In-Reply-To: <2f2047ca-a96f-91da-c746-530c7b8d1bbf@oracle.com>
From: shankarapailoor
Date: Mon, 4 Jun 2018 11:30:36 -0700
Subject: Re: Slab out of bounds in setxattr
To: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org

Hi Dave,

Attached is my proposed patch. It solves the problem as you suggest and I
don't see the KASAN complaint.

Regards,
Shankara

On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote:
> On 06/01/2018 11:06 PM, shankarapailoor wrote:
>> Hi,
>>
>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE
>> then e_buf->max_size is rounded up to the nearest page size [1]. If a new
>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then
>> no new space is allocated for the attribute list [2] and this
>> triggers the KASAN slab out of bounds error. This is the case in the C
>> repro I provided.
>
> I see the problem. It looks like we should be calculating max_size
> earlier and using that to call kmalloc(). (xattr.c#496)
>
> Shaggy
>>
>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501
>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723
>>
>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote:
>>> Hi Dave et al,
>>>
>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller and found a
>>> KASAN: slab-out-of-bounds in jfs_xattr.
>>>
>>> Attached are my kernel configs and a C reproducer. In the first
>>> setxattr call it appears that length is much larger than the name. In
>>> __jfs_setxattr, I don't see where the length is checked against the
>>> actual value length.
>>>
>>> Regards,
>>> Shankara Pailoor
>>
>> --
>> Regards,
>> Shankara Pailoor

[Attachment: jfspatch]

diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index c60f3d3..a09c526 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -493,14 +493,14 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
                 * To keep the rest of the code simple.  Allocate a
                 * contiguous buffer to work with
                 */
-               ea_buf->xattr = kmalloc(size, GFP_KERNEL);
+               ea_buf->max_size = (size + sb->s_blocksize - 1) &
+                   ~(sb->s_blocksize - 1);
+
+               ea_buf->xattr = kmalloc(ea_buf->max_size, GFP_KERNEL);
                if (ea_buf->xattr == NULL)
                        return -ENOMEM;
 
                ea_buf->flag = EA_MALLOC;
-               ea_buf->max_size = (size + sb->s_blocksize - 1) &
-                   ~(sb->s_blocksize - 1);
-
                if (ea_size == 0)
                        return 0;
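Review bot: the allocation length and `ea_buf->max_size` now agree, which is the invariant the original ordering broke (`max_size` was rounded up to a multiple of `sb->s_blocksize` only after `kmalloc(size, GFP_KERNEL)`, so up to `s_blocksize - 1` bytes of advertised capacity were never allocated); please record that invariant in a one-line comment next to the new `kmalloc(ea_buf->max_size, GFP_KERNEL)` so a later reordering does not reintroduce the gap. Two smaller points on the same hunk: the `& ~(sb->s_blocksize - 1)` round-up is only correct for a power-of-two block size, an assumption the pre-existing expression already made and that is worth stating in the same comment, and the continuation line `~(sb->s_blocksize - 1);` should align under the opening parenthesis of `(size + sb->s_blocksize - 1)` to satisfy checkpatch.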
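The size-accounting mismatch Shankara describes above (capacity rounded up after the allocation, then trusted by the in-place append path) next to the corrected ordering Dave suggests, as an added C model that is not part of the thread or of fs/jfs/xattr.c. `ea_model`, `ea_get_buggy`, `ea_get_fixed`, `append_overruns_allocation`, the 4096-byte block size and the 5000/2000-byte sizes are constructed stand-ins for the kernel's ea_buffer, ea_get and ea_put.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BLOCKSIZE 4096u  /* stand-in for sb->s_blocksize (a power of two) */

/* Constructed model of the kernel's ea_buffer: what was really allocated
 * versus what the EA code believes it may use. The real struct only
 * carries max_size, which is exactly why the mismatch went unnoticed. */
struct ea_model {
    size_t alloc_len;
    size_t max_size;
};

static size_t round_up_block(size_t n)
{
    return (n + BLOCKSIZE - 1) & ~(size_t)(BLOCKSIZE - 1);
}

/* Original ordering in ea_get(): kmalloc(size), then round max_size up. */
struct ea_model ea_get_buggy(size_t size)
{
    struct ea_model m = { .alloc_len = size, .max_size = round_up_block(size) };
    return m;
}

/* Patched ordering: round first, then allocate exactly max_size bytes. */
struct ea_model ea_get_fixed(size_t size)
{
    struct ea_model m;
    m.max_size = round_up_block(size);
    m.alloc_len = m.max_size;
    return m;
}

/* Mirrors the ea_put() decision: a new attribute of new_len bytes is written
 * in place when used + new_len <= max_size. Returns true when that check
 * passes but the write would run past the real allocation (the KASAN report). */
bool append_overruns_allocation(struct ea_model m, size_t used, size_t new_len)
{
    size_t needed = used + new_len;
    return needed <= m.max_size && needed > m.alloc_len;
}

int main(void)
{
    /* Constructed scenario: 5000 bytes of EAs present, then a 2000-byte attribute. */
    struct ea_model bug = ea_get_buggy(5000), ok = ea_get_fixed(5000);
    printf("buggy: alloc=%zu max_size=%zu overrun=%d\n", bug.alloc_len,
           bug.max_size, append_overruns_allocation(bug, 5000, 2000));
    printf("fixed: alloc=%zu max_size=%zu overrun=%d\n", ok.alloc_len,
           ok.max_size, append_overruns_allocation(ok, 5000, 2000));
    return 0;
}
```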