public inbox for linux-bcache@vger.kernel.org
From: Coly Li <colyli@suse.de>
To: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
Cc: linux-bcache@vger.kernel.org, linux-block@vger.kernel.org,
	stable@vger.kernel.org, Kai Krakow <kai@kaishome.de>
Subject: Re: [PATCH] bcache: fix 0day error of setting writeback_rate by sysfs interface
Date: Sat, 11 Aug 2018 12:46:52 +0800
Message-ID: <f39381fc-cb31-2979-84fa-7cc264942842@suse.de>
In-Reply-To: <16e6c566-5f4d-0d52-3c6e-aa2815baff29@profihost.ag>

On 2018/8/11 2:13 AM, Stefan Priebe - Profihost AG wrote:
> Thanks for cc. How is this exploitable? I mean only root can write to
> sysfs? Or do you mean by allowing a user via sudo to write to that entry?

Hi Stefan,

This is not a security 0day bug; this is an error reported by the Linux
kernel 0day test service
(https://01.org/zh/lkp/documentation/0-day-test-service). My development
tree is registered and monitored by the 0day testing service, so if there is
any static code error or boot failure, I am notified at a very early stage.

The bug in the previous patch is that writeback_rate cannot be set by the
sysfs interface, because sysfs_strtoul_clamp() directly returns. This patch
fixes this and allows writeback_rate to be manually set again.

Coly Li

> 
> Am 10.08.2018 um 17:45 schrieb Coly Li:
>> Commit ea8c5356d390 ("bcache: set max writeback rate when I/O request
>> is idle") changes struct bch_ratelimit member rate from uint32_t to
>> atomic_long_t and uses atomic_long_set() in drivers/md/bcache/sysfs.c
>> to set new writeback rate, after the input is converted from memory
>> buf to long int by sysfs_strtoul_clamp().
>>
>> The above change has a problem because there is an implicit return
>> inside sysfs_strtoul_clamp(), so the following atomic_long_set()
>> won't be called. This error is detected by the 0day system with the
>> following snipped smatch warnings:
>>
>> drivers/md/bcache/sysfs.c:271 __cached_dev_store() error: uninitialized
>> symbol 'v'.
>> 270  sysfs_strtoul_clamp(writeback_rate, v, 1, INT_MAX);
>>      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> @271 atomic_long_set(&dc->writeback_rate.rate, v);
>>
>> This patch fixes the above error by using strtoul_safe_clamp() to
>> convert the input buffer into a long int type result.
>>
>> Fixes: Commit ea8c5356d390 ("bcache: set max writeback rate when I/O request is idle")
>> Signed-off-by: Coly Li <colyli@suse.de>
>> Cc: stable@vger.kernel.org #4.16+
>> Cc: Kai Krakow <kai@kaishome.de>
>> Cc: Stefan Priebe <s.priebe@profihost.ag>
>> ---
>>  drivers/md/bcache/sysfs.c | 13 ++++++++++---
>>  1 file changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
>> index 543b06408321..150cf4f4cf74 100644
>> --- a/drivers/md/bcache/sysfs.c
>> +++ b/drivers/md/bcache/sysfs.c
>> @@ -267,10 +267,17 @@ STORE(__cached_dev)
>>  	sysfs_strtoul_clamp(writeback_percent, dc->writeback_percent, 0, 40);
>>  
>>  	if (attr == &sysfs_writeback_rate) {
>> -		int v;
>> +		ssize_t ret;
>> +		long int v = atomic_long_read(&dc->writeback_rate.rate);
>> +
>> +		ret = strtoul_safe_clamp(buf, v, 1, INT_MAX);
>>  
>> -		sysfs_strtoul_clamp(writeback_rate, v, 1, INT_MAX);
>> -		atomic_long_set(&dc->writeback_rate.rate, v);
>> +		if (!ret) {
>> +			atomic_long_set(&dc->writeback_rate.rate, v);
>> +			ret = size;
>> +		}
>> +
>> +		return ret;
>>  	}
>>  
>>  	sysfs_strtoul_clamp(writeback_rate_update_seconds,
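Review bot: the new `return ret;` at the end of the `if (attr == &sysfs_writeback_rate)` block is what stops the later `sysfs_strtoul_clamp(writeback_rate_update_seconds, ...)` and the rest of the store handler from running for this attribute, i.e. it restores the early return that `sysfs_strtoul_clamp()` used to perform internally, but neither the commit message nor a comment says so; a one-line comment above `return ret;` would spare the next reader that question. Two smaller points: kernel style is `long v` rather than `long int v`, and seeding `v` from `atomic_long_read(&dc->writeback_rate.rate)` only matters if `strtoul_safe_clamp()` leaves `v` untouched on a parse error, which is worth stating in a comment since on the `!ret` path the value is overwritten before it is used.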
>>
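The hidden-return hazard Coly describes above, as an added user-space model that is not code from the patch, the bcache tree or Coly Li: the macro names mirror bcache's sysfs_strtoul_clamp() and strtoul_safe_clamp() but are reimplemented here with strtoul() and a plain long instead of atomic_long_t, and the kernel macro's attr check is dropped because it always matches inside the writeback_rate branch. store_rate_buggy() has the pre-patch shape, where the assignment after the macro is dead code; store_rate_fixed() has the post-patch shape.

```c
/* Added example (not from the patch or bcache): user-space model of the two macro styles. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define CLAMP(v, lo, hi) ((v) < (lo) ? (lo) : ((v) > (hi) ? (hi) : (v)))

/* Expression macro (strtoul_safe_clamp style): parse cp, clamp into var on
 * success, yield 0 or -EINVAL. Control flow stays with the caller. */
#define strtoul_safe_clamp(cp, var, min, max)                          \
({                                                                     \
	char *_end; unsigned long _v; int _r = 0;                      \
	errno = 0; _v = strtoul((cp), &_end, 10);                      \
	if (errno || _end == (cp) || (*_end && *_end != '\n'))         \
		_r = -EINVAL;                                          \
	else                                                           \
		var = CLAMP(_v, (min), (max));                         \
	_r;                                                            \
})

/* Statement macro with a hidden return (sysfs_strtoul_clamp style; the
 * kernel's attr check is dropped, it always matches in this branch). */
#define sysfs_strtoul_clamp(cp, var, min, max)                         \
do {                                                                   \
	int _ret = strtoul_safe_clamp((cp), var, (min), (max));        \
	return _ret ? _ret : (ssize_t)strlen(cp);                      \
} while (0)

/* Before the patch: the macro returns, so the line after it is dead code
 * and *rate is never written (what the smatch warning pointed at). */
ssize_t store_rate_buggy(const char *buf, long *rate)
{
	long v;
	sysfs_strtoul_clamp(buf, v, 1, INT_MAX);
	*rate = v;	/* never reached */
	return (ssize_t)strlen(buf);
}

/* After the patch: the caller keeps control and publishes the new rate
 * only when parsing succeeded; otherwise the old rate is kept. */
ssize_t store_rate_fixed(const char *buf, long *rate)
{
	long v = *rate;
	ssize_t ret = strtoul_safe_clamp(buf, v, 1, INT_MAX);
	if (!ret) {
		*rate = v;
		ret = (ssize_t)strlen(buf);
	}
	return ret;
}
```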

Thread overview: 3+ messages
2018-08-10 15:45 [PATCH] bcache: fix 0day error of setting writeback_rate by sysfs interface Coly Li
2018-08-10 18:13 ` Stefan Priebe - Profihost AG
2018-08-11  4:46   ` Coly Li [this message]
