [<ffffffff814bc0d6>] read_pages+0x86/0x3d0
> >     ...
> > 
> > syzkaller constructed a case: in z_erofs_register_pcluster(),
> > ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index
> > become zero although pcl is not an inline pcluster.
> 
> Thanks for the patch!
> 
> We should just fail out if map->m_pa / EROFS_BLKSIZ == 0.
> 
> > 
> > Then following path adds refcount for grp, but the it won't be put
> > because pcl is inline, which makes pcl not released when shrink.
> > 
> > z_erofs_readahead()
> >   z_erofs_do_read_page() # for another page
> >     z_erofs_collector_begin()
> >       erofs_find_workgroup()
> >         erofs_workgroup_get()
> > 
> > To fix this, add an attribute in z_erofs_pcluster to mark the inline
> > state which not depends on index of grp.
> 
> I think the main reason is "inline pcluster _always_ did memory leak
> before since I don't find any chance to these free inline pclusters
> in the current codebase.
> 
> Actually I submitted a patch for this, could you check/review this
> if possible?
> https://lore.kernel.org/r/20221202033327.52702-1-hsiangkao@linux.alibaba.com

Oh, I just realized my patch may be incorrect, I think we need to
just fail out this (since m_pblk == 0 cannot be a real pcluster,
since it has on-disk super block at least):

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index ab22100be861..e14e6c32e70d 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -496,7 +496,8 @@ static int z_erofs_register_pcluster(struct
z_erofs_decompress_frontend *fe)
 	struct erofs_workgroup *grp;
 	int err;
 
-	if (!(map->m_flags & EROFS_MAP_ENCODED)) {
+	if (!(map->m_flags & EROFS_MAP_ENCODED) ||
+	    !(map->m_pa >> PAGE_SHIFT)) {
 		DBG_BUGON(1);
 		return -EFSCORRUPTED;


Could you resend next version behaving like the above?

Thanks,
Gao Xiang

> 
> Thanks,
> Gao Xiang
> 
> > 
> > Fixes: cecf864d3d76 ("erofs: support inline data decompression")
> > Reported-by: syzbot+6f8cd9a0155b366d227f@...kaller.appspotmail.com
> > Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
> > ---
> >  fs/erofs/zdata.c | 2 +-
> >  fs/erofs/zdata.h | 5 ++++-
> >  2 files changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
> > index b792d424d774..fef2624d19e3 100644
> > --- a/fs/erofs/zdata.c
> > +++ b/fs/erofs/zdata.c
> > @@ -517,7 +517,7 @@ static int z_erofs_register_pcluster(struct z_erofs_decompress_frontend *fe)
> >  	DBG_BUGON(!mutex_trylock(&pcl->lock));
> >  
> >  	if (ztailpacking) {
> > -		pcl->obj.index = 0;	/* which indicates ztailpacking */
> > +		pcl->is_inline = true;  /* which indicates ztailpacking */
> >  		pcl->pageofs_in = erofs_blkoff(map->m_pa);
> >  		pcl->tailpacking_size = map->m_plen;
> >  	} else {
> > diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
> > index d98c95212985..35051ad27521 100644
> > --- a/fs/erofs/zdata.h
> > +++ b/fs/erofs/zdata.h
> > @@ -78,6 +78,9 @@ struct z_erofs_pcluster {
> >  		unsigned short tailpacking_size;
> >  	};
> >  
> > +	/* I:  whether it is inline or not */
> > +	bool is_inline;
> > +
> >  	/* I: compression algorithm format */
> >  	unsigned char algorithmformat;
> >  
> > @@ -115,7 +118,7 @@ struct z_erofs_decompressqueue {
> >  
> >  static inline bool z_erofs_is_inline_pcluster(struct z_erofs_pcluster *pcl)
> >  {
> > -	return !pcl->obj.index;
> > +	return pcl->is_inline;
> >  }
> >  
> >  static inline unsigned int z_erofs_pclusterpages(struct z_erofs_pcluster *pcl)
> > -- 
> > 2.17.1
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ