Date: Mon, 26 Dec 2022 19:45:59 +0400
From: Konstantin Komarov
To: Shigeru Yoshida
Subject: Re: [PATCH] fs/ntfs3: Fix slab-out-of-bounds in ntfs_trim_fs()
In-Reply-To: <20221130145705.488351-1-syoshida@redhat.com>
References: <20221130145705.488351-1-syoshida@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 30.11.2022 18:57, Shigeru Yoshida wrote:
> ntfs_trim_fs() should loop with wnd->nwnd, not wnd->nbits. KASAN
> detects this as an out-of-bounds access like below:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in ntfs_trim_fs (fs/ntfs3/bitmap.c:1434)
> Read of size 2 at addr ffff8881745b4f02 by task repro/19678
>
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-2.fc37 04/01/2014
> Call Trace:
>
> dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
> print_report (mm/kasan/report.c:285 mm/kasan/report.c:395)
> ? __virt_addr_valid (arch/x86/mm/physaddr.c:66)
> ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
> ? ntfs_trim_fs (fs/ntfs3/bitmap.c:1434)
> ? ntfs_trim_fs (fs/ntfs3/bitmap.c:1434)
> kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
> ? ntfs_trim_fs (fs/ntfs3/bitmap.c:1434)
> ntfs_trim_fs (fs/ntfs3/bitmap.c:1434)
> ntfs_ioctl (fs/ntfs3/file.c:41 fs/ntfs3/file.c:57)
> ? ntfs_fiemap (fs/ntfs3/file.c:51)
> ? bpf_lsm_file_ioctl (./include/linux/lsm_hook_defs.h:165)
> ? ntfs_fiemap (fs/ntfs3/file.c:51)
> __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
> do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>
> Signed-off-by: Shigeru Yoshida
> ---
>  fs/ntfs3/bitmap.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ntfs3/bitmap.c b/fs/ntfs3/bitmap.c
> index e92bbd754365..1930640be31a 100644
> --- a/fs/ntfs3/bitmap.c
> +++ b/fs/ntfs3/bitmap.c
> @@ -1424,7 +1424,7 @@ int ntfs_trim_fs(struct ntfs_sb_info *sbi, struct fstrim_range *range)
>
>  	down_read_nested(&wnd->rw_lock, BITMAP_MUTEX_CLUSTERS);
>
> -	for (; iw < wnd->nbits; iw++, wbit = 0) {
> +	for (; iw < wnd->nwnd; iw++, wbit = 0) {
>  		CLST lcn_wnd = iw * wbits;
>  		struct buffer_head *bh;
>

Thanks for the work, this bug has already been fixed:
https://lore.kernel.org/ntfs3/20221001070024.1366018-1-abdun.nihaal@gmail.com/
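Review bot: the commit message carries only a Signed-off-by and no Fixes: tag, yet the hunk corrects a KASAN-reported slab-out-of-bounds read (fs/ntfs3/bitmap.c:1434) reachable from ntfs_ioctl(); add a Fixes: tag naming the commit that introduced the loop, and Cc: stable, so the one-line bound change is picked up by stable trees. The bound change itself is consistent with the surrounding context: iw is used as a window index (`CLST lcn_wnd = iw * wbits;`), so the loop must stop at the window count wnd->nwnd rather than the bit count wnd->nbits, which is larger and walks past the end of the window array. Since an equivalent fix has already landed via the ntfs3 patch linked in the reply, this submission should be dropped or rebased on top of it rather than applied as-is.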