[thirdparty/kernel/stable-queue.git] / releases / 4.9.128 / f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch

From foo@baz Mon Sep 17 12:22:41 CEST 2018
From: Chao Yu <yuchao0@huawei.com>
Date: Sat, 30 Jun 2018 18:13:40 +0800
Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode

From: Chao Yu <yuchao0@huawei.com>

[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ]

As Wen Xu reported in bugzilla, after image was injected with random data
by fuzzing, inline inode would contain invalid reserved blkaddr, then
during inline conversion, we will encounter illegal memory accessing
reported by KASAN, the root cause of this is when writing out converted
inline page, we will use invalid reserved blkaddr to update sit bitmap,
result in accessing memory beyond sit bitmap boundary.

In order to fix this issue, let's do sanity check with reserved block
address of inline inode to avoid above condition.

https://bugzilla.kernel.org/show_bug.cgi?id=200179

[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741

[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G        W         4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868]  dump_stack+0x71/0xab
[ 1428.846875]  print_address_description+0x6b/0x290
[ 1428.846881]  kasan_report+0x28e/0x390
[ 1428.846888]  ? update_sit_entry+0x80/0x7f0
[ 1428.846898]  update_sit_entry+0x80/0x7f0
[ 1428.846906]  f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914]  ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920]  do_write_page+0xc8/0x150
[ 1428.846928]  f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935]  ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941]  ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946]  ? __mod_node_page_state+0x22/0xa0
[ 1428.846951]  ? inc_zone_page_state+0x54/0x100
[ 1428.846956]  ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964]  f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971]  ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978]  ? __get_node_page+0x335/0x6b0
[ 1428.846987]  f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994]  ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000]  ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005]  ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024]  f2fs_file_mmap+0x79/0xc0
[ 1428.847029]  mmap_region+0x58b/0x880
[ 1428.847037]  ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042]  do_mmap+0x55b/0x7a0
[ 1428.847048]  vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055]  ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062]  ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068]  ? do_sys_open+0x206/0x2a0
[ 1428.847073]  ? __fget+0xb4/0x100
[ 1428.847079]  ksys_mmap_pgoff+0x278/0x360
[ 1428.847085]  ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091]  do_syscall_64+0x73/0x160
[ 1428.847098]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000

[ 1428.847252] Allocated by task 2683:
[ 1428.847372]  kasan_kmalloc+0xa6/0xd0
[ 1428.847380]  kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385]  getname_flags+0x73/0x2b0
[ 1428.847390]  user_path_at_empty+0x1d/0x40
[ 1428.847395]  vfs_statx+0xc1/0x150
[ 1428.847401]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847405]  do_syscall_64+0x73/0x160
[ 1428.847411]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847466] Freed by task 2683:
[ 1428.847566]  __kasan_slab_free+0x137/0x190
[ 1428.847571]  kmem_cache_free+0x85/0x1e0
[ 1428.847575]  filename_lookup+0x191/0x280
[ 1428.847580]  vfs_statx+0xc1/0x150
[ 1428.847585]  __do_sys_newlstat+0x7e/0xd0
[ 1428.847590]  do_syscall_64+0x73/0x160
[ 1428.847596]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847648] The buggy address belongs to the object at ffff880194483300
                which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
                4096-byte region [ffff880194483300, ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected

[ 1428.849305] Memory state around the buggy address:
[ 1428.849436]  ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620]  ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985]                                            ^
[ 1428.850120]  ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303]  ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/inline.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -124,6 +124,16 @@ int f2fs_convert_inline_page(struct dnod
 	if (err)
 		return err;
 
+	if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
+		f2fs_put_dnode(dn);
+		set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
+		f2fs_msg(fio.sbi->sb, KERN_WARNING,
+			"%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+			"run fsck to fix.",
+			__func__, dn->inode->i_ino, dn->data_blkaddr);
+		return -EINVAL;
+	}
+
 	f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
 
 	read_inline_data(page, dn->inode_page);
@@ -351,6 +361,17 @@ static int f2fs_move_inline_dirents(stru
 	if (err)
 		goto out;
 
+	if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
+		f2fs_put_dnode(&dn);
+		set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
+		f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
+			"%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+			"run fsck to fix.",
+			__func__, dir->i_ino, dn.data_blkaddr);
+		err = -EINVAL;
+		goto out;
+	}
+
 	f2fs_wait_on_page_writeback(page, DATA, true);
 	zero_user_segment(page, MAX_INLINE_DATA, PAGE_SIZE);
Commit	Line	Data
13e8e92f GKH	1	From foo@baz Mon Sep 17 12:22:41 CEST 2018
	2	From: Chao Yu <yuchao0@huawei.com>
	3	Date: Sat, 30 Jun 2018 18:13:40 +0800
	4	Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode
	5
	6	From: Chao Yu <yuchao0@huawei.com>
	7
	8	[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ]
	9
	10	As Wen Xu reported in bugzilla, after image was injected with random data
	11	by fuzzing, inline inode would contain invalid reserved blkaddr, then
	12	during inline conversion, we will encounter illegal memory accessing
	13	reported by KASAN, the root cause of this is when writing out converted
	14	inline page, we will use invalid reserved blkaddr to update sit bitmap,
	15	result in accessing memory beyond sit bitmap boundary.
	16
	17	In order to fix this issue, let's do sanity check with reserved block
	18	address of inline inode to avoid above condition.
	19
	20	https://bugzilla.kernel.org/show_bug.cgi?id=200179
	21
	22	[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
	23	[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741
	24
	25	[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
	26	[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
	27	[ 1428.846860] Call Trace:
	28	[ 1428.846868] dump_stack+0x71/0xab
	29	[ 1428.846875] print_address_description+0x6b/0x290
	30	[ 1428.846881] kasan_report+0x28e/0x390
	31	[ 1428.846888] ? update_sit_entry+0x80/0x7f0
	32	[ 1428.846898] update_sit_entry+0x80/0x7f0
	33	[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
	34	[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
	35	[ 1428.846920] do_write_page+0xc8/0x150
	36	[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
	37	[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
	38	[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
	39	[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
	40	[ 1428.846951] ? inc_zone_page_state+0x54/0x100
	41	[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
	42	[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
	43	[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
	44	[ 1428.846978] ? __get_node_page+0x335/0x6b0
	45	[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
	46	[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
	47	[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
	48	[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
	49	[ 1428.847024] f2fs_file_mmap+0x79/0xc0
	50	[ 1428.847029] mmap_region+0x58b/0x880
	51	[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
	52	[ 1428.847042] do_mmap+0x55b/0x7a0
	53	[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
	54	[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
	55	[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
	56	[ 1428.847068] ? do_sys_open+0x206/0x2a0
	57	[ 1428.847073] ? __fget+0xb4/0x100
	58	[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
	59	[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
	60	[ 1428.847091] do_syscall_64+0x73/0x160
	61	[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
	62	[ 1428.847102] RIP: 0033:0x7fb1430766ba
	63	[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
	64	[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
65	[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
66	[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
67	[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
68	[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
69	[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000
70
71	[ 1428.847252] Allocated by task 2683:
72	[ 1428.847372] kasan_kmalloc+0xa6/0xd0
73	[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
74	[ 1428.847385] getname_flags+0x73/0x2b0
75	[ 1428.847390] user_path_at_empty+0x1d/0x40
76	[ 1428.847395] vfs_statx+0xc1/0x150
77	[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
78	[ 1428.847405] do_syscall_64+0x73/0x160
79	[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
80
81	[ 1428.847466] Freed by task 2683:
82	[ 1428.847566] __kasan_slab_free+0x137/0x190
83	[ 1428.847571] kmem_cache_free+0x85/0x1e0
84	[ 1428.847575] filename_lookup+0x191/0x280
85	[ 1428.847580] vfs_statx+0xc1/0x150
86	[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
87	[ 1428.847590] do_syscall_64+0x73/0x160
88	[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9
89
90	[ 1428.847648] The buggy address belongs to the object at ffff880194483300
91	which belongs to the cache names_cache of size 4096
92	[ 1428.847946] The buggy address is located 576 bytes inside of
93	4096-byte region [ffff880194483300, ffff880194484300)
94	[ 1428.848234] The buggy address belongs to the page:
95	[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
96	[ 1428.848606] flags: 0x17fff8000008100(slab\|head)
97	[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
98	[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
99	[ 1428.849122] page dumped because: kasan: bad access detected
100
101	[ 1428.849305] Memory state around the buggy address:
102	[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
103	[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
104	[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
105	[ 1428.849985] ^
106	[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
107	[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
108	[ 1428.850498] ==================================================================
109
110	Reported-by: Wen Xu <wen.xu@gatech.edu>
111	Signed-off-by: Chao Yu <yuchao0@huawei.com>
112	Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
113	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
114	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
115	---
116	fs/f2fs/inline.c \| 21 +++++++++++++++++++++
117	1 file changed, 21 insertions(+)
118
119	--- a/fs/f2fs/inline.c
120	+++ b/fs/f2fs/inline.c
121	@@ -124,6 +124,16 @@ int f2fs_convert_inline_page(struct dnod
122	if (err)
123	return err;
124
125	+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
126	+ f2fs_put_dnode(dn);
127	+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
128	+ f2fs_msg(fio.sbi->sb, KERN_WARNING,
129	+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
130	+ "run fsck to fix.",
131	+ __func__, dn->inode->i_ino, dn->data_blkaddr);
132	+ return -EINVAL;
133	+ }
134	+
135	f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));
136
137	read_inline_data(page, dn->inode_page);
138	@@ -351,6 +361,17 @@ static int f2fs_move_inline_dirents(stru
139	if (err)
140	goto out;
141
142	+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
143	+ f2fs_put_dnode(&dn);
144	+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
145	+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
146	+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
147	+ "run fsck to fix.",
148	+ __func__, dir->i_ino, dn.data_blkaddr);
149	+ err = -EINVAL;
150	+ goto out;
151	+ }
152	+
153	f2fs_wait_on_page_writeback(page, DATA, true);
154	zero_user_segment(page, MAX_INLINE_DATA, PAGE_SIZE);
155