Re: [PATCH] btrfs: fix out of bounds array access while reading extent buffer

From: Qu Wenruo
Date: Fri Jun 14 2019 - 09:57:53 EST

Next message: Florian Weimer: "Re: [PATCH 1/5] glibc: Perform rseq(2) registration at C startup and thread creation (v10)"
Previous message: Thomas Gleixner: "Re: [PATCHv4 09/28] timens: Shift /proc/uptime"
In reply to: Young Xiao: "[PATCH] btrfs: fix out of bounds array access while reading extent buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2019/6/14 äå7:51, Young Xiao wrote:
> There is a corner case that slips through the checkers in functions
> reading extent buffer, ie.
>
> if (start < eb->len) and (start + len > eb->len), then:
> the checkers in read_extent_buffer_to_user(), and memcmp_extent_buffer()
> WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len),
> both are OK in this corner case, but it'd actually try to access the eb->pages
> out of bounds because of (start + len > eb->len).
>
> This is adding proper checks in order to avoid invalid memory access,
> ie. 'general protection fault', before it's too late.
>
> See commit f716abd55d1e ("Btrfs: fix out of bounds array access while
> reading extent buffer") for details.
>
> Signed-off-by: Young Xiao <92siuyang@xxxxxxxxx>
> ---
> fs/btrfs/extent_io.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index db337e5..dcf3b2e 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5476,8 +5476,12 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
The original (start + len > eb->start + eb->len) check is so wrong from
the very beginning. eb->start makes no sense in the context.
So your patch makes sense.

But it's not 100% fixed.

If @start and @len overflow u64, e.g @start = 1 << 63 + 8k, @len = 1<<
63 + 8K. it can still skip the check.

So, we still need to check @start against eb->len, then @start + @len
against eb->len.

Also, shouldn't we include the equal case for @start? (although start +
len == eb->len should be OK)

> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(dst, 0, len);

I'd prefer not to do the memset, as @start and @len is already wrong, I
doubt the @dst could be completely some wild pointer, and set them could
easily screw up the whole kernel.

Thanks,
Qu

> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5554,8 +5558,12 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (start + len > eb->len) {
> + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> + eb->start, eb->len, start, len);
> + memset(ptr, 0, len);
> + return;
> + }
>
> offset = offset_in_page(start_offset + start);
>
>

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Florian Weimer: "Re: [PATCH 1/5] glibc: Perform rseq(2) registration at C startup and thread creation (v10)"
Previous message: Thomas Gleixner: "Re: [PATCHv4 09/28] timens: Shift /proc/uptime"
In reply to: Young Xiao: "[PATCH] btrfs: fix out of bounds array access while reading extent buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]