Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1251562imm; Wed, 17 Oct 2018 16:27:37 -0700 (PDT) X-Google-Smtp-Source: ACcGV61XdWVNlBJAgYFoNugDo9+cjuksJGNtkmI6pVAqnYV9y6aOi9xtx89eiyn23/nV7DapZ11y X-Received: by 2002:a65:5c81:: with SMTP id a1-v6mr26136324pgt.390.1539818857223; Wed, 17 Oct 2018 16:27:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539818857; cv=none; d=google.com; s=arc-20160816; b=hYMLbMLE12rtNUWhXG8oc1C0veSMfnC8YkEb8pD9MB9Wm5s0HEY6Z/N4hrkgrmHeVv M4yhyQS/p7TKysRgwfX0pnWW9a4Vbj5dgQXAHW+6VOB9cn4+au+FrBbY8MydVB3WNvc9 BaNoOKnNDGpjduoKS/vVfs9o4zPZPIeGsKf6EXhs+CQN8yjqsyWhmKS5PZe3+x6cayZT D6p2d5DDyUxK5hJfl7lbRkl6XQ1QSjJzIqylFsFyv/ah2m5WICgyuXoFkZkVSwQMUC6R wPbQZkAQLD66g+y6LYqltzHwoxXGCIfPxVITCrf1w9ySEIwKKsIatv2jZI7cGQLunHRz Kafw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Rw5EQ4P5L5OJIAYP4PrknKXH4KzCQ/H1NPMWUsBajpg=; b=g5CQ9GFeg2JlNNp211SoJoTkT3mhD2eEkeu/sTfbenFcK1F7+2ogFELOBIV0SLvLd6 tlPlw/wT550+axQLFdZTBbLdn1nQ/V0DMTYseviWbub/aIGnADgtS3zle+nGnKA1kmjE Y4SB7mK7SwmeO4GthkAoWd3YrQdaf8c4DKifjq/KWUnK3B4IPP7gNwV0zIbm6GpZTgGl BNgq+25YiyYwK1ZfDzRcSuFZjH3QA0hyyohLj8ZRLVMuo4cvyEHfU7VuPztNXMVV2eoE PvaiRG4lYZf/yuoRLue89J0xT1zAHOt5Mss5vwZdI8NQ71PN0fK6aot1/UKBtmTPDjRV af9w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b190-v6si16319899pfb.166.2018.10.17.16.27.21; Wed, 17 Oct 2018 16:27:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727359AbeJRHPN (ORCPT + 99 others); Thu, 18 Oct 2018 03:15:13 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:38322 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726644AbeJRHPM (ORCPT ); Thu, 18 Oct 2018 03:15:12 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.90_1 #2 (Red Hat Linux)) id 1gCv3s-0001o1-Gv; Wed, 17 Oct 2018 23:17:08 +0000 Date: Thu, 18 Oct 2018 00:17:08 +0100 From: Al Viro To: Andrew Morton Cc: Colin King , linux-fsdevel@vger.kernel.org, dhowells@redhat.com, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, Vyacheslav Dubeyko , "Ernesto A. Fernndez" Subject: Re: [PATCH] hfs: fix array out of bounds read of array extent Message-ID: <20181017231708.GB32577@ZenIV.linux.org.uk> References: <20180831140538.31566-1-colin.king@canonical.com> <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181017150117.fef4f8d8e814aa2d25adba5e@linux-foundation.org> User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 17, 2018 at 03:01:17PM -0700, Andrew Morton wrote: > On Fri, 31 Aug 2018 15:05:38 +0100 Colin King wrote: > > > From: Colin Ian King > > > > Currently extent and index i are both being incremented causing > > an array out of bounds read on extent[i]. Fix this by removing > > the extraneous increment of extent. > > > > Detected by CoverityScan, CID#711541 ("Out of bounds read") > > > > Fixes: d1081202f1d0 ("HFS rewrite") > > No such commit here. I assume this is 7cb74be6fd827e314f8. > > > --- a/fs/hfs/extent.c > > +++ b/fs/hfs/extent.c > > @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) > > return 0; > > > > blocks = 0; > > - for (i = 0; i < 3; extent++, i++) > > + for (i = 0; i < 3; i++) > > blocks += be16_to_cpu(extent[i].count); > > > > res = hfs_free_extents(sb, extent, blocks, blocks); > > Well, that's quite the bug. Question is, why didn't anyone notice it. > What are the runtime effects? A disk space leak, perhaps? > > I worry a bit that, given the fs was evidently working "ok", perhaps > this error was corrected elsewhere in the code and that "fixing" this > site will have unexpected and undesirable runtime effects. Can someone > help me out here? hfs_free_extents() seems to expect the 'offset' argument to be the sum of ->count of 1--3 starting elements of extent array. In case of mismatch, it returns -EIO and that's it - hfs_free_fork() will bugger off with -EIO at that point. If it does match, block_nr is supposed to be in range 0..offset and blocks offset - block_nr .. offset - 1 are freed. So at a guess, that sucker mostly ends up leaking blocks. Said that, it means that the rest of hfs_free_fork() has never been tested. I'd suggest somebody to turn that /* panic? */ return -EIO; in hfs_free_extents() into printk(KERN_ERR "hfs_free_extents is fucked"); return -EIO; and see if it's triggerable. Then check if there's a block leak in the reproducer, whatever it is.