lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Dec 2022 15:51:51 +0530 From: Siddh Raman Pant <code@...dh.me> To: Gao Xiang <hsiangkao@...ux.alibaba.com>, Chao Yu <chao@...nel.org>, Yue Hu <huyue2@...lpad.com>, Jeffle Xu <jefflexu@...ux.alibaba.com> Cc: linux-erofs <linux-erofs@...ts.ozlabs.org>, linux-kernel <linux-kernel@...r.kernel.org>, syzbot+a8e049cd3abd342936b6@...kaller.appspotmail.com Subject: [PATCH v2] erofs/zmap.c: Fix incorrect offset calculation Effective offset to add to length was being incorrectly calculated, which resulted in iomap->length being set to 0, triggering a WARN_ON in iomap_iter_done(). Fix that, and describe it in comments. This was reported as a crash by syzbot under an issue about a warning encountered in iomap_iter_done(), but unrelated to erofs. C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000 Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02 Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6 Reported-by: syzbot+a8e049cd3abd342936b6@...kaller.appspotmail.com Suggested-by: Gao Xiang <hsiangkao@...ux.alibaba.com> Signed-off-by: Siddh Raman Pant <code@...dh.me> --- Changes since v2: - Fix the calculation instead of bailing out. fs/erofs/zmap.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 0bb66927e3d0..a171e4caba3c 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -790,12 +790,16 @@ static int z_erofs_iomap_begin_report(struct inode *inode, loff_t offset, iomap->type = IOMAP_HOLE; iomap->addr = IOMAP_NULL_ADDR; /* - * No strict rule how to describe extents for post EOF, yet - * we need do like below. Otherwise, iomap itself will get + * No strict rule on how to describe extents for post EOF, yet + * we need to do like below. Otherwise, iomap itself will get * into an endless loop on post EOF. + * + * Calculate the effective offset by subtracting extent start + * (map.m_la) from the requested offset, and add it to length. + * (NB: offset >= map.m_la always) */ if (iomap->offset >= inode->i_size) - iomap->length = length + map.m_la - offset; + iomap->length = length + offset - map.m_la; } iomap->flags = 0; return 0; -- 2.35.1
Powered by blists - more mailing lists