From: Qu Wenruo <quwenruo.btrfs@gmx.com>
To: Jeongjun Park <aha310510@gmail.com>,
clm@fb.com, dsterba@suse.com, josef@toxicpanda.com
Cc: syzbot+a0d1f7e26910be4dc171@syzkaller.appspotmail.com,
fdmanana@suse.com, linux-btrfs@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] btrfs: qgroup: fix slab-out-of-bounds in btrfs_qgroup_inherit
Date: Mon, 24 Jun 2024 15:10:41 +0930 [thread overview]
Message-ID: <c5646885-3368-4c49-9cbd-092d4b7b7551@gmx.com> (raw)
In-Reply-To: <a0840520-929a-4973-8ce9-91db07d6a9ec@gmx.com>
在 2024/6/24 14:40, Qu Wenruo 写道:
>
>
> 在 2024/6/24 12:37, Jeongjun Park 写道:
>> If a value exists in inherit->num_ref_copies or inherit->num_excl_copies,
>> an out-of-bounds vulnerability occurs.
>>
>
> Thanks for the fix.
>
> Although I'm still not 100% sure what's going wrong.
>
> The original report
> (https://lore.kernel.org/lkml/000000000000bc19ba061a67ca77@google.com/T/)
> is showing a backtrace when creating snapshot.
>
> In that case they should all go through __btrfs_ioctl_snap_create(), and
> since it has qgroup_inherit, it can only come from
> btrfs_ioctl_snap_create_v2().
>
> But in that function, we have just called btrfs_qgroup_check_inherit()
> function and it already has the check on num_ref_copies/num_excl_copies.
>
> So in that case it should not even happen.
>
> I think the root cause is why the existing btrfs_qgroup_check_inherit()
> doesn't catch the problem in the first place.
OK, the root cause is the qgroup enable/disable race and delayed
snapshot creation. So that we can have a btrfs_qgroup_inherit structure
passed in with qgroup disabled.
But at transaction commitment, the qgroup is enabled, so some unchecked
inherit structure is passed in.
In that case, the added check is not strong enough (lacks the structure
size and flags checks etc).
A better fix would be only let btrfs_qgroup_check_inherit() to skip the
source qgroup checks.
I'll send a fix using the findings above.
Thanks,
Qu
>
> Thanks,
> Qu
>
>> Therefore, you need to add code to check the presence or absence of
>> that value.
>>
>> Regards.
>> Jeongjun Park.
>>
>> Reported-by: syzbot+a0d1f7e26910be4dc171@syzkaller.appspotmail.com
>> Fixes: 3f5e2d3b3877 ("Btrfs: fix missing check in the
>> btrfs_qgroup_inherit()")
>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>> ---
>> fs/btrfs/qgroup.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/fs/btrfs/qgroup.c b /fs/btrfs/qgroup.c
>> index fc2a7ea26354..23beac746637 100644
>> --- a/fs/btrfs/qgroup.c
>> +++ b/fs/btrfs/qgroup.c
>> @@ -3270,6 +3270,10 @@ int btrfs_qgroup_inherit(struct
>> btrfs_trans_handle *trans, u64 srcid,
>> }
>>
>> if (inherit) {
>> + if (inherit->num_ref_copies > 0 || inherit->num_excl_copies >
>> 0) {
>> + ret = -EINVAL;
>> + goto out;
>> + }
>> i_qgroups = (u64 *)(inherit + 1);
>> nums = inherit->num_qgroups + 2 * inherit->num_ref_copies +
>> 2 * inherit->num_excl_copies;
>> --
>>
>
next prev parent reply other threads:[~2024-06-24 5:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-24 3:07 [PATCH] btrfs: qgroup: fix slab-out-of-bounds in btrfs_qgroup_inherit Jeongjun Park
2024-06-24 5:10 ` Qu Wenruo
2024-06-24 5:40 ` Qu Wenruo [this message]
[not found] ` <CAO9qdTEJaM=gEgQJLXuhKnh2jNA2KPyU9b4_kMWn6YNa3CU4SQ@mail.gmail.com>
2024-06-24 6:41 ` Qu Wenruo
2024-06-28 1:21 ` Jeongjun Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c5646885-3368-4c49-9cbd-092d4b7b7551@gmx.com \
--to=quwenruo.btrfs@gmx.com \
--cc=aha310510@gmail.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=fdmanana@suse.com \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+a0d1f7e26910be4dc171@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox