pending-4.19/f2fs-fix-to-avoid-accessing-xattr-across-the-boundar.patch

   1 From 551220c9cfa90499cd0ee031bb3f97f8ebf6b818 Mon Sep 17 00:00:00 2001
   2 From: Randall Huang <huangrandall@google.com>
   3 Date: Thu, 11 Apr 2019 16:26:46 +0800
   4 Subject: f2fs: fix to avoid accessing xattr across the boundary
   5
   6 [ Upstream commit 2777e654371dd4207a3a7f4fb5fa39550053a080 ]
   7
   8 When we traverse xattr entries via __find_xattr(),
   9 if the raw filesystem content is faked or any hardware failure occurs,
  10 out-of-bound error can be detected by KASAN.
  11 Fix the issue by introducing boundary check.
  12
  13 [   38.402878] c7   1827 BUG: KASAN: slab-out-of-bounds in f2fs_getxattr+0x518/0x68c
  14 [   38.402891] c7   1827 Read of size 4 at addr ffffffc0b6fb35dc by task
  15 [   38.402935] c7   1827 Call trace:
  16 [   38.402952] c7   1827 [<ffffff900809003c>] dump_backtrace+0x0/0x6bc
  17 [   38.402966] c7   1827 [<ffffff9008090030>] show_stack+0x20/0x2c
  18 [   38.402981] c7   1827 [<ffffff900871ab10>] dump_stack+0xfc/0x140
  19 [   38.402995] c7   1827 [<ffffff9008325c40>] print_address_description+0x80/0x2d8
  20 [   38.403009] c7   1827 [<ffffff900832629c>] kasan_report_error+0x198/0x1fc
  21 [   38.403022] c7   1827 [<ffffff9008326104>] kasan_report_error+0x0/0x1fc
  22 [   38.403037] c7   1827 [<ffffff9008325000>] __asan_load4+0x1b0/0x1b8
  23 [   38.403051] c7   1827 [<ffffff90085fcc44>] f2fs_getxattr+0x518/0x68c
  24 [   38.403066] c7   1827 [<ffffff90085fc508>] f2fs_xattr_generic_get+0xb0/0xd0
  25 [   38.403080] c7   1827 [<ffffff9008395708>] __vfs_getxattr+0x1f4/0x1fc
  26 [   38.403096] c7   1827 [<ffffff9008621bd0>] inode_doinit_with_dentry+0x360/0x938
  27 [   38.403109] c7   1827 [<ffffff900862d6cc>] selinux_d_instantiate+0x2c/0x38
  28 [   38.403123] c7   1827 [<ffffff900861b018>] security_d_instantiate+0x68/0x98
  29 [   38.403136] c7   1827 [<ffffff9008377db8>] d_splice_alias+0x58/0x348
  30 [   38.403149] c7   1827 [<ffffff900858d16c>] f2fs_lookup+0x608/0x774
  31 [   38.403163] c7   1827 [<ffffff900835eacc>] lookup_slow+0x1e0/0x2cc
  32 [   38.403177] c7   1827 [<ffffff9008367fe0>] walk_component+0x160/0x520
  33 [   38.403190] c7   1827 [<ffffff9008369ef4>] path_lookupat+0x110/0x2b4
  34 [   38.403203] c7   1827 [<ffffff900835dd38>] filename_lookup+0x1d8/0x3a8
  35 [   38.403216] c7   1827 [<ffffff900835eeb0>] user_path_at_empty+0x54/0x68
  36 [   38.403229] c7   1827 [<ffffff9008395f44>] SyS_getxattr+0xb4/0x18c
  37 [   38.403241] c7   1827 [<ffffff9008084200>] el0_svc_naked+0x34/0x38
  38
  39 Signed-off-by: Randall Huang <huangrandall@google.com>
  40 [Jaegeuk Kim: Fix wrong ending boundary]
  41 Reviewed-by: Chao Yu <yuchao0@huawei.com>
  42 Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
  43 Signed-off-by: Sasha Levin <sashal@kernel.org>
  44 ---
  45  fs/f2fs/xattr.c | 36 +++++++++++++++++++++++++++---------
  46  fs/f2fs/xattr.h |  2 ++
  47  2 files changed, 29 insertions(+), 9 deletions(-)
  48
  49 diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
  50 index 409a637f7a92..88e30f7cf9e1 100644
  51 --- a/fs/f2fs/xattr.c
  52 +++ b/fs/f2fs/xattr.c
  53 @@ -205,12 +205,17 @@ static inline const struct xattr_handler *f2fs_xattr_handler(int index)
  54         return handler;
  55  }
  56
  57 -static struct f2fs_xattr_entry *__find_xattr(void *base_addr, int index,
  58 -                                       size_t len, const char *name)
  59 +static struct f2fs_xattr_entry *__find_xattr(void *base_addr,
  60 +                               void *last_base_addr, int index,
  61 +                               size_t len, const char *name)
  62  {
  63         struct f2fs_xattr_entry *entry;
  64
  65         list_for_each_xattr(entry, base_addr) {
  66 +               if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
  67 +                       (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr)
  68 +                       return NULL;
  69 +
  70                 if (entry->e_name_index != index)
  71                         continue;
  72                 if (entry->e_name_len != len)
  73 @@ -300,20 +305,22 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
  74                                 const char *name, struct f2fs_xattr_entry **xe,
  75                                 void **base_addr, int *base_size)
  76  {
  77 -       void *cur_addr, *txattr_addr, *last_addr = NULL;
  78 +       void *cur_addr, *txattr_addr, *last_txattr_addr;
  79 +       void *last_addr = NULL;
  80         nid_t xnid = F2FS_I(inode)->i_xattr_nid;
  81 -       unsigned int size = xnid ? VALID_XATTR_BLOCK_SIZE : 0;
  82         unsigned int inline_size = inline_xattr_size(inode);
  83         int err = 0;
  84
  85 -       if (!size && !inline_size)
  86 +       if (!xnid && !inline_size)
  87                 return -ENODATA;
  88
  89 -       *base_size = inline_size + size + XATTR_PADDING_SIZE;
  90 +       *base_size = XATTR_SIZE(xnid, inode) + XATTR_PADDING_SIZE;
  91         txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS);
  92         if (!txattr_addr)
  93                 return -ENOMEM;
  94
  95 +       last_txattr_addr = (void *)txattr_addr + XATTR_SIZE(xnid, inode);
  96 +
  97         /* read from inline xattr */
  98         if (inline_size) {
  99                 err = read_inline_xattr(inode, ipage, txattr_addr);
 100 @@ -340,7 +347,11 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
 101         else
 102                 cur_addr = txattr_addr;
 103
 104 -       *xe = __find_xattr(cur_addr, index, len, name);
 105 +       *xe = __find_xattr(cur_addr, last_txattr_addr, index, len, name);
 106 +       if (!*xe) {
 107 +               err = -EFAULT;
 108 +               goto out;
 109 +       }
 110  check:
 111         if (IS_XATTR_LAST_ENTRY(*xe)) {
 112                 err = -ENODATA;
 113 @@ -584,7 +595,8 @@ static int __f2fs_setxattr(struct inode *inode, int index,
 114                         struct page *ipage, int flags)
 115  {
 116         struct f2fs_xattr_entry *here, *last;
 117 -       void *base_addr;
 118 +       void *base_addr, *last_base_addr;
 119 +       nid_t xnid = F2FS_I(inode)->i_xattr_nid;
 120         int found, newsize;
 121         size_t len;
 122         __u32 new_hsize;
 123 @@ -608,8 +620,14 @@ static int __f2fs_setxattr(struct inode *inode, int index,
 124         if (error)
 125                 return error;
 126
 127 +       last_base_addr = (void *)base_addr + XATTR_SIZE(xnid, inode);
 128 +
 129         /* find entry with wanted name. */
 130 -       here = __find_xattr(base_addr, index, len, name);
 131 +       here = __find_xattr(base_addr, last_base_addr, index, len, name);
 132 +       if (!here) {
 133 +               error = -EFAULT;
 134 +               goto exit;
 135 +       }
 136
 137         found = IS_XATTR_LAST_ENTRY(here) ? 0 : 1;
 138
 139 diff --git a/fs/f2fs/xattr.h b/fs/f2fs/xattr.h
 140 index dbcd1d16e669..2a4ecaf338ea 100644
 141 --- a/fs/f2fs/xattr.h
 142 +++ b/fs/f2fs/xattr.h
 143 @@ -74,6 +74,8 @@ struct f2fs_xattr_entry {
 144                                 entry = XATTR_NEXT_ENTRY(entry))
 145  #define VALID_XATTR_BLOCK_SIZE (PAGE_SIZE - sizeof(struct node_footer))
 146  #define XATTR_PADDING_SIZE     (sizeof(__u32))
 147 +#define XATTR_SIZE(x,i)                (((x) ? VALID_XATTR_BLOCK_SIZE : 0) +   \
 148 +                                               (inline_xattr_size(i)))
 149  #define MIN_OFFSET(i)          XATTR_ALIGN(inline_xattr_size(i) +      \
 150                                                 VALID_XATTR_BLOCK_SIZE)
 151
 152 --
 153 2.20.1
 154