| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Mar 2023 16:51:00 +0800
From: Zhihao Cheng <chengzhihao1@...wei.com>
To: Jan Kara <jack@...e.cz>
CC: <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.com>,
<tudor.ambarus@...aro.org>, <linux-ext4@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com>
Subject: Re: [PATCH] ext4: Fix i_disksize exceeding i_size problem in
paritally written case
> Hi, Jan
>> On Fri 17-03-23 09:35:53, Zhihao Cheng wrote:
>>> Following process makes i_disksize exceed i_size:
>>>
>>> generic_perform_write
>>> copied = iov_iter_copy_from_user_atomic(len) // copied < len
>>> ext4_da_write_end
>>> | ext4_update_i_disksize
>>> | new_i_size = pos + copied;
>>> | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
>>> | generic_write_end
>>> | copied = block_write_end(copied, len) // copied = 0
>>> | if (unlikely(copied < len))
>>> | if (!PageUptodate(page))
>>> | copied = 0;
>>> | if (pos + copied > inode->i_size) // return false
>>> if (unlikely(copied == 0))
>>> goto again;
>>> if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
>>> status = -EFAULT;
>>> break;
>>> }
>>>
>>> We get i_disksize greater than i_size here, which could trigger WARNING
>>> check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:
>>>
>>> ext4_dio_write_iter
>>> iomap_dio_rw
>>> __iomap_dio_rw // return err, length is not aligned to 512
>>> ext4_handle_inode_extension
>>> WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops
>>>
>>> WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319
>>> CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2
>>> RIP: 0010:ext4_file_write_iter+0xbc7
>>> Call Trace:
>>> vfs_write+0x3b1
>>> ksys_write+0x77
>>> do_syscall_64+0x39
>>>
>>> Fix it by putting block_write_end() before i_disksize updating just
>>> like ext4_write_end() does.
>>>
>>> Fetch a reproducer in [Link].
>>>
>>> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209
>>> Fixes: 64769240bd07f ("ext4: Add delayed allocation support in
>>> data=writeback mode")
>>> Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
>>
>> Good catch (although practically this will hardly have any negative
>> effect). But rather than opencoding generic_write_end() I'd do:
>>
>> if (unlikely(copied < len) && !PageUptodate(page))
>> copied = 0;
>>
>> at the beginning of ext4_da_write_end() and that should solve these
>> problems as well?
>>
>
> Yes, your suggestion looks good, and I think we can put the checking
> just after ext4_write_inline_data_end(Line 3150)? On the one hand, we
> can pass original 'copied' value in trace_ext4_da_write_end(), one the
> other hand, ext4_write_inline_data_end() already has this checking.
> .
BTW, I want send another patch as follows:
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index bf0b7dea4900..570a687ae847 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3149,7 +3149,7 @@ static int ext4_da_write_end(struct file *file,
return ext4_write_inline_data_end(inode, pos, len,
copied, page);
start = pos & (PAGE_SIZE - 1);
- end = start + copied - 1;
+ end = start + (copied ? copied - 1 : copied);
/*
* Since we are holding inode lock, we are sure i_disksize <=
@@ -3167,7 +3167,7 @@ static int ext4_da_write_end(struct file *file,
* ext4_da_write_inline_data_end().
*/
new_i_size = pos + copied;
- if (copied && new_i_size > inode->i_size &&
+ if (new_i_size > inode->i_size &&
ext4_da_should_update_i_disksize(page, end))
ext4_update_i_disksize(inode, new_i_size);
This modification handle unconsistent i_size and i_disksize imported by
ea51d132dbf9 ("ext4: avoid hangs in ext4_da_should_update_i_disksize()").
Paritially written may display a fake inode size for user, for example:
i_disksize=1
generic_perform_write
copied = iov_iter_copy_from_user_atomic(len) // copied = 0
ext4_da_write_end // skip updating i_disksize
generic_write_end
if (pos + copied > inode->i_size) { // 10 + 0 > 1, true
i_size_write(inode, pos + copied); // i_size = 10
}
0 1 10 4096
|_|_______|_________..._____|
| |
i_size pos
Now, user see the i_size is 10 (i_disksize is still 1). After inode
destroyed, user will get the i_size is 1 read from disk.
Powered by blists - more mailing lists