From: shankarapailoor
Date: Mon, 4 Jun 2018 13:22:37 -0700
Subject: Re: Slab out of bounds in setxattr
To: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org

Hi Dave,

I've updated the patch accordingly.

Regards,
Shankara

On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp wrote:
> On 06/04/2018 01:30 PM, shankarapailoor wrote:
>> Hi Dave,
>>
>> Attached is my proposed patch. It solves the problem as you suggest
>> and I don't see the KASAN complaint.
>
> That looks good to me. Add a description and a Signed-off-by: and I'll
> get it pushed upstream.
>
> Thanks for finding this.
>
> Shaggy
>
>>
>> Regards,
>> Shankara
>>
>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote:
>>> On 06/01/2018 11:06 PM, shankarapailoor wrote:
>>>> Hi,
>>>>
>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE
>>>> then e_buf->max_size is rounded up to the nearest page size [1]. If a new
>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then
>>>> no new space is allocated for the attribute list [2] and this
>>>> triggers the KASAN slab out of bounds error. This is the case in the C
>>>> repro I provided.
>>>
>>> I see the problem. It looks like we should be calculating max_size
>>> earlier and using that to call kmalloc(). (xattr.c#496)
>>>
>>> Shaggy
>>>>
>>>>
>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501
>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723
>>>>
>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote:
>>>>> Hi Dave et al,
>>>>>
>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN:
>>>>> slab-out-of-bounds in jfs_xattr.
>>>>>
>>>>> Attached are my kernel configs and a C reproducer. In the first
>>>>> setxattr call it appears that length is much larger than the name. In
>>>>> __jfs_setxattr, I don't see where the length is checked against the
>>>>> actual value length.
>>>>>
>>>>> Regards,
>>>>> Shankara Pailoor

-- 
Regards,
Shankara Pailoor

[Attachment: jfspatch]
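A constructed C model of the allocation-versus-capacity mismatch the thread describes, added here and not part of the posted patch or the kernel's own code: ea_get_before() mirrors the original ordering (allocate size bytes, then round max_size up), ea_get_after() mirrors the fix Dave suggested (compute max_size first and allocate that), and append_would_overflow() shows when the in-place append decision would write past the real allocation. The struct layout, the model-only alloc_size field and the 4096-byte block size used below are assumptions of this illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the ea_buffer bookkeeping discussed in the thread.
 * alloc_size is added here purely so the mismatch can be checked; the
 * kernel struct has no such field. */
struct ea_buffer {
    char *xattr;        /* contiguous attribute list */
    size_t alloc_size;  /* bytes really allocated (model-only field) */
    size_t max_size;    /* capacity the rest of the code relies on */
};

static size_t round_up_to_block(size_t size, size_t blocksize)
{
    return (size + blocksize - 1) & ~(blocksize - 1);
}

/* Before the fix: the buffer is allocated with 'size' bytes, but max_size
 * is rounded up afterwards, so it can exceed the allocation. */
static int ea_get_before(struct ea_buffer *b, size_t size, size_t blocksize)
{
    b->xattr = malloc(size);
    if (!b->xattr)
        return -1;
    b->alloc_size = size;
    b->max_size = round_up_to_block(size, blocksize);
    return 0;
}

/* After the fix: max_size is computed first and the allocation uses it,
 * so the two can never disagree. */
static int ea_get_after(struct ea_buffer *b, size_t size, size_t blocksize)
{
    b->max_size = round_up_to_block(size, blocksize);
    b->xattr = malloc(b->max_size);
    if (!b->xattr)
        return -1;
    b->alloc_size = b->max_size;
    return 0;
}

/* The in-place append decision: true when the code would append without
 * growing the buffer (value fits within max_size) yet the bytes would land
 * past the real allocation, which is the slab-out-of-bounds KASAN reported. */
static bool append_would_overflow(const struct ea_buffer *b, size_t used,
                                  size_t value_len)
{
    return used + value_len <= b->max_size && used + value_len > b->alloc_size;
}
```

With a 4100-byte list and a 4096-byte block, the original ordering advertises 8192 bytes of room over a 4100-byte allocation, so a 100-byte append is accepted in place and lands out of bounds; after the fix the same append fits inside the allocation.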