butt3rflyh4ck <[email protected]> reported a bug found by
syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
dump_stack+0xfa/0x151 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
__kasan_report mm/kasan/report.c:399 [inline]
kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
current_nat_addr fs/f2fs/node.h:213 [inline]
get_next_nat_page fs/f2fs/node.c:123 [inline]
__flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
__sync_filesystem fs/sync.c:39 [inline]
sync_filesystem fs/sync.c:67 [inline]
sync_filesystem+0x1b5/0x260 fs/sync.c:48
generic_shutdown_super+0x70/0x370 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1394
The root cause is, if nat entry in checkpoint journal area is corrupted,
e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
once it tries to flush nat journal to NAT area, get_next_nat_page() may
access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
as bitmap offset.
[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
Reported-by: butt3rflyh4ck <[email protected]>
Signed-off-by: Chao Yu <[email protected]>
---
fs/f2fs/node.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index caf43970510e..8311b2367c7c 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2790,6 +2790,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)
struct f2fs_nat_entry raw_ne;
nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+ if (f2fs_check_nid_range(sbi, nid))
+ continue;
+
raw_ne = nat_in_journal(journal, i);
ne = __lookup_nat_cache(nm_i, nid);
--
2.29.2
Hi butt3rflyh4ck,
On 2021/3/23 13:48, butt3rflyh4ck wrote:
> Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem.
Thanks for helping to test this patch.
Thanks,
>
> Regards,
> butt3rflyh4ck.
>
>
> On Mon, Mar 22, 2021 at 7:47 PM Chao Yu <[email protected]> wrote:
>>
>> butt3rflyh4ck <[email protected]> reported a bug found by
>> syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
>>
>> dump_stack+0xfa/0x151 lib/dump_stack.c:120
>> print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
>> __kasan_report mm/kasan/report.c:399 [inline]
>> kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
>> f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
>> current_nat_addr fs/f2fs/node.h:213 [inline]
>> get_next_nat_page fs/f2fs/node.c:123 [inline]
>> __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
>> f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
>> f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
>> f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
>> f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
>> __sync_filesystem fs/sync.c:39 [inline]
>> sync_filesystem fs/sync.c:67 [inline]
>> sync_filesystem+0x1b5/0x260 fs/sync.c:48
>> generic_shutdown_super+0x70/0x370 fs/super.c:448
>> kill_block_super+0x97/0xf0 fs/super.c:1394
>>
>> The root cause is, if nat entry in checkpoint journal area is corrupted,
>> e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
>> once it tries to flush nat journal to NAT area, get_next_nat_page() may
>> access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
>> as bitmap offset.
>>
>> [1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
>>
>> Reported-by: butt3rflyh4ck <[email protected]>
>> Signed-off-by: Chao Yu <[email protected]>
>> ---
>> fs/f2fs/node.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
>> index caf43970510e..8311b2367c7c 100644
>> --- a/fs/f2fs/node.c
>> +++ b/fs/f2fs/node.c
>> @@ -2790,6 +2790,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)
>> struct f2fs_nat_entry raw_ne;
>> nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
>>
>> + if (f2fs_check_nid_range(sbi, nid))
>> + continue;
>> +
>> raw_ne = nat_in_journal(journal, i);
>>
>> ne = __lookup_nat_cache(nm_i, nid);
>> --
>> 2.29.2
>>
> .
>
Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem.
Regards,
butt3rflyh4ck.
On Mon, Mar 22, 2021 at 7:47 PM Chao Yu <[email protected]> wrote:
>
> butt3rflyh4ck <[email protected]> reported a bug found by
> syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
>
> dump_stack+0xfa/0x151 lib/dump_stack.c:120
> print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
> __kasan_report mm/kasan/report.c:399 [inline]
> kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
> f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
> current_nat_addr fs/f2fs/node.h:213 [inline]
> get_next_nat_page fs/f2fs/node.c:123 [inline]
> __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
> f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
> f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
> f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
> f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
> __sync_filesystem fs/sync.c:39 [inline]
> sync_filesystem fs/sync.c:67 [inline]
> sync_filesystem+0x1b5/0x260 fs/sync.c:48
> generic_shutdown_super+0x70/0x370 fs/super.c:448
> kill_block_super+0x97/0xf0 fs/super.c:1394
>
> The root cause is, if nat entry in checkpoint journal area is corrupted,
> e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
> once it tries to flush nat journal to NAT area, get_next_nat_page() may
> access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
> as bitmap offset.
>
> [1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
>
> Reported-by: butt3rflyh4ck <[email protected]>
> Signed-off-by: Chao Yu <[email protected]>
> ---
> fs/f2fs/node.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
> index caf43970510e..8311b2367c7c 100644
> --- a/fs/f2fs/node.c
> +++ b/fs/f2fs/node.c
> @@ -2790,6 +2790,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi)
> struct f2fs_nat_entry raw_ne;
> nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
>
> + if (f2fs_check_nid_range(sbi, nid))
> + continue;
> +
> raw_ne = nat_in_journal(journal, i);
>
> ne = __lookup_nat_cache(nm_i, nid);
> --
> 2.29.2
>
Hi,
On Tue, Mar 23, 2021 at 02:43:29PM +0800, Chao Yu wrote:
> Hi butt3rflyh4ck,
>
> On 2021/3/23 13:48, butt3rflyh4ck wrote:
> > Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem.
>
> Thanks for helping to test this patch.
Was this patch applied? I do not see it in mainline (unless
miss-checked).
Regards,
Salvatore
Hi,
On 04/20, Salvatore Bonaccorso wrote:
> Hi,
>
> On Tue, Mar 23, 2021 at 02:43:29PM +0800, Chao Yu wrote:
> > Hi butt3rflyh4ck,
> >
> > On 2021/3/23 13:48, butt3rflyh4ck wrote:
> > > Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem.
> >
> > Thanks for helping to test this patch.
>
> Was this patch applied? I do not see it in mainline (unless
> miss-checked).
Not yet. Queue for next merge window.
https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev&id=b862676e371715456c9dade7990c8004996d0d9e
>
> Regards,
> Salvatore
Cool, thanks!
Regards,
butt3rflyh4ck.
On Wed, Apr 21, 2021 at 2:27 AM Jaegeuk Kim <[email protected]> wrote:
>
> Hi,
>
> On 04/20, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Tue, Mar 23, 2021 at 02:43:29PM +0800, Chao Yu wrote:
> > > Hi butt3rflyh4ck,
> > >
> > > On 2021/3/23 13:48, butt3rflyh4ck wrote:
> > > > Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem.
> > >
> > > Thanks for helping to test this patch.
> >
> > Was this patch applied? I do not see it in mainline (unless
> > miss-checked).
>
> Not yet. Queue for next merge window.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev&id=b862676e371715456c9dade7990c8004996d0d9e
>
> >
> > Regards,
> > Salvatore