Re: [PATCH v5] f2fs: fix to avoid accessing xattr across the boundary

From: Chao Yu
Date: Thu Apr 11 2019 - 22:08:41 EST

Next message: Joel Fernandes: "Re: [PATCH] module: Make srcu_struct ptr array as read-only"
Previous message: Benjamin Herrenschmidt: "Re: [PATCH v2 01/21] docs/memory-barriers.txt: Rewrite "KERNEL I/O BARRIER EFFECTS" section"
In reply to: Randall Huang: "[PATCH v5] f2fs: fix to avoid accessing xattr across the boundary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2019/4/11 16:26, Randall Huang wrote:
> When we traverse xattr entries via __find_xattr(),
> if the raw filesystem content is faked or any hardware failure occurs,
> out-of-bound error can be detected by KASAN.
> Fix the issue by introducing boundary check.
>
> [ 38.402878] c7 1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
> [ 38.402891] c7 1827 Read of size 4 at addr ffffffc0b6fb35dc by task
> [ 38.402935] c7 1827 Call trace:
> [ 38.402952] c7 1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
> [ 38.402966] c7 1827 [<ffffff9008090030>] show_stack+0x20/0x2c
> [ 38.402981] c7 1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
> [ 38.402995] c7 1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
> [ 38.403009] c7 1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
> [ 38.403022] c7 1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
> [ 38.403037] c7 1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
> [ 38.403051] c7 1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
> [ 38.403066] c7 1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
> [ 38.403080] c7 1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
> [ 38.403096] c7 1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
> [ 38.403109] c7 1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
> [ 38.403123] c7 1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
> [ 38.403136] c7 1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
> [ 38.403149] c7 1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
> [ 38.403163] c7 1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
> [ 38.403177] c7 1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
> [ 38.403190] c7 1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
> [ 38.403203] c7 1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
> [ 38.403216] c7 1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
> [ 38.403229] c7 1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
> [ 38.403241] c7 1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
>
> Bug: 126558260
>
> Signed-off-by: Randall Huang <huangrandall@xxxxxxxxxx>

Looks good to me now. :)

Reviewed-by: Chao Yu <yuchao0@xxxxxxxxxx>

> + unsigned int xattr_nid_size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;

Nitpick, xnode_size or xattr_node_size will be better than xattr_nid_size?

Maybe Jaegeuk can help to change this when merging this patch, no new version
patch needed.

Thanks,

Next message: Joel Fernandes: "Re: [PATCH] module: Make srcu_struct ptr array as read-only"
Previous message: Benjamin Herrenschmidt: "Re: [PATCH v2 01/21] docs/memory-barriers.txt: Rewrite "KERNEL I/O BARRIER EFFECTS" section"
In reply to: Randall Huang: "[PATCH v5] f2fs: fix to avoid accessing xattr across the boundary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]