Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp805813pxu; Wed, 14 Oct 2020 14:25:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyrt6u6XVIa3du3NG3Zx/eav5ms432Y47b0Gg55fq6dWaMvA71swiOash8dF2mslDBtsS2v X-Received: by 2002:aa7:c9c3:: with SMTP id i3mr1031234edt.236.1602710737168; Wed, 14 Oct 2020 14:25:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602710737; cv=none; d=google.com; s=arc-20160816; b=gH3bSZkNduV2GbyjbxdVBqm9cSPzEFKyKnqqaloqdD0rZ5iiAUfUFVAjHT0xfNzBnG gB8+/e5vYhEqMdhajJenNKAQx2DKjNaur1UK6Spo+8M1yJqE4a9xcB4ho1hJENSrXgFu pSL/W9CQ0Hu3HR/+IFybJu6uEaJsqQPCoNqXtHAHYDZu1V0q06dtFxxhjL+j04/q1pw5 UlCxizJcPXvld3RpqhvVOd5ampdqxH22Q6mr+YLSTZ8kMXKSTlD6z161ZD2sqN4cNfZc v7EPW/B6nTbwnTl5x39tdZASmfIXH4RgW5o7cHwqO4TozHXf83Ug1G2sHspJ3HxJp8Ka 4/ZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=SEeiR89yjI9xFVeEVUoUu9rdjXMwFKArbd3q8yMhdnk=; b=NrjdgXBN1wCyZH5nRMJ2sCtyZzKjoLbAk1UXdaeeuzrIbCwSC6YMURYAjMt30W51uE OHkBcGNHKxKL0XQN6p/SkGv4U+UBFR+gB7BnewQA2P6llNI7y4BrgPFaUlrWmpwp6OKr mvKJtZHIcJjR56ccWNg7fsciRre8tOrX2HsbVE81Hox2t9B9B5KlECitNYLp930GVA9G CFGJQfJQF2yCJOop3pus6z/J6jH/5xThI+3tyw/ttDWhZxA/Oxpocpe/InQq9E6AxtMP GEpY+SR/kIZ3k7tUV7Vy4fM2WoBoXl/kqrLp34RIo8vCJnItU8fZxHT98CQM0r0D/4xP 9C4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fJ4C9Zaw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h6si668358ejd.632.2020.10.14.14.25.14; Wed, 14 Oct 2020 14:25:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fJ4C9Zaw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731040AbgJNNEW (ORCPT + 99 others); Wed, 14 Oct 2020 09:04:22 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:54628 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727141AbgJNNEW (ORCPT ); Wed, 14 Oct 2020 09:04:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1602680660; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SEeiR89yjI9xFVeEVUoUu9rdjXMwFKArbd3q8yMhdnk=; b=fJ4C9Zawnvf1DyKMAbSMo6RD2s2x+Xaqq8yczMkjN13FmwfDYjPv/PvHTjWiWLO/5tNI4I 8iCzq7bCpPh31niwR1AKoLqgFhIrPWwM2Pk39uoVIk7CXHM8CK71Ua+4x2ytvOp7L4bE/j LpqsNvQN2XfLuGtHV59eKsr2t0Q5GKo= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-521-djCRKjCEOcqbxFgj6vXNrg-1; Wed, 14 Oct 2020 09:04:18 -0400 X-MC-Unique: djCRKjCEOcqbxFgj6vXNrg-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CF9F09CC0C; Wed, 14 Oct 2020 13:04:16 +0000 (UTC) Received: from [10.33.36.138] (unknown [10.33.36.138]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4DC815D9D5; Wed, 14 Oct 2020 13:04:11 +0000 (UTC) Subject: Re: [Cluster-devel] [PATCH] fs: gfs2: prevent OOB access in gfs2_read_sb() To: Anant Thazhemadam Cc: rpeterso@redhat.com, agruenba@redhat.com, cluster-devel@redhat.com, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com, Fox Chen References: <20201013152648.438887-1-anant.thazhemadam@gmail.com> From: Andrew Price Message-ID: Date: Wed, 14 Oct 2020 14:04:10 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: <20201013152648.438887-1-anant.thazhemadam@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/10/2020 16:26, Anant Thazhemadam wrote: > In gfs2_read_sb(), if the condition > (d != sdp->sd_heightsize[x - 1] || m) > isn't satisfied (in the first 11 iterations), the loop continues, > and begins to perform out-of-bounds access. > Fix this out-of-bounds access by introducing a condition in the for loop > that ensures that no more than GFS2_MAX_META_HEIGHT + 1 elements are > accessed. > > In addition to this, if the above condition is satisfied when > x = GFS2_MAX_META_HEIGHT (which = 10), and the flow of control breaks > out of the loop, then an out-of-bounds access is performed again while > assigning sdp->sd_heightsize[x] = ~0 (since x would be 11 now.), and > also the assertion that spd->sd_max_height <= GFS2_MAX_META_HEIGHT would > fail. > Fix this out-of-bounds access and ensure that the assertion doesn't fail > by introducing another variable "index", which keeps track of the last > valid value of x (pre-increment) that can be used. That's not quite the right approach. Your analysis below is correct: the problem stems from the block size in the superblock being zeroed by the fuzzer. So the correct fix would be to add a validation check for sb_bsize (gfs2_check_sb() is lacking somewhat). Valid values are powers of 2 between 512 and the page size. Just a heads-up to avoid duplication of effort: Fox Chen (CCed) has attempted to fix this also[1], but I don't know if they plan to send another patch. [1] https://www.redhat.com/archives/cluster-devel/2020-October/msg00006.html Thanks, Andy > Reported-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com > Tested-by: syzbot+a5e2482a693e6b1e444b@syzkaller.appspotmail.com > Signed-off-by: Anant Thazhemadam > --- > > I have one question here (potentially a place where I suspect this > patch could have a fatal flaw and might need some rework). > > sdp->sd_max_height = x; > sdp->sd_heightsize[x] = ~0; > > Were these lines written with the logic that the value of x would be > equal to (sdp->sd_heightsize[]'s last index filled in by the loop) + 1? > Or, is the expected value of x at these lines equal to > (sdp->sd_heightsize[]'s last index as filled in by the loop)? > I would appreciate it if someone could clarify for me, how this would > hold against the second potential out-of-bounds access I mentioned in my > commit message. > > An additional comment (which I feel is of some significance) on this. > Reproducing the crash locally, I could infer that sdp->sd_fsb2bb_shift > sdp->sd_sb.sb_bsize, sdp->sd_sb.sb_bsize_shift, and sdp->sd_inptrs > were all 0. > This by extension also means that in gfs2_read_sb(), all the attributes > whose values were determined by performing some sort of calculation > involving any one of these variables all resulted in either 0 or a > negative value. > Simply doing the math will also show how this was also the primary reason > this OOB access occured in the first place. > However, I still feel that gfs2_read_sb() could do with this bit of checking, > since it fundamentally prevents OOB accesses from occuring in gfs2_read_sb() > in all scenarios. > Anyways, coming back to my initial point. Can having values like that be > considered unacceptable and as something that needs to be handled (at > gfs2_fill_super() maybe?) or is this non-anomalous behaviour and okay? > > fs/gfs2/ops_fstype.c | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) > > diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c > index 6d18d2c91add..66ee8fb06ab9 100644 > --- a/fs/gfs2/ops_fstype.c > +++ b/fs/gfs2/ops_fstype.c > @@ -281,7 +281,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) > { > u32 hash_blocks, ind_blocks, leaf_blocks; > u32 tmp_blocks; > - unsigned int x; > + unsigned int x, index; > int error; > > error = gfs2_read_super(sdp, GFS2_SB_ADDR >> sdp->sd_fsb2bb_shift, silent); > @@ -329,20 +329,21 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent) > sdp->sd_heightsize[0] = sdp->sd_sb.sb_bsize - > sizeof(struct gfs2_dinode); > sdp->sd_heightsize[1] = sdp->sd_sb.sb_bsize * sdp->sd_diptrs; > - for (x = 2;; x++) { > + for (x = 2; x <= GFS2_MAX_META_HEIGHT; x++) { > u64 space, d; > u32 m; > > - space = sdp->sd_heightsize[x - 1] * sdp->sd_inptrs; > + index = x; > + space = sdp->sd_heightsize[index - 1] * sdp->sd_inptrs; > d = space; > m = do_div(d, sdp->sd_inptrs); > > - if (d != sdp->sd_heightsize[x - 1] || m) > + if (d != sdp->sd_heightsize[index - 1] || m) > break; > - sdp->sd_heightsize[x] = space; > + sdp->sd_heightsize[index] = space; > } > - sdp->sd_max_height = x; > - sdp->sd_heightsize[x] = ~0; > + sdp->sd_max_height = index; > + sdp->sd_heightsize[index] = ~0; > gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT); > > sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize - >