lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000006f4cc8061b38a491@google.com>
Date: Tue, 18 Jun 2024 23:52:31 -0700
From: syzbot <syzbot+36bb70085ef6edc2ebb9@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] fs/ntfs3: Do copy_to_user out of run_lock

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: fs/ntfs3: Do copy_to_user out of run_lock
Author: almaz.alexandrovich@...agon-software.com

#syz test

--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1898,6 +1898,47 @@ enum REPARSE_SIGN ni_parse_reparse(struct 
ntfs_inode *ni, struct ATTRIB *attr,
      return REPARSE_LINK;
  }

+/*
+ * fiemap_fill_next_extent_k - a copy of fiemap_fill_next_extent
+ * but it accepts kernel address for fi_extents_start
+ */
+static int fiemap_fill_next_extent_k(struct fiemap_extent_info *fieinfo,
+                     u64 logical, u64 phys, u64 len, u32 flags)
+{
+    struct fiemap_extent extent;
+    struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
+
+    /* only count the extents */
+    if (fieinfo->fi_extents_max == 0) {
+        fieinfo->fi_extents_mapped++;
+        return (flags & FIEMAP_EXTENT_LAST) ? 1 : 0;
+    }
+
+    if (fieinfo->fi_extents_mapped >= fieinfo->fi_extents_max)
+        return 1;
+
+    if (flags & FIEMAP_EXTENT_DELALLOC)
+        flags |= FIEMAP_EXTENT_UNKNOWN;
+    if (flags & FIEMAP_EXTENT_DATA_ENCRYPTED)
+        flags |= FIEMAP_EXTENT_ENCODED;
+    if (flags & (FIEMAP_EXTENT_DATA_TAIL | FIEMAP_EXTENT_DATA_INLINE))
+        flags |= FIEMAP_EXTENT_NOT_ALIGNED;
+
+    memset(&extent, 0, sizeof(extent));
+    extent.fe_logical = logical;
+    extent.fe_physical = phys;
+    extent.fe_length = len;
+    extent.fe_flags = flags;
+
+    dest += fieinfo->fi_extents_mapped;
+    memcpy(dest, &extent, sizeof(extent));
+
+    fieinfo->fi_extents_mapped++;
+    if (fieinfo->fi_extents_mapped == fieinfo->fi_extents_max)
+        return 1;
+    return (flags & FIEMAP_EXTENT_LAST) ? 1 : 0;
+}
+
  /*
   * ni_fiemap - Helper for file_fiemap().
   *
@@ -1908,6 +1949,8 @@ int ni_fiemap(struct ntfs_inode *ni, struct 
fiemap_extent_info *fieinfo,
            __u64 vbo, __u64 len)
  {
      int err = 0;
+    struct fiemap_extent __user *fe_u = fieinfo->fi_extents_start;
+    struct fiemap_extent *fe_k = NULL;
      struct ntfs_sb_info *sbi = ni->mi.sbi;
      u8 cluster_bits = sbi->cluster_bits;
      struct runs_tree *run;
@@ -1955,6 +1998,18 @@ int ni_fiemap(struct ntfs_inode *ni, struct 
fiemap_extent_info *fieinfo,
          goto out;
      }

+    /*
+     * To avoid lock problems replace pointer to user memory by pointer 
to kernel memory.
+     */
+    fe_k = kmalloc_array(fieinfo->fi_extents_max,
+                 sizeof(struct fiemap_extent),
+                 GFP_NOFS | __GFP_ZERO);
+    if (!fe_k) {
+        err = -ENOMEM;
+        goto out;
+    }
+    fieinfo->fi_extents_start = fe_k;
+
      end = vbo + len;
      alloc_size = le64_to_cpu(attr->nres.alloc_size);
      if (end > alloc_size)
@@ -2043,8 +2098,9 @@ int ni_fiemap(struct ntfs_inode *ni, struct 
fiemap_extent_info *fieinfo,
              if (vbo + dlen >= end)
                  flags |= FIEMAP_EXTENT_LAST;

-            err = fiemap_fill_next_extent(fieinfo, vbo, lbo, dlen,
-                              flags);
+            err = fiemap_fill_next_extent_k(fieinfo, vbo, lbo, dlen,
+                            flags);
+
              if (err < 0)
                  break;
              if (err == 1) {
@@ -2064,7 +2120,8 @@ int ni_fiemap(struct ntfs_inode *ni, struct 
fiemap_extent_info *fieinfo,
          if (vbo + bytes >= end)
              flags |= FIEMAP_EXTENT_LAST;

-        err = fiemap_fill_next_extent(fieinfo, vbo, lbo, bytes, flags);
+        err = fiemap_fill_next_extent_k(fieinfo, vbo, lbo, bytes,
+                        flags);
          if (err < 0)
              break;
          if (err == 1) {
@@ -2077,7 +2134,19 @@ int ni_fiemap(struct ntfs_inode *ni, struct 
fiemap_extent_info *fieinfo,

      up_read(run_lock);

+    /*
+     * Copy to user memory out of lock
+     */
+    if (copy_to_user(fe_u, fe_k,
+             fieinfo->fi_extents_max *
+                 sizeof(struct fiemap_extent))) {
+        err = -EFAULT;
+    }
+
  out:
+    /* Restore original pointer. */
+    fieinfo->fi_extents_start = fe_u;
+    kfree(fe_k);
      return err;
  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ