From: Tadeusz Struk
To: Ira Weiny
Cc: tytso@mit.edu, Andreas Dilger, Ritesh Harjani, linux-ext4@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] ext4: check if offset+length is valid in fallocate
Date: Tue, 22 Mar 2022 10:42:27 -0700
References: <20220315215439.269122-1-tadeusz.struk@linaro.org>
Hi Ira,

On 3/22/22 09:37, Ira Weiny wrote:
> On Tue, Mar 15, 2022 at 02:54:39PM -0700, Tadeusz Struk wrote:
>> Syzbot found an issue [1] in ext4_fallocate().
>> The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
>> and offset 0x1000000ul, which, when added together, exceed the disk size,
>> and trigger a BUG in ext4_ind_remove_space() [3].
>> According to the comment doc in ext4_ind_remove_space() the 'end' block
>> parameter needs to be one block after the last block to remove.
>> In the case when the BUG is triggered it points to the last block on
>> a 4GB virtual disk image. This is calculated in
>> ext4_ind_remove_space() in [4].
>> This patch adds a check that ensures the length + offset are
>> within the valid range and returns -ENOSPC error code in case
>> it is invalid.
>
> Why is the check in vfs_fallocate() not working for this?
>
> https://elixir.bootlin.com/linux/v5.17-rc8/source/fs/open.c#L300

Good question. From reading the comment:
https://elixir.bootlin.com/linux/v5.17/source/fs/ext4/file.c#L225
it is possible that, for the bitmap-format, the limit might be smaller
than the s_maxbytes. But even for an extent-mapped file the offset+len
needs to be within the first to last-1 block range for
fallocate(fd, FALLOC_FL_PUNCH_HOLE, ...)
If it points to the last one then it is invalid, no?
The check you pointed to in vfs code checks if offset+len goes beyond
maximal file size.

> Also why do other file systems not fail? Is it because ext4 is special due to
> the end block needing to be one block after the last. That seems to imply the
> last block can't be used or there is some off by one issue somewhere?

According to the comment in
https://elixir.bootlin.com/linux/v5.17/source/fs/ext4/indirect.c#L1214
it has to be one block after the last to be removed.
--
Thanks,
Tadeusz
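As an added illustration (this is not code from the thread, the patch, or the kernel), a user-space C model of the two layers of range validation the reply discusses: a vfs_fallocate()-style check against the maximum file size, and the per-device check on the exclusive end block that the patch description calls for. The model assumes a 4 KiB block size, a 16 TiB s_maxbytes for the vfs layer, and an end-block cutoff at the device's block count; those values are the model's assumptions, not ext4's exact rules.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the device: 4 GiB image, 4 KiB blocks (assumed). */
#define BLOCK_BITS   12ULL
#define DISK_BYTES   (4ULL << 30)
#define DISK_BLOCKS  (DISK_BYTES >> BLOCK_BITS)

/*
 * Model of the two layers of range validation discussed in the thread.
 * Layer 1 is modelled on the vfs_fallocate() check: non-negative offset,
 * positive length, no overflow on offset+len, offset+len within max_bytes
 * (the filesystem's s_maxbytes).  Layer 2 is what the patch adds: the
 * exclusive end block (one after the last block to remove) must still lie
 * on the device, otherwise -ENOSPC.  Returns 0 or a negative errno.
 */
int check_fallocate_range(int64_t offset, int64_t len, uint64_t max_bytes,
                          uint64_t *start_blk, uint64_t *end_blk)
{
    int64_t end;

    if (offset < 0 || len <= 0)
        return -EINVAL;
    /* Signed overflow would wrap to a small, seemingly valid end offset. */
    if (__builtin_add_overflow(offset, len, &end))
        return -EFBIG;
    if ((uint64_t)end > max_bytes)
        return -EFBIG;

    *start_blk = (uint64_t)offset >> BLOCK_BITS;
    /* Round up: the end block is exclusive, one past the last removed. */
    *end_blk = ((uint64_t)end + (1ULL << BLOCK_BITS) - 1) >> BLOCK_BITS;
    /* The reproducer passes layer 1 (its end is below a 16 TiB s_maxbytes)
       but lands far beyond the last block of a 4 GiB image. */
    if (*end_blk > DISK_BLOCKS)
        return -ENOSPC;
    return 0;
}

int main(void)
{
    uint64_t s, e;
    /* Values from the syzbot reproducer quoted in the thread. */
    int rc = check_fallocate_range(0x1000000LL, 0xffeffeff000LL,
                                   1ULL << 44, &s, &e);
    printf("reproducer range -> rc=%d (-ENOSPC is %d)\n", rc, -ENOSPC);
    return 0;
}
```

The reproducer's offset+len stays under the 16 TiB ceiling, which is why the vfs layer alone does not reject it; only the device-relative end-block check does.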