From: Wang Shilong
Date: Mon, 30 Dec 2019 19:38:33 +0800
Subject: Re: [PATCH 2/2] e2fsck: fix use after free in calculate_tree()
To: Ext4 Developers List
Cc: Andreas Dilger, Li Xi, Wang Shilong
In-Reply-To: <1574759039-7429-2-git-send-email-wangshilong1991@gmail.com>
References: <1574759039-7429-1-git-send-email-wangshilong1991@gmail.com> <1574759039-7429-2-git-send-email-wangshilong1991@gmail.com>
X-Mailing-List: linux-ext4@vger.kernel.org

Ping...

On Tue, Nov 26, 2019 at 5:04 PM Wang Shilong wrote:
>
> From: Wang Shilong
>
> Hit the following segfault randomly when running the f_large_dir test:
>
> +Signal (11) SIGSEGV si_code=SEGV_MAPERR fault addr=0x7f02cfffbc1a
> +../e2fsck/e2fsck[0x43766e]
> +/lib64/libpthread.so.0(+0xf7e0)[0x7f02d8c9a7e0]
> +../e2fsck/e2fsck(e2fsck_rehash_dir+0x10f3)[0x436173]
> +../e2fsck/e2fsck(e2fsck_rehash_directories+0xf4)[0x4362d4]
> +../e2fsck/e2fsck(e2fsck_pass3+0x722)[0x4292c2]
> +../e2fsck/e2fsck(e2fsck_run+0x47)[0x414ef7]
> +../e2fsck/e2fsck(main+0x1c1d)[0x41319d]
> +/lib64/libc.so.6(__libc_start_main+0x100)[0x7f02d8915d20]
> +../e2fsck/e2fsck[0x40fc59]
> +Exit status is 8
>
> gdb output is:
> 0x436173 is in e2fsck_rehash_dir (rehash.c:752).
> warning: Source file is more recent than executable.
> 747 dx_ent->hash =
> 748 ext2fs_cpu_to_le32(outdir->hashes[i]);
> 749 dx_ent++;
> 750 c3--;
> 751 }
> 752 int_limit->count = ext2fs_cpu_to_le16(limit->limit - c2);
> 753 int_limit->limit = ext2fs_cpu_to_le16(limit->limit);
> 754
> 755 limit->count = ext2fs_cpu_to_le16(limit->limit - c3);
> 756 limit->limit = ext2fs_cpu_to_le16(limit->limit);
>
> The problem is that alloc_blocks() will call get_next_block(),
> which might reallocate @outdir->buf, and the memory address
> could be changed after this. @int_limit and @root should
> be recalculated based on the new start address. Otherwise,
> it will try to access freed memory and cause SEGV_MAPERR
> errors.
>
> Signed-off-by: Wang Shilong
> ---
> e2fsck/rehash.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
> index 5250652e..0eb99328 100644
> --- a/e2fsck/rehash.c
> +++ b/e2fsck/rehash.c
> @@ -636,6 +636,9 @@ static int alloc_blocks(ext2_filsys fs, > if (retval) > return retval; > > + /* outdir->buf might be reallocated */ > + *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset); > + > *next_ent = set_int_node(fs, block_start); > *limit = (struct ext2_dx_countlimit *)(*next_ent); > if (next_offset)
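Review bot: the added `*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);` dereferences `prev_offset` unconditionally, while the context three lines below guards `next_offset` with `if (next_offset)` and the calculate_tree() call site passes NULL for one of the offset arguments; if any caller can pass NULL for `prev_offset` too, this is a NULL dereference, so either guard it the same way or state in a comment that `prev_offset` is mandatory. The recomputation is only correct when `*prev_offset` already holds the offset of `*prev_ent` from the start of `outdir->buf` before get_next_block() ran, which the hunk does not show; a comment (or an assert) stating that invariant would make the fix reviewable on its own. The comment `/* outdir->buf might be reallocated */` would be more useful if it named the cause, e.g. that get_next_block() may realloc `outdir->buf` and so invalidate `*prev_ent`.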
> @@ -725,12 +728,18 @@ static errcode_t calculate_tree(ext2_filsys fs, > return retval; > } > if (c3 == 0) { > + int delta1 = int_offset;; > + int delta2 = (char *)root - outdir->buf; > + > retval = alloc_blocks(fs, &limit, &int_ent, > &dx_ent, &int_offset, > NULL, outdir, i, &c2, > &c3); > if (retval) > return retval; > + /* outdir->buf might be reallocated */ > + int_limit = (struct ext2_dx_countlimit *)(outdir->buf + delta1); > + root = (struct ext2_dx_entry *)(outdir->buf + delta2); > > } > dx_ent->block = ext2fs_cpu_to_le32(i); > -- > 2.21.0 >
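Review bot: `int delta1 = int_offset;;` has a stray second semicolon. More substantively, `delta1` is taken from `int_offset` while `delta2` is computed as `(char *)root - outdir->buf`, so the two saved offsets are derived by different routes and the first silently assumes `int_limit == outdir->buf + int_offset`; computing `delta1 = (char *)int_limit - outdir->buf` the same way as `delta2` removes that assumption and is self-evidently the inverse of the recomputation `outdir->buf + delta1` below. A pointer difference should be stored as `ptrdiff_t` (or the type of `int_offset`) rather than `int`, and names such as `int_limit_off` and `root_off` would say what the values are where `delta1`/`delta2` do not.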
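The hazard the commit message describes, as an added example that is not part of this mail or of e2fsprogs: a raw pointer into a buffer that a callee may reallocate is dangling after the call, and the only safe thing to carry across the call is the byte offset from the buffer base, from which the pointer is re-derived afterwards (the `delta` / `outdir->buf + delta` pattern in the patch). Every name here (`struct outbuf`, `grow_buffer`, `entry_at`, `in_live_buffer`, the offsets and hash values) is a constructed stand-in for `outdir` and `get_next_block()`, and `grow_buffer` deliberately moves the buffer on every call so that the failure is deterministic, whereas a real `realloc()` only moves sometimes, which is why the original crash appeared "randomly".

```c
/*
 * Added illustration, not e2fsprogs code: keeping a pointer into a growable
 * buffer across a call that may reallocate it is a use-after-free; keep the
 * offset instead and re-derive the pointer from the current base afterwards.
 * All identifiers below are hypothetical stand-ins for the e2fsck rehash code.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 64          /* constructed: small so growth is cheap */

struct dx_entry {              /* stand-in for struct ext2_dx_entry */
    uint32_t hash;
    uint32_t block;
};

struct outbuf {                /* stand-in for outdir: buf grows block by block */
    char   *buf;
    size_t  nblocks;
};

/*
 * Append one zeroed block. Allocates the new buffer before freeing the old
 * one, so the base address changes on every call: that makes the dangling
 * pointer reproducible, while realloc() moving only sometimes is exactly what
 * makes the real bug intermittent.
 */
static int grow_buffer(struct outbuf *out)
{
    size_t oldsize = out->nblocks * BLOCK_SIZE;
    char *nbuf = malloc(oldsize + BLOCK_SIZE);
    if (!nbuf)
        return -1;
    if (oldsize)
        memcpy(nbuf, out->buf, oldsize);
    memset(nbuf + oldsize, 0, BLOCK_SIZE);
    free(out->buf);            /* every pointer into the old buf now dangles */
    out->buf = nbuf;
    out->nblocks++;
    return 0;
}

/* Re-derive an entry pointer from the *current* base and a saved byte offset. */
static struct dx_entry *entry_at(const struct outbuf *out, size_t off)
{
    return (struct dx_entry *)(out->buf + off);
}

/* Is this address inside the live buffer? Compared as integers, so a stale
 * pointer value can be checked without dereferencing or comparing it as a
 * pointer. */
static int in_live_buffer(const struct outbuf *out, uintptr_t addr)
{
    uintptr_t lo = (uintptr_t)out->buf;
    uintptr_t hi = lo + out->nblocks * BLOCK_SIZE;
    return addr >= lo && addr < hi;
}

/*
 * The buggy pattern: the pointer taken before grow_buffer() is kept across
 * the call. Returns 1 if that pointer no longer lies in the live buffer
 * (it is never dereferenced here; doing so is the SIGSEGV in the report),
 * -1 on allocation failure.
 */
int stale_pointer_after_grow(void)
{
    struct outbuf out = { NULL, 0 };
    if (grow_buffer(&out))
        return -1;
    struct dx_entry *root = entry_at(&out, 8);      /* constructed offset */
    root->hash = 0x12345678u;
    uintptr_t kept = (uintptr_t)root;               /* value held across the call */
    if (grow_buffer(&out)) { free(out.buf); return -1; }
    int stale = !in_live_buffer(&out, kept);
    free(out.buf);
    return stale;
}

/*
 * The fixed pattern, as in the patch: save delta = ptr - buf, make the call
 * that may reallocate, then recompute ptr = buf + delta. Returns the hash read
 * back through the recomputed pointer (0 on allocation failure).
 */
uint32_t hash_after_grow_fixed(void)
{
    struct outbuf out = { NULL, 0 };
    if (grow_buffer(&out))
        return 0;
    struct dx_entry *root = entry_at(&out, 8);      /* constructed offset */
    root->hash = 0x12345678u;
    size_t delta = (size_t)((char *)root - out.buf); /* like delta2 in the patch */
    if (grow_buffer(&out)) { free(out.buf); return 0; }
    root = entry_at(&out, delta);                   /* re-derive from new base */
    uint32_t h = root->hash;
    free(out.buf);
    return h;
}
```

`in_live_buffer` is the kind of check worth keeping under a debug build wherever a pointer into `outdir->buf` is used after a call that can grow it: it turns a silent stale read into a failed assertion at the point of use rather than a crash somewhere later.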