Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp626906pxu; Wed, 14 Oct 2020 09:35:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzuPVJiELsSydqL7drmRIgidUor0OX5VSbtNbeF7V6D8dvLiroXJ1aOMnFMqkO5bqyM897C X-Received: by 2002:a50:ba83:: with SMTP id x3mr6122739ede.238.1602693313381; Wed, 14 Oct 2020 09:35:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602693313; cv=none; d=google.com; s=arc-20160816; b=JjrmuRAF7jCnREqLtwp8QXGQmFkDulCv+Rlpl9umZ9kwhBcXWuaSuim6vDWtERGOpp 5r018nTyM5BYa+/fefLAx6NOyButOW+sBd+aXWqChrytRx/obEYuOAe1MTpdJrbpraPD J2jo7yKXxHBvcLNEhcHGHjQmzVxxCXX20dKGRdJWOxY48LCHF0V0CTJpI5cS/oY5KYPw 4HPyBPdh3uL5HvkjrR6DOtC1kPBqszLdyj7fABkj3yCE1kEnkTlIPyRrkVYeL+/fMnOx Fw2vd7JngbDmegGdiauq9enCY5e3BZtgH3i5W3wpzK4IRk1ezQkAdDcQLfY1Mf11ia8A 2Z2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=UawW9kr1VSlFsZgDsJocSNaJ6Xn7ZSJWICbrc18ExZo=; b=0RaeuzHcTjCCuxnoA7dbGsODPc1Vv5fh3ML/q1/an/nFRrpSefqc7qkligIsS3SSFM 7ZOJJEIylAXVb1vyL4/Dl0DH8WtBifcz9ta62g4uFvv7F+LUh1dpeumV0IRnIbwwJIVF nLNJxGR8t4fRHSQ9tRSOfu2J4RjMdzMAsH/sugy+5cEQAjTyvFIBtK91Lp59khg9fb2y qxTCu0ChDrO8/BicJLxPAxxSTfLUJjt1SlgFJUsycP6lbkb/uiPKbG8NCZwKHA4XgfT/ 9MDZh0yf0RC+WyJ2E03l0vDP1c/BpyfQYO0NK5uCd+EaLLz2S6n7MMy5+Cd4MI0eRE8N 35hg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="f/kAX/pv"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id op21si118010ejb.487.2020.10.14.09.34.50; Wed, 14 Oct 2020 09:35:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="f/kAX/pv"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731112AbgJNNON (ORCPT + 99 others); Wed, 14 Oct 2020 09:14:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48072 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725919AbgJNNOM (ORCPT ); Wed, 14 Oct 2020 09:14:12 -0400 Received: from mail-pg1-x543.google.com (mail-pg1-x543.google.com [IPv6:2607:f8b0:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BCB51C061755 for ; Wed, 14 Oct 2020 06:14:12 -0700 (PDT) Received: by mail-pg1-x543.google.com with SMTP id x13so1934702pgp.7 for ; Wed, 14 Oct 2020 06:14:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=UawW9kr1VSlFsZgDsJocSNaJ6Xn7ZSJWICbrc18ExZo=; b=f/kAX/pvagRkeIdnKXg+eLk1YQEk8AEaSMO4v/LAVYvP9aXQ7OTpenGA2Rt5D3rPdz 9bos2WL/Li5bhZSEKkSLHSRWQh9fdnr2OkZnrZrcp7Z94LP8r3maCBQFCFYHdrTilqE1 Xg/nHZJlGyNPZTsYoKnN+oQGmixOkHfnOywaqQqyzN6v0tLpxFX1KopZ4VpYO6Myf7e6 JsrCEYpJmqWTwVqQFnifj86I7K7zAybo3a3Cjg+1aMkqNb/JQrezvJQa3jaV7Ngp5k9o h1A5SEjXvly0shYu332fHNUlFNUCp8ZSJVg3d8iLBA1BonYHZJBefZYHdrw5NzITkeod F80w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=UawW9kr1VSlFsZgDsJocSNaJ6Xn7ZSJWICbrc18ExZo=; b=PdBBJ1eI6qNNekZqq0BWw0OrdxvjIiXBoSSxCDhIIWcYBiBCX+dteSRxtIRejU/5Vq e6d+XdUy2JCOD0T0UAOaA8lGy1Oj6O7JQIkMcDAyrn/pn/tvGmZ+Us6UujuCSNivZ9bB V48Ahe22U+K/jf0yCMyZ9FehVejn66IGBOAeedMTiHjog1rqTUjegWHhl78+23F12+Xu aSVHPW7Id0EkmRhkqRylcNwcPDSlSMukLU6pI1PYnA9fgfz/PdCBoObLy/aAYc3tzeUO Zfm79aM7n3g2GNVlaEIEnPi67ghf4sgag5h7xGcapqt8OM3YkkjZlZPK7KPIm0OG2Xpg xm7g== X-Gm-Message-State: AOAM532SCU+vQK7moBwgydAWA2nJIMj6GmT/+j2bsPRLgAocdqsQrp7K 7u90pexda2PmRmHmxGhkH8naUICm/XYrJuKpR/c= X-Received: by 2002:aa7:9358:0:b029:152:b349:8af8 with SMTP id 24-20020aa793580000b0290152b3498af8mr4352952pfn.9.1602681251951; Wed, 14 Oct 2020 06:14:11 -0700 (PDT) Received: from [192.168.0.104] ([49.207.205.44]) by smtp.gmail.com with ESMTPSA id p6sm3327907pjd.1.2020.10.14.06.14.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 14 Oct 2020 06:14:11 -0700 (PDT) Subject: Re: [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() To: Andrew Price Cc: rpeterso@redhat.com, agruenba@redhat.com, cluster-devel@redhat.com, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com, Fox Chen References: <20201013152648.438887-1-anant.thazhemadam@gmail.com> From: Anant Thazhemadam Message-ID: <48a1f8ca-54ce-09f4-45c2-b1091d4e358a@gmail.com> Date: Wed, 14 Oct 2020 18:44:06 +0530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 14/10/20 6:34 pm, Andrew Price wrote: > On 13/10/2020 16:26, Anant Thazhemadam wrote: >> In gfs2_read_sb(), if the condition >>     (d != sdp->sd_heightsize[x - 1] || m) >> isn't satisfied (in the first 11 iterations), the loop continues, >> and begins to perform out-of-bounds access. >> Fix this out-of-bounds access by introducing a condition in the for loop >> that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are >> accessed. >> >> In addition to this, if the above condition is satisfied when >> x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks >> out of the loop, then an out-of-bounds access is performed again while >> assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and >> also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would >> fail. >> Fix this out-of-bounds access and ensure that the assertion doesn't fail >> by introducing another variable "index", which keeps track of the last >> valid value of x (pre-increment) that can be used. > > That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size. > I see. Thanks for the review! I'll send in a v2 that implements this check soon enough. Thanks, Anant