From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: linux-xfs@vger.kernel.org, Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH] xfs: prevent creating negative-sized file via INSERT_RANGE
Date: Mon, 16 Apr 2018 17:52:18 -0700
Message-ID: <20180417005218.GC5203@magnolia>
In-Reply-To: <20180416204630.177682-1-ebiggers3@gmail.com>

On Mon, Apr 16, 2018 at 01:46:30PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> During the "insert range" fallocate operation, i_size grows by the
> specified 'len' bytes.  XFS verifies that i_size + len < s_maxbytes, as
> it should.  But this comparison is done using the signed 'loff_t', and
> 'i_size + len' can wrap around to a negative value, causing the check to

Hmm.  Looking at that closer, i_size_read returns loff_t, which means
that when your generic/484 test runs, it ends up doing:

if ((loff_t)9223372036854771712 + (loff_t)8192 < (loff_t)9223372036854775807)

This is a signed addition that overflows the long long int, I think.

Yes, it does; the UBSAN checker complains:

================================================================================
UBSAN: Undefined behaviour in fs/xfs/xfs_file.c:783:12
signed integer overflow:
9223372036854771712 + 8192 cannot be represented in type 'long long int'
CPU: 1 PID: 11277 Comm: xfs_io Not tainted 4.17.0-rc1-xfsx #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
Call Trace:
 dump_stack+0x7c/0xbb
 ubsan_epilogue+0x9/0x40
 handle_overflow+0xc7/0xf0
 ? xfs_ilock+0x2ae/0x450 [xfs]
 xfs_file_fallocate+0x41d/0x4e0 [xfs]
 vfs_fallocate+0x132/0x250
 ksys_fallocate+0x3c/0x70
 __x64_sys_fallocate+0x1a/0x20
 do_syscall_64+0x56/0x180
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f38f4a4d2cf
RSP: 002b:00007ffe289615c0 EFLAGS: 00000293 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f38f4a4d2cf
RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000003
RBP: 0000000000000020 R08: 0000000000000000 R09: 1999999999999999
R10: 0000000000002000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000002000 R14: 00000000012bcbd0 R15: 00000000012bc3e0
================================================================================

So I think we can't rely on the addition working properly and this code
has to be rearranged to use subtraction:

loff_t		isize;

isize = i_size_read(inode);

/*
 * New inode size must not exceed ->s_maxbytes, accounting for
 * possible signed overflow.
 */
if (inode->i_sb->s_maxbytes - isize < len) {
	error = -EFBIG;
	goto out_unlock;
}

if (offset & blksize_mask || len & blksize_mask) {
	error = -EINVAL;
	goto out_unlock;
}

new_size = isize + len;

I think?  Integer wrap always ties my brain in knots.

--D

> incorrectly pass, resulting in an inode with "negative" i_size.  This is
> possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
> ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
> 
> Fix it by doing an unsigned comparison instead.
> 
> Reproducer:
>     xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
> 
> Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
> Cc: <stable@vger.kernel.org> # v4.1+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/xfs/xfs_file.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> index 299aee4b7b0b..56a820efeb2a 100644
> --- a/fs/xfs/xfs_file.c
> +++ b/fs/xfs/xfs_file.c
> @@ -786,8 +786,11 @@ xfs_file_fallocate(
>  			goto out_unlock;
>  		}
>  
> -		/* check the new inode size does not wrap through zero */
> -		if (new_size > inode->i_sb->s_maxbytes) {
> +		/*
> +		 * New inode size must not exceed ->s_maxbytes, accounting for
> +		 * possible signed overflow.
> +		 */
> +		if ((u64)new_size > inode->i_sb->s_maxbytes) {
>  			error = -EFBIG;
>  			goto out_unlock;
>  		}
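Review bot: the `(u64)` cast in `if ((u64)new_size > inode->i_sb->s_maxbytes)` only reinterprets a sum that has already been formed in signed loff_t arithmetic, so the undefined signed overflow that UBSAN reports above (`9223372036854771712 + 8192 cannot be represented in type 'long long int'`) still happens when `new_size` is computed; the comparison then works only because the compiler happens to preserve the two's-complement wrap. Checking the headroom before the addition, as in `if (inode->i_sb->s_maxbytes - isize < len)`, never produces the out-of-range value at all and cannot itself overflow as long as the existing `isize` is already within `s_maxbytes` and `len` is non-negative. If the cast form is kept, the new comment should also say why it is sound, since `s_maxbytes` is a signed loff_t that is silently promoted to u64 by the comparison.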
> -- 
> 2.17.0.484.g0c8726318c-goog
> 
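The three variants of the s_maxbytes check discussed in this thread, side by side, as an added example that is not code from the kernel or from either poster: the pre-patch signed comparison, the patch's `(u64)` cast, and Darrick's subtract-first rearrangement, exercised with the operands from the UBSAN report. `loff_t`, `u64` and `wrapped_sum` are local stand-ins; the kernel's real addition is undefined on overflow, so `wrapped_sum` emulates the two's-complement wrap explicitly to keep the demonstration deterministic.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef long long loff_t;   /* signed 64-bit, as in the kernel */
typedef uint64_t u64;
/* Operands from the UBSAN report in the thread (64-bit XFS, s_maxbytes == LLONG_MAX). */
#define REPORT_ISIZE 9223372036854771712LL
#define REPORT_LEN   8192LL

/*
 * The kernel computes new_size = isize + len in signed arithmetic, which is
 * undefined behaviour when it overflows.  This helper reproduces the
 * two's-complement wrap the CPU actually produces without invoking UB, so
 * the checks below behave deterministically.  (The out-of-range u64 to
 * loff_t conversion is implementation-defined before C23; gcc and clang wrap.)
 */
static loff_t wrapped_sum(loff_t isize, loff_t len)
{
	return (loff_t)((u64)isize + (u64)len);
}

/* Pre-patch check: a wrapped, negative new_size is never > s_maxbytes. */
static int check_before_patch(loff_t isize, loff_t len, loff_t s_maxbytes)
{
	return wrapped_sum(isize, len) > s_maxbytes ? -EFBIG : 0;
}

/* The patch: compare the (already wrapped) sum as unsigned, so a negative
 * value becomes huge.  The kernel relies on s_maxbytes being promoted to u64. */
static int check_u64_cast(loff_t isize, loff_t len, loff_t s_maxbytes)
{
	return (u64)wrapped_sum(isize, len) > (u64)s_maxbytes ? -EFBIG : 0;
}

/* Darrick's rearrangement: measure the headroom before adding.  With
 * 0 <= isize <= s_maxbytes and len >= 0 no operation can overflow. */
static int check_subtract_first(loff_t isize, loff_t len, loff_t s_maxbytes)
{
	return s_maxbytes - isize < len ? -EFBIG : 0;
}

int main(void)
{
	printf("before patch: %d\n", check_before_patch(REPORT_ISIZE, REPORT_LEN, LLONG_MAX));
	printf("u64 cast:     %d\n", check_u64_cast(REPORT_ISIZE, REPORT_LEN, LLONG_MAX));
	printf("subtract:     %d\n", check_subtract_first(REPORT_ISIZE, REPORT_LEN, LLONG_MAX));
	return 0;
}
```

Only the pre-patch check accepts the report's operands (returns 0); both fixes return -EFBIG, and all three agree on requests that land exactly on s_maxbytes.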

Thread overview: 7+ messages
2018-04-16 20:46 [PATCH] xfs: prevent creating negative-sized file via INSERT_RANGE Eric Biggers
2018-04-17  0:52 ` Darrick J. Wong [this message]
2018-04-17  5:39   ` [PATCH v2] " Darrick J. Wong
2018-04-17  7:09     ` Christoph Hellwig
2018-04-17 17:55 ` [PATCH v3] " Darrick J. Wong
2018-04-17 18:00   ` Eric Biggers
2018-04-17 18:44     ` Darrick J. Wong