]>
Commit | Line | Data |
---|---|---|
13e8e92f GKH |
1 | From foo@baz Mon Sep 17 12:22:41 CEST 2018 |
2 | From: Chao Yu <yuchao0@huawei.com> | |
3 | Date: Sat, 30 Jun 2018 18:13:40 +0800 | |
4 | Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode | |
5 | ||
6 | From: Chao Yu <yuchao0@huawei.com> | |
7 | ||
8 | [ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ] | |
9 | ||
10 | As Wen Xu reported in bugzilla, after image was injected with random data | |
11 | by fuzzing, inline inode would contain invalid reserved blkaddr, then | |
12 | during inline conversion, we will encounter illegal memory accessing | |
13 | reported by KASAN, the root cause of this is when writing out converted | |
14 | inline page, we will use invalid reserved blkaddr to update sit bitmap, | |
15 | result in accessing memory beyond sit bitmap boundary. | |
16 | ||
17 | In order to fix this issue, let's do sanity check with reserved block | |
18 | address of inline inode to avoid above condition. | |
19 | ||
20 | https://bugzilla.kernel.org/show_bug.cgi?id=200179 | |
21 | ||
22 | [ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0 | |
23 | [ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741 | |
24 | ||
25 | [ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1 | |
26 | [ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 | |
27 | [ 1428.846860] Call Trace: | |
28 | [ 1428.846868] dump_stack+0x71/0xab | |
29 | [ 1428.846875] print_address_description+0x6b/0x290 | |
30 | [ 1428.846881] kasan_report+0x28e/0x390 | |
31 | [ 1428.846888] ? update_sit_entry+0x80/0x7f0 | |
32 | [ 1428.846898] update_sit_entry+0x80/0x7f0 | |
33 | [ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70 | |
34 | [ 1428.846914] ? f2fs_get_node_info+0x14f/0x590 | |
35 | [ 1428.846920] do_write_page+0xc8/0x150 | |
36 | [ 1428.846928] f2fs_outplace_write_data+0xfe/0x210 | |
37 | [ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170 | |
38 | [ 1428.846941] ? radix_tree_tag_clear+0xff/0x130 | |
39 | [ 1428.846946] ? __mod_node_page_state+0x22/0xa0 | |
40 | [ 1428.846951] ? inc_zone_page_state+0x54/0x100 | |
41 | [ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0 | |
42 | [ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0 | |
43 | [ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0 | |
44 | [ 1428.846978] ? __get_node_page+0x335/0x6b0 | |
45 | [ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500 | |
46 | [ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0 | |
47 | [ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40 | |
48 | [ 1428.847005] ? kasan_kmalloc+0xa6/0xd0 | |
49 | [ 1428.847024] f2fs_file_mmap+0x79/0xc0 | |
50 | [ 1428.847029] mmap_region+0x58b/0x880 | |
51 | [ 1428.847037] ? arch_get_unmapped_area+0x370/0x370 | |
52 | [ 1428.847042] do_mmap+0x55b/0x7a0 | |
53 | [ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0 | |
54 | [ 1428.847055] ? vma_is_stack_for_current+0x50/0x50 | |
55 | [ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160 | |
56 | [ 1428.847068] ? do_sys_open+0x206/0x2a0 | |
57 | [ 1428.847073] ? __fget+0xb4/0x100 | |
58 | [ 1428.847079] ksys_mmap_pgoff+0x278/0x360 | |
59 | [ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50 | |
60 | [ 1428.847091] do_syscall_64+0x73/0x160 | |
61 | [ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
62 | [ 1428.847102] RIP: 0033:0x7fb1430766ba | |
63 | [ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 | |
64 | [ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 | |
65 | [ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba | |
66 | [ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000 | |
67 | [ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000 | |
68 | [ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000 | |
69 | [ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000 | |
70 | ||
71 | [ 1428.847252] Allocated by task 2683: | |
72 | [ 1428.847372] kasan_kmalloc+0xa6/0xd0 | |
73 | [ 1428.847380] kmem_cache_alloc+0xc8/0x1e0 | |
74 | [ 1428.847385] getname_flags+0x73/0x2b0 | |
75 | [ 1428.847390] user_path_at_empty+0x1d/0x40 | |
76 | [ 1428.847395] vfs_statx+0xc1/0x150 | |
77 | [ 1428.847401] __do_sys_newlstat+0x7e/0xd0 | |
78 | [ 1428.847405] do_syscall_64+0x73/0x160 | |
79 | [ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
80 | ||
81 | [ 1428.847466] Freed by task 2683: | |
82 | [ 1428.847566] __kasan_slab_free+0x137/0x190 | |
83 | [ 1428.847571] kmem_cache_free+0x85/0x1e0 | |
84 | [ 1428.847575] filename_lookup+0x191/0x280 | |
85 | [ 1428.847580] vfs_statx+0xc1/0x150 | |
86 | [ 1428.847585] __do_sys_newlstat+0x7e/0xd0 | |
87 | [ 1428.847590] do_syscall_64+0x73/0x160 | |
88 | [ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9 | |
89 | ||
90 | [ 1428.847648] The buggy address belongs to the object at ffff880194483300 | |
91 | which belongs to the cache names_cache of size 4096 | |
92 | [ 1428.847946] The buggy address is located 576 bytes inside of | |
93 | 4096-byte region [ffff880194483300, ffff880194484300) | |
94 | [ 1428.848234] The buggy address belongs to the page: | |
95 | [ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0 | |
96 | [ 1428.848606] flags: 0x17fff8000008100(slab|head) | |
97 | [ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380 | |
98 | [ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 | |
99 | [ 1428.849122] page dumped because: kasan: bad access detected | |
100 | ||
101 | [ 1428.849305] Memory state around the buggy address: | |
102 | [ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
103 | [ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
104 | [ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
105 | [ 1428.849985] ^ | |
106 | [ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
107 | [ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
108 | [ 1428.850498] ================================================================== | |
109 | ||
110 | Reported-by: Wen Xu <wen.xu@gatech.edu> | |
111 | Signed-off-by: Chao Yu <yuchao0@huawei.com> | |
112 | Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> | |
113 | Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> | |
114 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
115 | --- | |
116 | fs/f2fs/inline.c | 21 +++++++++++++++++++++ | |
117 | 1 file changed, 21 insertions(+) | |
118 | ||
119 | --- a/fs/f2fs/inline.c | |
120 | +++ b/fs/f2fs/inline.c | |
121 | @@ -124,6 +124,16 @@ int f2fs_convert_inline_page(struct dnod | |
122 | if (err) | |
123 | return err; | |
124 | ||
125 | + if (unlikely(dn->data_blkaddr != NEW_ADDR)) { | |
126 | + f2fs_put_dnode(dn); | |
127 | + set_sbi_flag(fio.sbi, SBI_NEED_FSCK); | |
128 | + f2fs_msg(fio.sbi->sb, KERN_WARNING, | |
129 | + "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " | |
130 | + "run fsck to fix.", | |
131 | + __func__, dn->inode->i_ino, dn->data_blkaddr); | |
132 | + return -EINVAL; | |
133 | + } | |
134 | + | |
135 | f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page)); | |
136 | ||
137 | read_inline_data(page, dn->inode_page); | |
138 | @@ -351,6 +361,17 @@ static int f2fs_move_inline_dirents(stru | |
139 | if (err) | |
140 | goto out; | |
141 | ||
142 | + if (unlikely(dn.data_blkaddr != NEW_ADDR)) { | |
143 | + f2fs_put_dnode(&dn); | |
144 | + set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK); | |
145 | + f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING, | |
146 | + "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " | |
147 | + "run fsck to fix.", | |
148 | + __func__, dir->i_ino, dn.data_blkaddr); | |
149 | + err = -EINVAL; | |
150 | + goto out; | |
151 | + } | |
152 | + | |
153 | f2fs_wait_on_page_writeback(page, DATA, true); | |
154 | zero_user_segment(page, MAX_INLINE_DATA, PAGE_SIZE); | |
155 |