Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2767411pxb; Thu, 3 Feb 2022 13:59:41 -0800 (PST) X-Google-Smtp-Source: ABdhPJxUQvubq2wkD0eZIG05Kprr4B8xq/G2SnF1IaeIx5fBsAb+PMiVXeakv90ntCtl1Nslg+2y X-Received: by 2002:a17:90b:4c06:: with SMTP id na6mr16194930pjb.37.1643925581448; Thu, 03 Feb 2022 13:59:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643925581; cv=none; d=google.com; s=arc-20160816; b=o1jCJWLIbDrKxhF5kEnmSO73qQ+rKizvsUgNHZEh+j7QEW+bKLv/CtvBnb9AL5R75n nqU2Qz8UA1HAAKrm21+ei0NUoAGG62dUuIy+FBZwnvuokFiNsbMCH8QF3tphTp2gE4Q/ 8td7FKYSYcizU5U73yinfJP/QHHeIFaB4rWPrQR0HKQy3v3fNWUqxZALlxV4dF2knAhz vwk/8wu5ArZe5Oiqz3JZunPhWmcpv33GHzorE2AiV4xaVqmLwXpm6xwpcMdEUswuu+A1 3OgFF0A0Y6TBoKPQmTatnaoHHPszBGTwdLSmF/p/rplXe55p2ahc+OSwV+BkaVWWB2de yt7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:in-reply-to:date:subject:cc:to:from:user-agent :references:dkim-signature; bh=6Q5oK/Wqo/jJURiLu01rJD0zyv5nHsMb5jhB2hwDQQ8=; b=FDAGfU5O39fVe/Op+U4wlm0lpDgRBAjq42wF5KgODw3bkW1KcsIHUf3mvuaDT5PXbF 3a+mlPTZo/rlte7EiJk5Kad5+f0iqkRLgqvfitMKzzH5CG7GgocEJTyqEBS0rF6wP/h0 InTesNSEb0kkdq+w1CVuirVtnWcHIWnan/zPE9NcXGJc3Gf98gcyWwq6qvXOb4DSjZNy fMls8C1pCBGcp/BukGoQLIamLkndccPcwmffwU/vZxdapxLGMk/t8QQQ43lFC1MITbI1 asbVshWy0kUrAdZV3MYstPdcFogVlxFTbmTbE05Pg9KmIpwiESQGCCLdpr+f12ys8uSM alrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@inbox.eu header.s=20140211 header.b=QbDZ+AbN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id my10si10856848pjb.171.2022.02.03.13.59.30; Thu, 03 Feb 2022 13:59:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@inbox.eu header.s=20140211 header.b=QbDZ+AbN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241412AbiBCNdK (ORCPT + 99 others); Thu, 3 Feb 2022 08:33:10 -0500 Received: from eu-shark1.inbox.eu ([195.216.236.81]:51666 "EHLO eu-shark1.inbox.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232242AbiBCNdJ (ORCPT ); Thu, 3 Feb 2022 08:33:09 -0500 Received: from eu-shark1.inbox.eu (localhost [127.0.0.1]) by eu-shark1-out.inbox.eu (Postfix) with ESMTP id CAA086C0071B; Thu, 3 Feb 2022 15:33:07 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=inbox.eu; s=20140211; t=1643895187; bh=5CWjScT1XW8d+nIOT0i4Q+4qvhjMs70lGC/mjHRVjIY=; h=References:From:To:Cc:Subject:Date:In-reply-to:Message-ID: Content-Type:X-ESPOL:from:date:to:cc; b=QbDZ+AbNbJpIH19pupUPjNn8t9Kn8yIi/BIE0k5tVF8HGZog91F2LStaomVMKuWm7 0pcT6zXr6qFciYcsKcx7eGR8qP3LP5E+APCdpy+FCYFYJDAPgAxL51SCArYl1ks/Lf 1qrtTb1Hnw5wyUtiHcAxeFQ72z+LGoui/XnKVLc0= Received: from localhost (localhost [127.0.0.1]) by eu-shark1-in.inbox.eu (Postfix) with ESMTP id BB8676C00715; Thu, 3 Feb 2022 15:33:07 +0200 (EET) Received: from eu-shark1.inbox.eu ([127.0.0.1]) by localhost (eu-shark1.inbox.eu [127.0.0.1]) (spamfilter, port 35) with ESMTP id hPg7AAATWSB6; Thu, 3 Feb 2022 15:33:07 +0200 (EET) Received: from mail.inbox.eu (eu-pop1 [127.0.0.1]) by eu-shark1-in.inbox.eu (Postfix) with ESMTP id 5F7006C006BE; Thu, 3 Feb 2022 15:33:07 +0200 (EET) References: <20220202214455.15753-1-davispuh@gmail.com> <20220202214455.15753-2-davispuh@gmail.com> User-agent: mu4e 1.7.0; emacs 27.2 From: Su Yue To: =?utf-8?B?RMSBdmlzIE1vc8SBbnM=?= Cc: linux-btrfs@vger.kernel.org, Chris Mason , Josef Bacik , David Sterba , linux-kernel@vger.kernel.org Subject: Re: [PATCH 2/2] btrfs: prevent copying too big compressed lzo segment Date: Thu, 03 Feb 2022 21:26:20 +0800 In-reply-to: <20220202214455.15753-2-davispuh@gmail.com> Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: OK X-ESPOL: 6NpmlYxOGzysiV+lRWetewt38GpVJY3o+ue5zhxdnmX7NS+afEgJTHLEkGpqPg+1xF8X Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed 02 Feb 2022 at 23:44, D=C4=81vis Mos=C4=81ns =20 wrote: > Compressed length can be corrupted to be a lot larger than=20 > memory > we have allocated for buffer. > This will cause memcpy in copy_compressed_segment to write=20 > outside > of allocated memory. > > This mostly results in stuck read syscall but sometimes when=20 > using > btrfs send can get #GP > > kernel: general protection fault, probably for non-canonical=20 > address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI > kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P=20 > OE 5.17.0-rc2-1 #12 > kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs] > kernel: RIP: 0010:lzo_decompress_bio=20 > (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322=20 > fs/btrfs/lzo.c:394) btrfs > Code starting with the faulting instruction > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > 0:* 48 8b 06 mov (%rsi),%rax=20 > <-- trapping instruction > 3: 48 8d 79 08 lea 0x8(%rcx),%rdi > 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi > b: 48 89 01 mov %rax,(%rcx) > e: 44 89 f0 mov %r14d,%eax > 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx > kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 > kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX:=20 > ffff98996e6d8ff8 > kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI:=20 > ffffffff9500435d > kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09:=20 > 0000000000000000 > kernel: R10: 0000000000000000 R11: 0000000000001000 R12:=20 > ffff98996e6d8000 > kernel: R13: 0000000000000008 R14: 0000000000001000 R15:=20 > 000841551d5c1000 > kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000)=20 > knlGS:0000000000000000 > kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4:=20 > 00000000003506e0 > kernel: Call Trace: > kernel: > kernel: end_compressed_bio_read (fs/btrfs/compression.c:104=20 > fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs > kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs > kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs > kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27=20 > ./include/linux/jump_label.h:212=20 > ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) > kernel: worker_thread (./include/linux/list.h:292=20 > kernel/workqueue.c:2455) > kernel: ? process_one_work (kernel/workqueue.c:2397) > kernel: kthread (kernel/kthread.c:377) > kernel: ? kthread_complete_and_exit (kernel/kthread.c:332) > kernel: ret_from_fork (arch/x86/entry/entry_64.S:301) > kernel: > > Signed-off-by: D=C4=81vis Mos=C4=81ns > --- > fs/btrfs/lzo.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/fs/btrfs/lzo.c b/fs/btrfs/lzo.c > index 31319dfcc9fb..ebaa5083f2ae 100644 > --- a/fs/btrfs/lzo.c > +++ b/fs/btrfs/lzo.c > @@ -383,6 +383,13 @@ int lzo_decompress_bio(struct list_head=20 > *ws, struct compressed_bio *cb) > kunmap(cur_page); > cur_in +=3D LZO_LEN; > > + if (seg_len > WORKSPACE_CBUF_LENGTH) { > + // seg_len shouldn't be larger than we=20 > have allocated for workspace->cbuf > Makes sense. Is the corrupted lzo compressed extent produced by a normal fs or crafted manually? If it is from a normal fs, something insane=20 happened in extent compressed path. -- Su > + btrfs_err(fs_info, "unexpectedly large lzo=20 > segment len %u", seg_len); > + ret =3D -EUCLEAN; > + goto out; > + } > + > /* Copy the compressed segment payload into=20 > workspace */ > copy_compressed_segment(cb, workspace->cbuf,=20 > seg_len, &cur_in);