| Message ID | 20230613032254.1235752-1-haowenchao2@huawei.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp2626261vqr;
Mon, 12 Jun 2023 07:24:55 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ5d34w+xKbr+MXSIx2Vq8U5wzcGEP/fSBMOoQZCHhRoZyghyNm1IqPXcTtLyvk7O5axKWN2
X-Received: by 2002:a17:902:7243:b0:1b1:d0b2:b9b3 with SMTP id
c3-20020a170902724300b001b1d0b2b9b3mr6737768pll.23.1686579895450;
Mon, 12 Jun 2023 07:24:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1686579895; cv=none;
d=google.com; s=arc-20160816;
b=aYpWEwROZWNZmpGgOQM2uVj64hNlkGgpKyaOylkcTiB4gOXYOpqNgrnGAy3FIUdK1D
lZwK1kAWX/ID+tVzpv/hyqNSKt4P/HrZ4ikFbGtzvBo/WExb59nFCPoPBKO9cooYIeJ7
kJmPCuI43ciLfOYkg48DczRA48vynuo6KWf8PeeSG+P1Hxu5ycKUimsCQ/XEANyGX7em
gP/wL6WbnuXo3DXQn9WlHrXnYvd41rCEkiA96YrjxrjTR7Sb73xFrZA5wBSugx9aSna+
3+fRP1YXZuOXLmJ29G5oh3Wm1WTogrnlTW7Nekjie5itzenWr+hmJTQLcdp4/Cm5PAAK
v1jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=kiOVnfII61NsSijUK3unba79CVgA4wPzhdfxZhW7XZ4=;
b=Fra8KYkXkxG/02Tb5TKYVRMdEdyebELdt73miCxiuJx42lJZ5QIZtemLsGaa95ZLKn
TSSiROunbLckZZ1/nZvIm8DpLRm4IE3GT4VHXaqKSlUfECUmLr3qZnBzP2xuE83GTubr
92fg3PG1wTwWpdC03pRYT7ty4px3sfUEa+1Natu6xSPVjTNAuoxuG1jF4OiWrJbpOnJB
dZCZfyAHMseYgXsXQ7pCgazaHqPlu1MR/kscuEMh43wAHLd7rnWs6ypSNkyvtVVc97Kn
PJVavTnvKlJy6Yd89smfRUG16juBrqxfLuWLGvZCoYrhzkVppJk8Ct9A2naDMd1k0zzv
lL3g==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
j15-20020a170902da8f00b001aaeed1a0e3si1347220plx.487.2023.06.12.07.24.43;
Mon, 12 Jun 2023 07:24:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S236088AbjFLOBF (ORCPT <rfc822;rust.linux@gmail.com> + 99 others);
Mon, 12 Jun 2023 10:01:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47088 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S236158AbjFLOA5 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 12 Jun 2023 10:00:57 -0400
Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E78210D3
for <linux-kernel@vger.kernel.org>;
Mon, 12 Jun 2023 07:00:53 -0700 (PDT)
Received: from kwepemm600012.china.huawei.com (unknown [172.30.72.55])
by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4QftWK1SPcz18Lc7;
Mon, 12 Jun 2023 21:55:57 +0800 (CST)
Received: from build.huawei.com (10.175.101.6) by
kwepemm600012.china.huawei.com (7.193.23.74) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2507.23; Mon, 12 Jun 2023 22:00:51 +0800
From: Wenchao Hao <haowenchao2@huawei.com>
To: Jan Kara <jack@suse.com>, <linux-kernel@vger.kernel.org>
CC: <linfeilong@huawei.com>, Wenchao Hao <haowenchao2@huawei.com>
Subject: [PATCH 0/2] Fix out-of-bound access if pagecache of udf device is
corrupted
Date: Tue, 13 Jun 2023 11:22:52 +0800
Message-ID: <20230613032254.1235752-1-haowenchao2@huawei.com>
X-Mailer: git-send-email 2.32.0
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
kwepemm600012.china.huawei.com (7.193.23.74)
X-CFilter-Loop: Reflected
X-Spam-Status: No,
score=-1.0 required=5.0 tests=BAYES_00,DATE_IN_FUTURE_12_24,
RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1768507200676153585?=
X-GMAIL-MSGID: =?utf-8?q?1768507200676153585?=
|
| Series |
Fix out-of-bound access if pagecache of udf device is corrupted
|
|
Message
Wenchao Hao
June 13, 2023, 3:22 a.m. UTC
Following steps would cause out-of-bound access and even cause kernel panic when using udf: dd if=/dev/zero of=udf.img bs=1M count=512 mkfs.udf udf.img mount -o loop -t udf udf.img /mnt dd if=/dev/random of=/dev/loop0 bs=512 count=1 seek=128 umount /mnt [if /mnt is mounted on /dev/loop0] It is because we did not check if udf_sb_info->s_lvid_bh is valid in udf_sb_lvidiu(). Although it's illegal to write backend device since filesystem has been mounted, but we should avoid kernel panic if it happened. The first patch add a helper function to check if the data is valid. The second patch just call the helper function, if check failed, return NULL from udf_sb_lvidiu() Wenchao Hao (2): udf: add helper function udf_check_tagged_bh to check tagged page udf:check if buffer head's data when getting lvidiu fs/udf/misc.c | 60 ++++++++++++++++++++++++++++-------------------- fs/udf/super.c | 2 ++ fs/udf/udfdecl.h | 1 + 3 files changed, 38 insertions(+), 25 deletions(-)
Comments
On Tue 13-06-23 11:22:52, Wenchao Hao wrote: > Following steps would cause out-of-bound access and even cause kernel > panic when using udf: > > dd if=/dev/zero of=udf.img bs=1M count=512 > mkfs.udf udf.img > mount -o loop -t udf udf.img /mnt > dd if=/dev/random of=/dev/loop0 bs=512 count=1 seek=128 > umount /mnt > > [if /mnt is mounted on /dev/loop0] > > It is because we did not check if udf_sb_info->s_lvid_bh is valid in > udf_sb_lvidiu(). > > Although it's illegal to write backend device since filesystem has been > mounted, but we should avoid kernel panic if it happened. No, it is perfectly valid to crash the kernel if someone writes the buffer cache of the device while the device is mounted (which your example above does). There is no practical protection against this because someone could overwrite the buffer just after the moment you verify its validity. The only protection would be to lock the buffer for each access and fully verify validity of the data after each locking but the performance and maintenance overhead of this is too high to justify. So I'm sorry but I will not take any patches that try to "fix" situations when someone writes buffer cache while the filesystem is mounted. I guess your work is motivated by some syzbot reproducer which was doing this. Let me work on a kernel option which syzbot can use to not report these issues. Honza
On 2023/6/12 22:40, Jan Kara wrote: > On Tue 13-06-23 11:22:52, Wenchao Hao wrote: >> Following steps would cause out-of-bound access and even cause kernel >> panic when using udf: >> >> dd if=/dev/zero of=udf.img bs=1M count=512 >> mkfs.udf udf.img >> mount -o loop -t udf udf.img /mnt >> dd if=/dev/random of=/dev/loop0 bs=512 count=1 seek=128 >> umount /mnt >> >> [if /mnt is mounted on /dev/loop0] >> >> It is because we did not check if udf_sb_info->s_lvid_bh is valid in >> udf_sb_lvidiu(). >> >> Although it's illegal to write backend device since filesystem has been >> mounted, but we should avoid kernel panic if it happened. > > No, it is perfectly valid to crash the kernel if someone writes the buffer > cache of the device while the device is mounted (which your example above > does). There is no practical protection against this because someone could > overwrite the buffer just after the moment you verify its validity. The > only protection would be to lock the buffer for each access and fully > verify validity of the data after each locking but the performance and > maintenance overhead of this is too high to justify. So I'm sorry but I > will not take any patches that try to "fix" situations when someone writes > buffer cache while the filesystem is mounted. > > I guess your work is motivated by some syzbot reproducer which was doing > this. Let me work on a kernel option which syzbot can use to not report > these issues. > > > Honza Yes, the issue is discovered by syzbot. Looking forward you patches.