From: Dan Carpenter <dan.carpenter@oracle.com>
To: eadavis@sina.com
Cc: almaz.alexandrovich@paragon-software.com,
kbuild-all@lists.01.org, linux-kernel@vger.kernel.org,
lkp@intel.com, llvm@lists.linux.dev, nathan@kernel.org,
ndesaulniers@google.com, ntfs3@lists.linux.dev,
syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, trix@redhat.com
Subject: Re: [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL
Date: Mon, 19 Sep 2022 15:04:19 +0300 [thread overview]
Message-ID: <Yyhaw8iBPulIO0Pp@kadam> (raw)
In-Reply-To: <20220919111954.283125-1-eadavis@sina.com>
This patch is useful and shows what the bug is however the fix needs
some additional work.
On Mon, Sep 19, 2022 at 07:19:54PM +0800, eadavis@sina.com wrote:
> From: Edward Adam Davis <eadavis@sina.com>
>
> the root cause is:
> The remaining space after the offset is less than the space needed to
> accommodate the next EA_FULL struct.
This commit message is not good and does not explain what how the
problem appears to the user. Don't start the commit message in the
middle of a sentence.
>
> Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
> Reported-by: syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com
> Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Edward Adam Davis <eadavis@sina.com>
> ---
> Changes in v3:
> Add Suggested-by: and fix the syntax err.
This is not what I suggested... There several problems with this patch.
1) If we call find_ea() if "bytes" set to a number in 1-7 range then
then the unpacked_ea_size() is an out of bounds read.
2) The *off + unpacked_ea_size() can have an integer overflow.
3) The math in "next_len + ea->name_len + le16_to_cpu(ea->elength)" is
not correct. It should use unpacked_ea_size() instead. (The math
is different, this is a bug an not a style complaint).
4) My one style complaint is that "8" in "next_off + 8" is a magic
number.
So maybe we could separate out the issue with the buffer overflow from
the integer overflow.
Patch 1: Fix buffer overflow:
Add "if (bytes - *off < sizeof(*ea))" before the call to
"ea = Add2Ptr(ea_all, *off);". Then remove the "!bytes" test. That
test is wrong and useless. Also remove the if (next_off >= bytes) test.
That test is also insufficient and no longer required.
Patch 2: Fix the integer overflow bug.
- next_off = *off + unpacked_ea_size(ea);
+ next_off = size_add(*off, unpacked_ea_size(ea));
We also need to change the types of next_off and bytes to size_t for the
size_add() to be useful. I forgot about that last time I sent this.
After both patches are applied the code will look like below.
regards,
dan carpenter
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..bf53ed96b03f 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -41,17 +41,24 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
*
* Assume there is at least one xattr in the list.
*/
-static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
+static inline bool find_ea(const struct EA_FULL *ea_all, size_t bytes,
const char *name, u8 name_len, u32 *off)
{
+ const struct EA_FULL *ea;
+ size_t next_off;
+
*off = 0;
- if (!ea_all || !bytes)
+ if (!ea_all)
return false;
+
for (;;) {
- const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
- u32 next_off = *off + unpacked_ea_size(ea);
+ if (bytes - *off < sizeof(*ea))
+ return false;
+
+ ea = Add2Ptr(ea_all, *off);
+ next_off = size_add(*off, unpacked_ea_size(ea));
if (next_off > bytes)
return false;
@@ -61,8 +68,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
return true;
*off = next_off;
- if (next_off >= bytes)
- return false;
}
}
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL
Date: Mon, 19 Sep 2022 15:04:19 +0300 [thread overview]
Message-ID: <Yyhaw8iBPulIO0Pp@kadam> (raw)
In-Reply-To: <20220919111954.283125-1-eadavis@sina.com>
[-- Attachment #1: Type: text/plain, Size: 3280 bytes --]
This patch is useful and shows what the bug is however the fix needs
some additional work.
On Mon, Sep 19, 2022 at 07:19:54PM +0800, eadavis(a)sina.com wrote:
> From: Edward Adam Davis <eadavis@sina.com>
>
> the root cause is:
> The remaining space after the offset is less than the space needed to
> accommodate the next EA_FULL struct.
This commit message is not good and does not explain what how the
problem appears to the user. Don't start the commit message in the
middle of a sentence.
>
> Link: https://syzkaller.appspot.com/bug?extid=c4d950787fd5553287b7
> Reported-by: syzbot+c4d950787fd5553287b7(a)syzkaller.appspotmail.com
> Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Edward Adam Davis <eadavis@sina.com>
> ---
> Changes in v3:
> Add Suggested-by: and fix the syntax err.
This is not what I suggested... There several problems with this patch.
1) If we call find_ea() if "bytes" set to a number in 1-7 range then
then the unpacked_ea_size() is an out of bounds read.
2) The *off + unpacked_ea_size() can have an integer overflow.
3) The math in "next_len + ea->name_len + le16_to_cpu(ea->elength)" is
not correct. It should use unpacked_ea_size() instead. (The math
is different, this is a bug an not a style complaint).
4) My one style complaint is that "8" in "next_off + 8" is a magic
number.
So maybe we could separate out the issue with the buffer overflow from
the integer overflow.
Patch 1: Fix buffer overflow:
Add "if (bytes - *off < sizeof(*ea))" before the call to
"ea = Add2Ptr(ea_all, *off);". Then remove the "!bytes" test. That
test is wrong and useless. Also remove the if (next_off >= bytes) test.
That test is also insufficient and no longer required.
Patch 2: Fix the integer overflow bug.
- next_off = *off + unpacked_ea_size(ea);
+ next_off = size_add(*off, unpacked_ea_size(ea));
We also need to change the types of next_off and bytes to size_t for the
size_add() to be useful. I forgot about that last time I sent this.
After both patches are applied the code will look like below.
regards,
dan carpenter
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 7de8718c68a9..bf53ed96b03f 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -41,17 +41,24 @@ static inline size_t packed_ea_size(const struct EA_FULL *ea)
*
* Assume there is at least one xattr in the list.
*/
-static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
+static inline bool find_ea(const struct EA_FULL *ea_all, size_t bytes,
const char *name, u8 name_len, u32 *off)
{
+ const struct EA_FULL *ea;
+ size_t next_off;
+
*off = 0;
- if (!ea_all || !bytes)
+ if (!ea_all)
return false;
+
for (;;) {
- const struct EA_FULL *ea = Add2Ptr(ea_all, *off);
- u32 next_off = *off + unpacked_ea_size(ea);
+ if (bytes - *off < sizeof(*ea))
+ return false;
+
+ ea = Add2Ptr(ea_all, *off);
+ next_off = size_add(*off, unpacked_ea_size(ea));
if (next_off > bytes)
return false;
@@ -61,8 +68,6 @@ static inline bool find_ea(const struct EA_FULL *ea_all, u32 bytes,
return true;
*off = next_off;
- if (next_off >= bytes)
- return false;
}
}
next prev parent reply other threads:[~2022-09-19 12:04 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 16:55 [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2022-09-12 3:41 ` [PATCH] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-12 6:16 ` kernel test robot
2022-09-12 6:16 ` kernel test robot
2022-09-19 5:19 ` [PATCH] fs/ntfs3: "add a boundary check for EA_FULL" lose right parenthesis eadavis
2022-09-19 5:19 ` eadavis
2022-09-19 10:42 ` Dan Carpenter
2022-09-19 10:42 ` Dan Carpenter
2022-09-19 11:19 ` [PATCH v3] fs/ntfs3: add a boundary check for EA_FULL eadavis
2022-09-19 11:19 ` eadavis
2022-09-19 12:04 ` Dan Carpenter [this message]
2022-09-19 12:04 ` Dan Carpenter
2022-09-19 13:21 ` [PATCH v4] fs/ntfs3: Fix buffer overflow and integer overflow eadavis
2022-09-19 13:21 ` eadavis
2022-09-19 13:32 ` eadavis
2022-09-19 13:32 ` eadavis
2022-11-13 5:07 ` [PATCH v5] fs/ntfs3: Validate parameter bytes and valid size eadavis
2022-09-12 6:54 ` [PATCH v2] fs/netfs3: add a boundary check for EA_FULL eadavis
2022-09-14 15:34 ` Dan Carpenter
2023-01-26 8:13 ` [syzbot] KASAN: slab-out-of-bounds Read in ntfs_get_ea syzbot
2023-04-12 13:11 ` Aleksandr Nogikh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yyhaw8iBPulIO0Pp@kadam \
--to=dan.carpenter@oracle.com \
--cc=almaz.alexandrovich@paragon-software.com \
--cc=eadavis@sina.com \
--cc=kbuild-all@lists.01.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=llvm@lists.linux.dev \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ntfs3@lists.linux.dev \
--cc=syzbot+c4d950787fd5553287b7@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.