From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nikolay Borisov <nborisov@suse.com>,
Johannes Thumshirn <jthumshirn@suse.de>,
David Sterba <dsterba@suse.com>
Subject: [PATCH 4.14 15/45] btrfs: correctly validate compression type
Date: Wed, 18 Sep 2019 08:18:53 +0200 [thread overview]
Message-ID: <20190918061224.441745861@linuxfoundation.org> (raw)
In-Reply-To: <20190918061222.854132812@linuxfoundation.org>
From: Johannes Thumshirn <jthumshirn@suse.de>
commit aa53e3bfac7205fb3a8815ac1c937fd6ed01b41e upstream.
Nikolay reported the following KASAN splat when running btrfs/048:
[ 1843.470920] ==================================================================
[ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
[ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979
[ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
[ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1843.476322] Call Trace:
[ 1843.476674] dump_stack+0x7c/0xbb
[ 1843.477132] ? strncmp+0x66/0xb0
[ 1843.477587] print_address_description+0x114/0x320
[ 1843.478256] ? strncmp+0x66/0xb0
[ 1843.478740] ? strncmp+0x66/0xb0
[ 1843.479185] __kasan_report+0x14e/0x192
[ 1843.479759] ? strncmp+0x66/0xb0
[ 1843.480209] kasan_report+0xe/0x20
[ 1843.480679] strncmp+0x66/0xb0
[ 1843.481105] prop_compression_validate+0x24/0x70
[ 1843.481798] btrfs_xattr_handler_set_prop+0x65/0x160
[ 1843.482509] __vfs_setxattr+0x71/0x90
[ 1843.483012] __vfs_setxattr_noperm+0x84/0x130
[ 1843.483606] vfs_setxattr+0xac/0xb0
[ 1843.484085] setxattr+0x18c/0x230
[ 1843.484546] ? vfs_setxattr+0xb0/0xb0
[ 1843.485048] ? __mod_node_page_state+0x1f/0xa0
[ 1843.485672] ? _raw_spin_unlock+0x24/0x40
[ 1843.486233] ? __handle_mm_fault+0x988/0x1290
[ 1843.486823] ? lock_acquire+0xb4/0x1e0
[ 1843.487330] ? lock_acquire+0xb4/0x1e0
[ 1843.487842] ? mnt_want_write_file+0x3c/0x80
[ 1843.488442] ? debug_lockdep_rcu_enabled+0x22/0x40
[ 1843.489089] ? rcu_sync_lockdep_assert+0xe/0x70
[ 1843.489707] ? __sb_start_write+0x158/0x200
[ 1843.490278] ? mnt_want_write_file+0x3c/0x80
[ 1843.490855] ? __mnt_want_write+0x98/0xe0
[ 1843.491397] __x64_sys_fsetxattr+0xba/0xe0
[ 1843.492201] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1843.493201] do_syscall_64+0x6c/0x230
[ 1843.493988] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1843.495041] RIP: 0033:0x7fa7a8a7707a
[ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
[ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
[ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
[ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
[ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
[ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
[ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff
[ 1843.505268] Allocated by task 3979:
[ 1843.505771] save_stack+0x19/0x80
[ 1843.506211] __kasan_kmalloc.constprop.5+0xa0/0xd0
[ 1843.506836] setxattr+0xeb/0x230
[ 1843.507264] __x64_sys_fsetxattr+0xba/0xe0
[ 1843.507886] do_syscall_64+0x6c/0x230
[ 1843.508429] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1843.509558] Freed by task 0:
[ 1843.510188] (stack is not available)
[ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
which belongs to the cache kmalloc-8 of size 8
[ 1843.514095] The buggy address is located 2 bytes inside of
8-byte region [ffff888111e369e0, ffff888111e369e8)
[ 1843.516524] The buggy address belongs to the page:
[ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
[ 1843.519993] flags: 0x4404000010200(slab|head)
[ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
[ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
[ 1843.524281] page dumped because: kasan: bad access detected
[ 1843.525936] Memory state around the buggy address:
[ 1843.526975] ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.528479] ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
[ 1843.531877] ^
[ 1843.533287] ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.534874] ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.536468] ==================================================================
This is caused by supplying a too short compression value ('lz') in the
test-case and comparing it to 'lzo' with strncmp() and a length of 3.
strncmp() read past the 'lz' when looking for the 'o' and thus caused an
out-of-bounds read.
Introduce a new check 'btrfs_compress_is_valid_type()' which not only
checks the user-supplied value against known compression types, but also
employs checks for too short values.
Reported-by: Nikolay Borisov <nborisov@suse.com>
Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
CC: stable@vger.kernel.org # 5.1+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/compression.c | 16 ++++++++++++++++
fs/btrfs/compression.h | 1 +
fs/btrfs/props.c | 6 +-----
3 files changed, 18 insertions(+), 5 deletions(-)
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -58,6 +58,22 @@ const char* btrfs_compress_type2str(enum
return NULL;
}
+bool btrfs_compress_is_valid_type(const char *str, size_t len)
+{
+ int i;
+
+ for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
+ size_t comp_len = strlen(btrfs_compress_types[i]);
+
+ if (len < comp_len)
+ continue;
+
+ if (!strncmp(btrfs_compress_types[i], str, comp_len))
+ return true;
+ }
+ return false;
+}
+
static int btrfs_decompress_bio(struct compressed_bio *cb);
static inline int compressed_bio_size(struct btrfs_fs_info *fs_info,
--- a/fs/btrfs/compression.h
+++ b/fs/btrfs/compression.h
@@ -131,6 +131,7 @@ extern const struct btrfs_compress_op bt
extern const struct btrfs_compress_op btrfs_zstd_compress;
const char* btrfs_compress_type2str(enum btrfs_compression_type type);
+bool btrfs_compress_is_valid_type(const char *str, size_t len);
int btrfs_compress_heuristic(struct inode *inode, u64 start, u64 end);
--- a/fs/btrfs/props.c
+++ b/fs/btrfs/props.c
@@ -386,11 +386,7 @@ int btrfs_subvol_inherit_props(struct bt
static int prop_compression_validate(const char *value, size_t len)
{
- if (!strncmp("lzo", value, 3))
- return 0;
- else if (!strncmp("zlib", value, 4))
- return 0;
- else if (!strncmp("zstd", value, 4))
+ if (btrfs_compress_is_valid_type(value, len))
return 0;
return -EINVAL;
next prev parent reply other threads:[~2019-09-18 6:20 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-18 6:18 [PATCH 4.14 00/45] 4.14.145-stable review Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 01/45] bridge/mdb: remove wrong use of NLM_F_MULTI Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 02/45] cdc_ether: fix rndis support for Mediatek based smartphones Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 03/45] ipv6: Fix the link time qualifier of ping_v6_proc_exit_net() Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 04/45] isdn/capi: check message length in capi_write() Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 05/45] net: Fix null de-reference of device refcount Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 06/45] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 07/45] net: phylink: Fix flow control resolution Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 08/45] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 09/45] sctp: Fix the link time qualifier of sctp_ctrlsock_exit() Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 10/45] sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 11/45] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 12/45] tipc: add NULL pointer check before calling kfree_rcu Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 13/45] tun: fix use-after-free when register netdev failed Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 14/45] btrfs: compression: add helper for type to string conversion Greg Kroah-Hartman
2019-09-18 6:18 ` Greg Kroah-Hartman [this message]
2019-09-18 6:18 ` [PATCH 4.14 16/45] Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur" Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 17/45] gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 18/45] gpio: fix line flag validation in linehandle_create Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 19/45] gpio: fix line flag validation in lineevent_create Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 20/45] Btrfs: fix assertion failure during fsync and use of stale transaction Greg Kroah-Hartman
2019-09-18 6:18 ` [PATCH 4.14 21/45] genirq: Prevent NULL pointer dereference in resend_irqs() Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 22/45] KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 23/45] KVM: x86: work around leak of uninitialized stack contents Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 24/45] KVM: nVMX: handle page fault in vmread Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 25/45] MIPS: VDSO: Prevent use of smp_processor_id() Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 26/45] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 27/45] powerpc: Add barrier_nospec to raw_copy_in_user() Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 28/45] drm/meson: Add support for XBGR8888 & ABGR8888 formats Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 29/45] clk: rockchip: Dont yell about bad mmc phases when getting Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 30/45] mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 31/45] PCI: Always allow probing with driver_override Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 32/45] ubifs: Correctly use tnc_next() in search_dh_cookie() Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 33/45] driver core: Fix use-after-free and double free on glue directory Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 34/45] crypto: talitos - check AES key size Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 35/45] crypto: talitos - fix CTR alg blocksize Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 36/45] crypto: talitos - check data blocksize in ablkcipher Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 37/45] crypto: talitos - fix ECB algs ivsize Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 38/45] crypto: talitos - Do not modify req->cryptlen on decryption Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 39/45] crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 40/45] firmware: ti_sci: Always request response from firmware Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 41/45] drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 42/45] Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature" Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 43/45] platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 44/45] nvmem: Use the same permissions for eeprom as for nvmem Greg Kroah-Hartman
2019-09-18 6:19 ` [PATCH 4.14 45/45] x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning Greg Kroah-Hartman
2019-09-18 13:19 ` [PATCH 4.14 00/45] 4.14.145-stable review kernelci.org bot
2019-09-18 13:55 ` Naresh Kamboju
2019-09-18 16:28 ` Jon Hunter
2019-09-18 16:28 ` Jon Hunter
2019-09-18 19:37 ` Guenter Roeck
2019-09-19 1:26 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190918061224.441745861@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dsterba@suse.com \
--cc=jthumshirn@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nborisov@suse.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.