From: "Darrick J. Wong" <djwong@kernel.org>
To: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Cc: cem@kernel.org, chandanbabu@kernel.org, bfoster@redhat.com,
	linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org,
	syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Subject: Re: [PATCH] xfs: reject log records with v2 size but v1 header version to avoid OOB
Date: Wed, 12 Nov 2025 10:45:04 -0800
Message-ID: <20251112184504.GA196370@frogsfrogsfrogs>
In-Reply-To: <20251112181817.2027616-2-rpthibeault@gmail.com>

On Wed, Nov 12, 2025 at 01:18:18PM -0500, Raphael Pinsonneault-Thibeault wrote:
> In xlog_do_recovery_pass(),
> commit 45cf976008dd ("xfs: fix log recovery buffer allocation for the
> legacy h_size fixup")
> added a fix to take the corrected h_size (from the xfsprogs bug
> workaround) into consideration for the log recovery buffer calculation.
> Without it, we would still allocate the buffer based on the incorrect
> on-disk size.
> 
> However, in a scenario similar to 45cf976008dd, syzbot creates a fuzzed
> record where xfs_has_logv2() but the xlog_rec_header h_version !=
> XLOG_VERSION_2, meaning we skip the log recovery buffer calculation
> fix and allocate the buffer based on the incorrect on-disk size. Hence,
> a KASAN: slab-out-of-bounds read in xlog_do_recovery_pass() ->
> xlog_recover_process() -> xlog_cksum().
> 
> Fix by rejecting the record header for
> h_size > XLOG_HEADER_CYCLE_SIZE && !XLOG_VERSION_2
> since the larger h_size cannot work for v1 logs, and the log stripe unit
> adjustment is only a v2 feature.
> 
> Reported-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c
> Tested-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
> Fixes: 45cf976008dd ("xfs: fix log recovery buffer allocation for the legacy h_size fixup")
> Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
> ---
> changelog
> v1 -> v2: 
> - reject the mount for h_size > XLOG_HEADER_CYCLE_SIZE && !XLOG_VERSION_2
> - update commit subject and message
> 
>  fs/xfs/xfs_log_recover.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
> index e6ed9e09c027..99a903e01869 100644
> --- a/fs/xfs/xfs_log_recover.c
> +++ b/fs/xfs/xfs_log_recover.c
> @@ -3064,8 +3064,12 @@ xlog_do_recovery_pass(
>  		 * still allocate the buffer based on the incorrect on-disk
>  		 * size.
>  		 */
> -		if (h_size > XLOG_HEADER_CYCLE_SIZE &&
> -		    (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) {

Just out of curiosity, why is this a bit flag test?  Did XFS ever emit a
log record with both XLOG_VERSION_2 *and* XLOG_VERSION_1 set?  The code
that writes new log records only sets h_version to 1 or 2, not 3.

(I can't tell if this is a hysterical raisins compatibility thing, or
just bugs)

--D

> +		if (h_size > XLOG_HEADER_CYCLE_SIZE) {
> +			if (!(rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) {
> +				error = -EFSCORRUPTED;
> +				goto bread_err1;
> +			}
> +
>  			hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE);
>  			if (hblks > 1) {
>  				kvfree(hbp);
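
Review bot: the new rejection path (`error = -EFSCORRUPTED; goto bread_err1;`) emits no diagnostic, so a mount that fails here gives the administrator no indication that an oversized h_size on a non-v2 record header was the cause, and it is indistinguishable from any other -EFSCORRUPTED return out of xlog_do_recovery_pass(). Consider an xfs_warn() that prints h_size and the raw h_version before the goto; that also makes the fuzzed-image case from the syzbot report visible in dmesg rather than just as a failed mount.
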
> -- 
> 2.43.0
> 
> 
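
As an added illustration of the bug and of the check the patch introduces (this is not code from the patch or from the kernel), the model below reproduces in user space the two decisions that matter in xlog_do_recovery_pass(): how many log-buffer blocks (hblks) the header-size logic arrives at before and after the fix, and how far a record whose header claims a v2-sized h_size but carries a v1 version would read past a buffer sized from that decision. The struct, the helper names and the sample headers are mine; the constant values (XLOG_VERSION_1 = 1, XLOG_VERSION_2 = 2, XLOG_HEADER_CYCLE_SIZE = 32 KiB, EFSCORRUPTED mapped to EUCLEAN) mirror fs/xfs/xfs_log_format.h and fs/xfs/xfs_linux.h as I recall them and should be treated as assumptions here. The `h_size` argument stands for the already-corrected size the kernel computes from the legacy h_size workaround.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Assumed to match the kernel definitions; not copied from the page. */
#define XLOG_VERSION_1          1
#define XLOG_VERSION_2          2
#define XLOG_HEADER_CYCLE_SIZE  (32 * 1024)
#ifndef EUCLEAN
#define EUCLEAN 117             /* Linux value; fallback for other libcs */
#endif
#define EFSCORRUPTED            EUCLEAN

#define DIV_ROUND_UP(n, d)      (((n) + (d) - 1) / (d))
#define cpu_to_be32(x)          htonl(x)
#define be32_to_cpu(x)          ntohl(x)

/* Stand-in for struct xlog_rec_header with only the two fields at issue. */
struct rec_header {
    uint32_t h_version;     /* big-endian on disk, as in the kernel */
    uint32_t h_size;        /* big-endian on disk */
};

static struct rec_header mk_header(uint32_t version, uint32_t size)
{
    struct rec_header h = { cpu_to_be32(version), cpu_to_be32(size) };
    return h;
}

/*
 * Pre-patch decision: the v2 bit gates the whole block, so a header that
 * is not v2 but still claims h_size > XLOG_HEADER_CYCLE_SIZE silently
 * keeps hblks = 1. No error is ever returned from here.
 */
static int hblks_before_fix(const struct rec_header *rhead, uint32_t h_size)
{
    if (h_size > XLOG_HEADER_CYCLE_SIZE &&
        (rhead->h_version & cpu_to_be32(XLOG_VERSION_2)))
        return DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE);
    return 1;
}

/*
 * Post-patch decision: the size test comes first; an oversized h_size on
 * a header without the v2 bit is rejected as corruption instead of being
 * allowed to fall through with a one-block buffer.
 */
static int hblks_after_fix(const struct rec_header *rhead, uint32_t h_size,
                           int *hblks)
{
    *hblks = 1;
    if (h_size > XLOG_HEADER_CYCLE_SIZE) {
        if (!(rhead->h_version & cpu_to_be32(XLOG_VERSION_2)))
            return -EFSCORRUPTED;
        *hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE);
    }
    return 0;
}

/*
 * How many bytes a consumer that trusts h_size would read beyond a buffer
 * of hblks * XLOG_HEADER_CYCLE_SIZE bytes (0 when the buffer is big enough).
 */
static uint32_t bytes_past_buffer(int hblks, uint32_t h_size)
{
    uint32_t allocated = (uint32_t)hblks * XLOG_HEADER_CYCLE_SIZE;
    return h_size > allocated ? h_size - allocated : 0;
}

int main(void)
{
    /* Constructed sample: a fuzzed v1 header that claims a 64 KiB record. */
    struct rec_header fuzzed = mk_header(XLOG_VERSION_1, 64 * 1024);
    uint32_t h_size = be32_to_cpu(fuzzed.h_size);
    int hblks, err;

    hblks = hblks_before_fix(&fuzzed, h_size);
    printf("before fix: hblks=%d, %u bytes past buffer\n",
           hblks, bytes_past_buffer(hblks, h_size));

    err = hblks_after_fix(&fuzzed, h_size, &hblks);
    printf("after fix: err=%d (%s)\n", err,
           err == -EFSCORRUPTED ? "rejected as EFSCORRUPTED" : "accepted");

    /* A genuine v2 header of the same size is unaffected by the change. */
    struct rec_header v2 = mk_header(XLOG_VERSION_2, 64 * 1024);
    err = hblks_after_fix(&v2, be32_to_cpu(v2.h_size), &hblks);
    printf("v2 header: err=%d hblks=%d\n", err, hblks);
    return 0;
}
```

Running it shows the gap the syzbot image exploited: before the fix the fuzzed header yields hblks = 1 with 32768 bytes of claimed record beyond the allocated buffer, while after the fix the same header is refused with -EFSCORRUPTED and a real v2 header still gets its two blocks.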

Thread overview: 16+ messages
2025-11-12 14:10 [PATCH] xfs: ensure log recovery buffer is resized to avoid OOB Raphael Pinsonneault-Thibeault
2025-11-12 15:28 ` Christoph Hellwig
2025-11-12 18:18   ` [PATCH] xfs: reject log records with v2 size but v1 header version " Raphael Pinsonneault-Thibeault
2025-11-12 18:45     ` Darrick J. Wong [this message]
2025-11-13  6:55       ` Christoph Hellwig
2025-11-12 22:19 ` [PATCH] xfs: ensure log recovery buffer is resized " Dave Chinner
2025-11-13 19:01   ` [PATCH v3] xfs: validate log record version against superblock log version Raphael Pinsonneault-Thibeault
2025-11-18 20:19     ` Dave Chinner
2025-11-19 15:37       ` [PATCH v4] " Raphael Pinsonneault-Thibeault
2025-11-19 20:16         ` Dave Chinner
2025-11-20  6:57         ` Christoph Hellwig
2025-11-24 17:47           ` [PATCH v5] " Raphael Pinsonneault-Thibeault
2025-11-24 18:52             ` Darrick J. Wong
2025-11-25  6:31               ` Christoph Hellwig
2025-11-25 17:06                 ` Darrick J. Wong
2025-11-25  6:31             ` Christoph Hellwig
