Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932066Ab3GAWzi (ORCPT <rfc822;w@1wt.eu>);
	Mon, 1 Jul 2013 18:55:38 -0400
Received: from cobra.newdream.net ([66.33.216.30]:42096 "EHLO
	cobra.newdream.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755601Ab3GAWzh (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 1 Jul 2013 18:55:37 -0400
Date: Mon, 1 Jul 2013 15:55:36 -0700 (PDT)
From: Sage Weil <sage@inktank.com>
X-X-Sender: sage@cobra.newdream.net
To: Sasha Levin <sasha.levin@oracle.com>
cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ceph: avoid accessing invalid memory
In-Reply-To: <1372718019-16549-1-git-send-email-sasha.levin@oracle.com>
Message-ID: <alpine.DEB.2.00.1307011554490.13163@cobra.newdream.net>
References: <1372718019-16549-1-git-send-email-sasha.levin@oracle.com>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3982
Lines: 79

On Mon, 1 Jul 2013, Sasha Levin wrote:
> when mounting ceph with a dev name that starts with a slash, ceph
> would attempt to access the character before that slash. Since we
> don't actually own that byte of memory, we would trigger an
> invalid access:
> 
> [   43.499934] BUG: unable to handle kernel paging request at ffff880fa3a97fff
> [   43.500984] IP: [<ffffffff818f3884>] parse_mount_options+0x1a4/0x300
> [   43.501491] PGD 743b067 PUD 10283c4067 PMD 10282a6067 PTE 8000000fa3a97060
> [   43.502301] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> [   43.503006] Dumping ftrace buffer:
> [   43.503596]    (ftrace buffer empty)
> [   43.504046] CPU: 0 PID: 10879 Comm: mount Tainted: G        W    3.10.0-sasha #1129
> [   43.504851] task: ffff880fa625b000 ti: ffff880fa3412000 task.ti: ffff880fa3412000
> [   43.505608] RIP: 0010:[<ffffffff818f3884>]  [<ffffffff818f3884>] parse_mount_options$
> [   43.506552] RSP: 0018:ffff880fa3413d08  EFLAGS: 00010286
> [   43.507133] RAX: ffff880fa3a98000 RBX: ffff880fa3a98000 RCX: 0000000000000000
> [   43.507893] RDX: ffff880fa3a98001 RSI: 000000000000002f RDI: ffff880fa3a98000
> [   43.508610] RBP: ffff880fa3413d58 R08: 0000000000001f99 R09: ffff880fa3fe64c0
> [   43.509426] R10: ffff880fa3413d98 R11: ffff880fa38710d8 R12: ffff880fa3413da0
> [   43.509792] R13: ffff880fa3a97fff R14: 0000000000000000 R15: ffff880fa3413d90
> [   43.509792] FS:  00007fa9c48757e0(0000) GS:ffff880fd2600000(0000) knlGS:000000000000$
> [   43.509792] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [   43.509792] CR2: ffff880fa3a97fff CR3: 0000000fa3bb9000 CR4: 00000000000006b0
> [   43.509792] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   43.509792] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   43.509792] Stack:
> [   43.509792]  0000e5180000000e ffffffff85ca1900 ffff880fa38710d8 ffff880fa3413d98
> [   43.509792]  0000000000000120 0000000000000000 ffff880fa3a98000 0000000000000000
> [   43.509792]  ffffffff85cf32a0 0000000000000000 ffff880fa3413dc8 ffffffff818f3c72
> [   43.509792] Call Trace:
> [   43.509792]  [<ffffffff818f3c72>] ceph_mount+0xa2/0x390
> [   43.509792]  [<ffffffff81226314>] ? pcpu_alloc+0x334/0x3c0
> [   43.509792]  [<ffffffff81282f8d>] mount_fs+0x8d/0x1a0
> [   43.509792]  [<ffffffff812263d0>] ? __alloc_percpu+0x10/0x20
> [   43.509792]  [<ffffffff8129f799>] vfs_kern_mount+0x79/0x100
> [   43.509792]  [<ffffffff812a224d>] do_new_mount+0xcd/0x1c0
> [   43.509792]  [<ffffffff812a2e8d>] do_mount+0x15d/0x210
> [   43.509792]  [<ffffffff81220e55>] ? strndup_user+0x45/0x60
> [   43.509792]  [<ffffffff812a2fdd>] SyS_mount+0x9d/0xe0
> [   43.509792]  [<ffffffff83fd816c>] tracesys+0xdd/0xe2
> [   43.509792] Code: 4c 8b 5d c0 74 0a 48 8d 50 01 49 89 14 24 eb 17 31 c0 48 83 c9 ff $
> [   43.509792] RIP  [<ffffffff818f3884>] parse_mount_options+0x1a4/0x300
> [   43.509792]  RSP <ffff880fa3413d08>
> [   43.509792] CR2: ffff880fa3a97fff
> [   43.509792] ---[ end trace 22469cd81e93af51 ]---
> 
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

Looks good!  Reviewed-by: and added to the tree.  Thanks!
sage


> ---
>  fs/ceph/super.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ceph/super.c b/fs/ceph/super.c
> index 7d377c9..6627b26 100644
> --- a/fs/ceph/super.c
> +++ b/fs/ceph/super.c
> @@ -357,7 +357,7 @@ static int parse_mount_options(struct ceph_mount_options **pfsopt,
>  	}
>  	err = -EINVAL;
>  	dev_name_end--;		/* back up to ':' separator */
> -	if (*dev_name_end != ':') {
> +	if (dev_name_end < dev_name || *dev_name_end != ':') {
>  		pr_err("device name is missing path (no : separator in %s)\n",
>  				dev_name);
>  		goto out;
> -- 
> 1.7.10.4
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/