From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,INCLUDES_PATCH,LOTS_OF_MONEY,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB63BC43381 for ; Wed, 27 Mar 2019 18:36:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 963FC20651 for ; Wed, 27 Mar 2019 18:36:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553711811; bh=wxPyO76AaXuqJQvbqI7B9hjQquspBJoZ66xioAmbQOs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=BwUPyNfRPTmOtgwlDlKqefrM8ETGU5Aoh/UklHCM928wp5yBOcerscFkFM5Mjn6jp pj4CCzhtGvzO0ZYfkT0DMS/l7TYJbTg08h9lsEAgbGPxhnrWL7kKqOBy4bxf7Mz7Ne nz/41MewTPMLLNzHaKWnLIkgrSEHfYABt1ip2cd8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391588AbfC0Sgp (ORCPT ); Wed, 27 Mar 2019 14:36:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:42660 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2403925AbfC0SXy (ORCPT ); Wed, 27 Mar 2019 14:23:54 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8B9A5217D9; Wed, 27 Mar 2019 18:23:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553711034; bh=wxPyO76AaXuqJQvbqI7B9hjQquspBJoZ66xioAmbQOs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UpHrR3Gdl/oSSGHHqHYpupXYc0otkVbEPtCZM4KshgV6YCHKZgiI6VlaUoU8F2k1T AdM2N/0zIkV86pzJxpofzFDUA/KlMBC84XU0+wzmTgqMPTs645jhIo6vkGQzA68NaT FttkEMT3Bh65D1YbdqHkd46pyCVkge+sKdpIjoso= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Carlos Maiolino , Jens Axboe , Sasha Levin , linux-fsdevel@vger.kernel.org Subject: [PATCH AUTOSEL 4.4 18/63] fs: fix guard_bio_eod to check for real EOD errors Date: Wed, 27 Mar 2019 14:22:38 -0400 Message-Id: <20190327182323.18577-18-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190327182323.18577-1-sashal@kernel.org> References: <20190327182323.18577-1-sashal@kernel.org> MIME-Version: 1.0 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Carlos Maiolino [ Upstream commit dce30ca9e3b676fb288c33c1f4725a0621361185 ] guard_bio_eod() can truncate a segment in bio to allow it to do IO on odd last sectors of a device. It already checks if the IO starts past EOD, but it does not consider the possibility of an IO request starting within device boundaries can contain more than one segment past EOD. In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will underflow bvec->bv_len. Fix this by checking if truncated_bytes is lower than PAGE_SIZE. This situation has been found on filesystems such as isofs and vfat, which doesn't check the device size before mount, if the device is smaller than the filesystem itself, a readahead on such filesystem, which spans EOD, can trigger this situation, leading a call to zero_user() with a wrong size possibly corrupting memory. I didn't see any crash, or didn't let the system run long enough to check if memory corruption will be hit somewhere, but adding instrumentation to guard_bio_end() to check truncated_bytes size, was enough to see the error. The following script can trigger the error. MNT=/mnt IMG=./DISK.img DEV=/dev/loop0 mkfs.vfat $IMG mount $IMG $MNT cp -R /etc $MNT &> /dev/null umount $MNT losetup -D losetup --find --show --sizelimit 16247280 $IMG mount $DEV $MNT find $MNT -type f -exec cat {} + >/dev/null Kudos to Eric Sandeen for coming up with the reproducer above Reviewed-by: Ming Lei Signed-off-by: Carlos Maiolino Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- fs/buffer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/buffer.c b/fs/buffer.c index 6f7d519a093b..f278e27bd8c0 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2985,6 +2985,13 @@ void guard_bio_eod(int rw, struct bio *bio) /* Uhhuh. We've got a bio that straddles the device size! */ truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); + /* + * The bio contains more than one segment which spans EOD, just return + * and let IO layer turn it into an EIO + */ + if (truncated_bytes > bvec->bv_len) + return; + /* Truncate the bio.. */ bio->bi_iter.bi_size -= truncated_bytes; bvec->bv_len -= truncated_bytes; -- 2.19.1