From: Nikolay Borisov <nborisov@suse.com>
To: Qu Wenruo <wqu@suse.com>, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 1/5] btrfs: extent_io: Do extra check for extent buffer read write functions
Date: Wed, 10 Jul 2019 13:42:29 +0300 [thread overview]
Message-ID: <0c6525ff-63f5-6342-4c6c-2e229d0e98b2@suse.com> (raw)
In-Reply-To: <20190710080243.15988-2-wqu@suse.com>
On 10.07.19 г. 11:02 ч., Qu Wenruo wrote:
> Although we have start, len check for extent buffer reader/write (e.g.
> read_extent_buffer()), those checks has its limitations:
> - No overflow check
> Values like start = 1024 len = -1024 can still pass the basic
> (start + len) > eb->len check.
>
> - Checks are not consistent
> For read_extent_buffer() we only check (start + len) against eb->len.
> While for memcmp_extent_buffer() we also check start against eb->len.
>
> - Different error reporting mechanism
> We use WARN() in read_extent_buffer() but BUG() in
> memcpy_extent_buffer().
>
> - Still modify memory if the request is obviously wrong
> In read_extent_buffer() even we find (start + len) > eb->len, we still
> call memset(dst, 0, len), which can eaisly cause memory access error
> if start + len overflows.
>
> To address above problems, this patch creates a new common function to
> check such access, check_eb_range().
> - Add overflow check
> This function checks start, start + len against eb->len and overflow
> check.
>
> - Unified checks
>
> - Unified error reports
> Will call WARN() if CONFIG_BTRFS_DEBUG is configured.
> And also do btrfs_warn() message for non-debug build.
>
> - Exit ASAP if check fails
> No more possible memory corruption.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=202817
> [ Inspired by above report, the report itself is already addressed ]
> Signed-off-by: Qu Wenruo <wqu@suse.com>
> ---
> fs/btrfs/extent_io.c | 79 +++++++++++++++++++++++---------------------
> 1 file changed, 42 insertions(+), 37 deletions(-)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index db337e53aab3..b072ef5bceac 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -5429,6 +5429,31 @@ int read_extent_buffer_pages(struct extent_buffer *eb, int wait, int mirror_num)
> return ret;
> }
>
> +/*
> + * Check if the [start, start + len) range is valid before reading/writing
> + * the eb.
> + *
> + * Caller should not touch the dst/src memory if this function returns error.
> + */
> +static int check_eb_range(const struct extent_buffer *eb, unsigned long start,
> + unsigned long len)
> +{
> + unsigned long end;
> +
> + /* start, start + len should not go beyond eb->len nor overflow */
> + if (unlikely(start > eb->len || start + len > eb->len ||
I think your check here is wrong, it should be start + len > start +
eb->len. start is the logical address hence it can be a lot bigger than
the size of the eb which is 16k by default.
> + check_add_overflow(start, len, &end))) {
> + WARN(IS_ENABLED(CONFIG_BTRFS_DEBUG), KERN_ERR
> +"btrfs: bad eb rw request, eb bytenr=%llu len=%lu rw start=%lu len=%lu\n",
> + eb->start, eb->len, start, len);
> + btrfs_warn(eb->fs_info,
> +"btrfs: bad eb rw request, eb bytenr=%llu len=%lu rw start=%lu len=%lu\n",
> + eb->start, eb->len, start, len);
If CONFIG_BTRFS_DEBUG is enabled then we will print the warning text
twice. Simply make it:
WARN_ON(IS_ENABLED()) and leave the btrfs_Warn to always print the text.
> + return -EINVAL;
> + }
> + return 0;
> +}
> +
> void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
> unsigned long start, unsigned long len)
> {
> @@ -5440,12 +5465,8 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
> size_t start_offset = offset_in_page(eb->start);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>
> - if (start + len > eb->len) {
> - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n",
> - eb->start, eb->len, start, len);
> - memset(dst, 0, len);
> + if (check_eb_range(eb, start, len))
> return;
> - }
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5554,8 +5575,8 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
> int ret = 0;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (check_eb_range(eb, start, len))
> + return -EINVAL;
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5609,8 +5630,8 @@ void write_extent_buffer(struct extent_buffer *eb, const void *srcv,
> size_t start_offset = offset_in_page(eb->start);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (check_eb_range(eb, start, len))
> + return;
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5639,8 +5660,8 @@ void memzero_extent_buffer(struct extent_buffer *eb, unsigned long start,
> size_t start_offset = offset_in_page(eb->start);
> unsigned long i = (start_offset + start) >> PAGE_SHIFT;
>
> - WARN_ON(start > eb->len);
> - WARN_ON(start + len > eb->start + eb->len);
> + if (check_eb_range(eb, start, len))
> + return;
>
> offset = offset_in_page(start_offset + start);
>
> @@ -5684,6 +5705,10 @@ void copy_extent_buffer(struct extent_buffer *dst, struct extent_buffer *src,
> size_t start_offset = offset_in_page(dst->start);
> unsigned long i = (start_offset + dst_offset) >> PAGE_SHIFT;
>
> + if (check_eb_range(dst, dst_offset, len) ||
> + check_eb_range(src, src_offset, len))
> + return;
> +
> WARN_ON(src->len != dst_len);
>
> offset = offset_in_page(start_offset + dst_offset);
> @@ -5872,7 +5897,6 @@ static void copy_pages(struct page *dst_page, struct page *src_page,
> void memcpy_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
> unsigned long src_offset, unsigned long len)
> {
> - struct btrfs_fs_info *fs_info = dst->fs_info;
> size_t cur;
> size_t dst_off_in_page;
> size_t src_off_in_page;
> @@ -5880,18 +5904,9 @@ void memcpy_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
> unsigned long dst_i;
> unsigned long src_i;
>
> - if (src_offset + len > dst->len) {
> - btrfs_err(fs_info,
> - "memmove bogus src_offset %lu move len %lu dst len %lu",
> - src_offset, len, dst->len);
> - BUG();
> - }
> - if (dst_offset + len > dst->len) {
> - btrfs_err(fs_info,
> - "memmove bogus dst_offset %lu move len %lu dst len %lu",
> - dst_offset, len, dst->len);
> - BUG();
> - }
> + if (check_eb_range(dst, dst_offset, len) ||
> + check_eb_range(dst, src_offset, len))
> + return;
>
> while (len > 0) {
> dst_off_in_page = offset_in_page(start_offset + dst_offset);
> @@ -5917,7 +5932,6 @@ void memcpy_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
> void memmove_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
> unsigned long src_offset, unsigned long len)
> {
> - struct btrfs_fs_info *fs_info = dst->fs_info;
> size_t cur;
> size_t dst_off_in_page;
> size_t src_off_in_page;
> @@ -5927,18 +5941,9 @@ void memmove_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
> unsigned long dst_i;
> unsigned long src_i;
>
> - if (src_offset + len > dst->len) {
> - btrfs_err(fs_info,
> - "memmove bogus src_offset %lu move len %lu len %lu",
> - src_offset, len, dst->len);
> - BUG();
> - }
> - if (dst_offset + len > dst->len) {
> - btrfs_err(fs_info,
> - "memmove bogus dst_offset %lu move len %lu len %lu",
> - dst_offset, len, dst->len);
> - BUG();
> - }
> + if (check_eb_range(dst, dst_offset, len) ||
> + check_eb_range(dst, src_offset, len))
> + return;
> if (dst_offset < src_offset) {
> memcpy_extent_buffer(dst, dst_offset, src_offset, len);
> return;
>
next prev parent reply other threads:[~2019-07-10 10:42 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-10 8:02 [PATCH 0/5] btrfs: Enhanced runtime defence against fuzzed images Qu Wenruo
2019-07-10 8:02 ` [PATCH 1/5] btrfs: extent_io: Do extra check for extent buffer read write functions Qu Wenruo
2019-07-10 10:42 ` Nikolay Borisov [this message]
2019-07-10 10:58 ` WenRuo Qu
2019-07-24 16:00 ` David Sterba
2019-07-24 22:54 ` Qu Wenruo
2019-07-25 6:39 ` Nikolay Borisov
2019-07-10 8:02 ` [PATCH 2/5] btrfs: extent-tree: Kill BUG_ON() in __btrfs_free_extent() and do better comment Qu Wenruo
2019-07-10 10:48 ` Nikolay Borisov
2019-07-10 11:00 ` WenRuo Qu
2019-07-10 8:02 ` [PATCH 3/5] btrfs: Detect unbalanced tree with empty leaf before crashing btree operations Qu Wenruo
2019-07-10 10:54 ` Nikolay Borisov
2019-07-10 8:02 ` [PATCH 4/5] btrfs: extent-tree: Kill the BUG_ON() in insert_inline_extent_backref() Qu Wenruo
2019-07-10 11:12 ` Nikolay Borisov
2019-07-10 8:02 ` [PATCH 5/5] btrfs: ctree: Checking key orders before merged tree blocks Qu Wenruo
2019-07-10 11:19 ` Nikolay Borisov
2019-07-10 12:02 ` Qu Wenruo
2019-07-10 12:12 ` Nikolay Borisov
2019-07-24 16:24 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0c6525ff-63f5-6342-4c6c-2e229d0e98b2@suse.com \
--to=nborisov@suse.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox