From: Jaegeuk Kim via Linux-f2fs-devel <linux-f2fs-devel@lists.sourceforge.net>
To: Chao Yu <chao@kernel.org>
Cc: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com,
linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] f2fs: fix to do sanity check correctly on i_inline_xattr_size
Date: Tue, 7 Jan 2025 19:28:06 +0000 [thread overview]
Message-ID: <Z32ARgIkX_Iazx41@google.com> (raw)
In-Reply-To: <20241216134600.8308-1-chao@kernel.org>
On 12/16, Chao Yu wrote:
> syzbot reported an out-of-range access issue as below:
>
> UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19
> index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]')
> CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> ubsan_epilogue lib/ubsan.c:231 [inline]
> __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
> read_inline_xattr+0x273/0x280
> lookup_all_xattrs fs/f2fs/xattr.c:341 [inline]
> f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533
> vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393
> ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229
> process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353
> ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572
> security_file_post_open+0xb9/0x280 security/security.c:3121
> do_open fs/namei.c:3830 [inline]
> path_openat+0x2ccd/0x3590 fs/namei.c:3987
> do_file_open_root+0x3a7/0x720 fs/namei.c:4039
> file_open_root+0x247/0x2a0 fs/open.c:1382
> do_handle_open+0x85b/0x9d0 fs/fhandle.c:414
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> index: 18446744073709550491 (decimal, unsigned long long)
> = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long)
> UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125].
>
> w/ below testcase, it can reproduce this bug easily:
> - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb
> - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs
> - touch /mnt/f2fs/file
> - umount /mnt/f2fs
> - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb
> - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb
> - mount /dev/sdb /mnt/f2fs
> - getfattr /mnt/f2fs/file
>
> The root cause is if metadata of filesystem and inode were fuzzed as below:
> - extra_attr feature is enabled
> - flexible_inline_xattr feature is enabled
> - ri.i_inline_xattr_size = 2048
> - F2FS_EXTRA_ATTR bit in ri.i_inline was not set
>
> sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size,
> result in using invalid inline_xattr_size later incorrectly, fix it.
>
> Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/
> MIN_INLINE_XATTR_SIZE like we did in parse_options().
>
> Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
> Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com
> Signed-off-by: Chao Yu <chao@kernel.org>
> ---
> fs/f2fs/inode.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 282fd320bdb3..29ccc64faae9 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page)
> F2FS_TOTAL_EXTRA_ATTR_SIZE);
> return false;
> }
> - if (f2fs_sb_has_flexible_inline_xattr(sbi) &&
> - f2fs_has_inline_xattr(inode) &&
> - (!fi->i_inline_xattr_size ||
> - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) {
> - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu",
> - __func__, inode->i_ino, fi->i_inline_xattr_size,
> - MAX_INLINE_XATTR_SIZE);
> - return false;
> - }
> if (f2fs_sb_has_compression(sbi) &&
> fi->i_flags & F2FS_COMPR_FL &&
> F2FS_FITS_IN_INODE(ri, fi->i_extra_isize,
> @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page)
> }
> }
>
> + if (f2fs_sb_has_flexible_inline_xattr(sbi) &&
> + f2fs_has_inline_xattr(inode) &&
> + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE ||
> + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) {
> + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu",
--> %lu?
> + __func__, inode->i_ino, fi->i_inline_xattr_size,
> + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE);
> + return false;
> + }
> +
> if (!f2fs_sb_has_extra_attr(sbi)) {
> if (f2fs_sb_has_project_quota(sbi)) {
> f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.",
> --
> 2.40.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Jaegeuk Kim <jaegeuk@kernel.org>
To: Chao Yu <chao@kernel.org>
Cc: linux-f2fs-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com
Subject: Re: [PATCH] f2fs: fix to do sanity check correctly on i_inline_xattr_size
Date: Tue, 7 Jan 2025 19:28:06 +0000 [thread overview]
Message-ID: <Z32ARgIkX_Iazx41@google.com> (raw)
In-Reply-To: <20241216134600.8308-1-chao@kernel.org>
On 12/16, Chao Yu wrote:
> syzbot reported an out-of-range access issue as below:
>
> UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19
> index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]')
> CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> ubsan_epilogue lib/ubsan.c:231 [inline]
> __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
> read_inline_xattr+0x273/0x280
> lookup_all_xattrs fs/f2fs/xattr.c:341 [inline]
> f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533
> vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393
> ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229
> process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353
> ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572
> security_file_post_open+0xb9/0x280 security/security.c:3121
> do_open fs/namei.c:3830 [inline]
> path_openat+0x2ccd/0x3590 fs/namei.c:3987
> do_file_open_root+0x3a7/0x720 fs/namei.c:4039
> file_open_root+0x247/0x2a0 fs/open.c:1382
> do_handle_open+0x85b/0x9d0 fs/fhandle.c:414
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> index: 18446744073709550491 (decimal, unsigned long long)
> = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long)
> UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125].
>
> w/ below testcase, it can reproduce this bug easily:
> - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb
> - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs
> - touch /mnt/f2fs/file
> - umount /mnt/f2fs
> - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb
> - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb
> - mount /dev/sdb /mnt/f2fs
> - getfattr /mnt/f2fs/file
>
> The root cause is if metadata of filesystem and inode were fuzzed as below:
> - extra_attr feature is enabled
> - flexible_inline_xattr feature is enabled
> - ri.i_inline_xattr_size = 2048
> - F2FS_EXTRA_ATTR bit in ri.i_inline was not set
>
> sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size,
> result in using invalid inline_xattr_size later incorrectly, fix it.
>
> Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/
> MIN_INLINE_XATTR_SIZE like we did in parse_options().
>
> Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
> Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com
> Signed-off-by: Chao Yu <chao@kernel.org>
> ---
> fs/f2fs/inode.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
> index 282fd320bdb3..29ccc64faae9 100644
> --- a/fs/f2fs/inode.c
> +++ b/fs/f2fs/inode.c
> @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page)
> F2FS_TOTAL_EXTRA_ATTR_SIZE);
> return false;
> }
> - if (f2fs_sb_has_flexible_inline_xattr(sbi) &&
> - f2fs_has_inline_xattr(inode) &&
> - (!fi->i_inline_xattr_size ||
> - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) {
> - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu",
> - __func__, inode->i_ino, fi->i_inline_xattr_size,
> - MAX_INLINE_XATTR_SIZE);
> - return false;
> - }
> if (f2fs_sb_has_compression(sbi) &&
> fi->i_flags & F2FS_COMPR_FL &&
> F2FS_FITS_IN_INODE(ri, fi->i_extra_isize,
> @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page)
> }
> }
>
> + if (f2fs_sb_has_flexible_inline_xattr(sbi) &&
> + f2fs_has_inline_xattr(inode) &&
> + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE ||
> + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) {
> + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu",
--> %lu?
> + __func__, inode->i_ino, fi->i_inline_xattr_size,
> + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE);
> + return false;
> + }
> +
> if (!f2fs_sb_has_extra_attr(sbi)) {
> if (f2fs_sb_has_project_quota(sbi)) {
> f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.",
> --
> 2.40.1
next prev parent reply other threads:[~2025-01-07 19:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-16 13:46 [f2fs-dev] [PATCH] f2fs: fix to do sanity check correctly on i_inline_xattr_size Chao Yu via Linux-f2fs-devel
2024-12-16 13:46 ` Chao Yu
2025-01-07 19:28 ` Jaegeuk Kim via Linux-f2fs-devel [this message]
2025-01-07 19:28 ` Jaegeuk Kim
2025-01-10 3:23 ` [f2fs-dev] " Chao Yu via Linux-f2fs-devel
2025-01-10 3:23 ` Chao Yu
2025-01-13 18:46 ` [f2fs-dev] " Jaegeuk Kim via Linux-f2fs-devel
2025-01-13 18:46 ` Jaegeuk Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z32ARgIkX_Iazx41@google.com \
--to=linux-f2fs-devel@lists.sourceforge.net \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.