Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4014969pxf; Mon, 22 Mar 2021 23:45:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxUGmyeTrE4ZnL4YlMI6SxFDaGMl7drPCqQace1bW37W1XR630BoxMoCgHo5+wkiDR3ao9G X-Received: by 2002:a17:906:4f10:: with SMTP id t16mr3354062eju.531.1616481944885; Mon, 22 Mar 2021 23:45:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616481944; cv=none; d=google.com; s=arc-20160816; b=XakkgJ4mhv2E5EDoSlP2SMhRjm/c7BxkuBMRO9bXtQou8ZiXcTYU5wMi9SN0pmM4j/ Vry/T0exgD8uxUtAYJ8UplK4epZUW+S/LtPWHjviFqyDdD+E9dqz9asXdLK2g3e+fG1L aHt0Lu0X2DZD1xtrXGdj3ukFTQ1XkgVhltl8ilXuWzz/NLFVcSzRfrCTCIF2KZrHPBz7 NcymAr6JzUG5PX8c+jeeNMvHeInLE2IvVGMTcBDkqq8wc+6ql6PUu05xzvCa5Dt7rTec W83lzdQ7vd+MFZsGEZlvs1ve31HFvYYpoKpDrxt8c3NLWLxIUUgdchqDANqekoRMGPx8 MW3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=7nu1K4MT3wGXLy7DZ43MSBFKzg1KQj/b4Hr69+9iSMM=; b=pF3uLf6k1jIan6O0qPQd/7xrm0pEYW5dUDbtDenfdv/Bo/S0tTjeAGJ84WU10wVR/L 8dvUBsIqftNyWVyqLfaKfjH7HjYCRW0Fp8MljwwCXFVAXLf/zQGbAOsfshMOpZjsdtcN NVKgYMw9BTApzBnr9U6GOsa2TPO3/67lfCEjwcEYpCyCAkBqy2wJMOp7fLNVKijmse4T ovvldb+PhfDLOzPTXcBBvSFgngBjxC+17DRle3NHqF7kjdbkbE4z270hYDiid+8SUtGO pBS3EEfDp+8xL7afhVPoFBvS7MzBDXo8dUKc2FSLAhG3vKk+sTKYR8UmPVumRktzWzZj Lk3w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n4si13414148ejz.464.2021.03.22.23.45.22; Mon, 22 Mar 2021 23:45:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229992AbhCWGoF (ORCPT + 99 others); Tue, 23 Mar 2021 02:44:05 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:13663 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229904AbhCWGnh (ORCPT ); Tue, 23 Mar 2021 02:43:37 -0400 Received: from DGGEMS407-HUB.china.huawei.com (unknown [172.30.72.58]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4F4MFs022sznV7F; Tue, 23 Mar 2021 14:41:05 +0800 (CST) Received: from [10.136.110.154] (10.136.110.154) by smtp.huawei.com (10.3.19.207) with Microsoft SMTP Server (TLS) id 14.3.498.0; Tue, 23 Mar 2021 14:43:29 +0800 Subject: Re: [PATCH] f2fs: fix to avoid out-of-bounds memory access To: butt3rflyh4ck CC: , , LKML , References: <20210322114730.71103-1-yuchao0@huawei.com> From: Chao Yu Message-ID: Date: Tue, 23 Mar 2021 14:43:29 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8"; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.136.110.154] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi butt3rflyh4ck, On 2021/3/23 13:48, butt3rflyh4ck wrote: > Hi, I have tested the patch on 5.12.0-rc4+, it seems to fix the problem. Thanks for helping to test this patch. Thanks, > > Regards, > butt3rflyh4ck. > > > On Mon, Mar 22, 2021 at 7:47 PM Chao Yu wrote: >> >> butt3rflyh4ck reported a bug found by >> syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]: >> >> dump_stack+0xfa/0x151 lib/dump_stack.c:120 >> print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232 >> __kasan_report mm/kasan/report.c:399 [inline] >> kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 >> f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline] >> current_nat_addr fs/f2fs/node.h:213 [inline] >> get_next_nat_page fs/f2fs/node.c:123 [inline] >> __flush_nat_entry_set fs/f2fs/node.c:2888 [inline] >> f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991 >> f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640 >> f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807 >> f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454 >> __sync_filesystem fs/sync.c:39 [inline] >> sync_filesystem fs/sync.c:67 [inline] >> sync_filesystem+0x1b5/0x260 fs/sync.c:48 >> generic_shutdown_super+0x70/0x370 fs/super.c:448 >> kill_block_super+0x97/0xf0 fs/super.c:1394 >> >> The root cause is, if nat entry in checkpoint journal area is corrupted, >> e.g. nid of journalled nat entry exceeds max nid value, during checkpoint, >> once it tries to flush nat journal to NAT area, get_next_nat_page() may >> access out-of-bounds memory on nat_bitmap due to it uses wrong nid value >> as bitmap offset. >> >> [1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u >> >> Reported-by: butt3rflyh4ck >> Signed-off-by: Chao Yu >> --- >> fs/f2fs/node.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c >> index caf43970510e..8311b2367c7c 100644 >> --- a/fs/f2fs/node.c >> +++ b/fs/f2fs/node.c >> @@ -2790,6 +2790,9 @@ static void remove_nats_in_journal(struct f2fs_sb_info *sbi) >> struct f2fs_nat_entry raw_ne; >> nid_t nid = le32_to_cpu(nid_in_journal(journal, i)); >> >> + if (f2fs_check_nid_range(sbi, nid)) >> + continue; >> + >> raw_ne = nat_in_journal(journal, i); >> >> ne = __lookup_nat_cache(nm_i, nid); >> -- >> 2.29.2 >> > . >