From: Jens Axboe <axboe@kernel.dk>
To: Carlos Maiolino <cmaiolino@redhat.com>, linux-fsdevel@vger.kernel.org
Cc: linux-block@vger.kernel.org, tom.leiming@gmail.com
Subject: Re: [PATCH V2] fs: fix guard_bio_eod to check for real EOD errors
Date: Thu, 28 Feb 2019 14:00:17 -0700 [thread overview]
Message-ID: <961fc518-616e-f13d-2acf-c78807109a6e@kernel.dk> (raw)
In-Reply-To: <20190226105150.10717-1-cmaiolino@redhat.com>
On 2/26/19 3:51 AM, Carlos Maiolino wrote:
> guard_bio_eod() can truncate a segment in bio to allow it to do IO on
> odd last sectors of a device.
>
> It already checks if the IO starts past EOD, but it does not consider
> the possibility of an IO request starting within device boundaries can
> contain more than one segment past EOD.
>
> In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will
> underflow bvec->bv_len.
>
> Fix this by checking if truncated_bytes is lower than PAGE_SIZE.
>
> This situation has been found on filesystems such as isofs and vfat,
> which doesn't check the device size before mount, if the device is
> smaller than the filesystem itself, a readahead on such filesystem,
> which spans EOD, can trigger this situation, leading a call to
> zero_user() with a wrong size possibly corrupting memory.
>
> I didn't see any crash, or didn't let the system run long enough to
> check if memory corruption will be hit somewhere, but adding
> instrumentation to guard_bio_end() to check truncated_bytes size, was
> enough to see the error.
>
> The following script can trigger the error.
>
> MNT=/mnt
> IMG=./DISK.img
> DEV=/dev/loop0
>
> mkfs.vfat $IMG
> mount $IMG $MNT
> cp -R /etc $MNT &> /dev/null
> umount $MNT
>
> losetup -D
>
> losetup --find --show --sizelimit 16247280 $IMG
> mount $DEV $MNT
>
> find $MNT -type f -exec cat {} + >/dev/null
>
> Kudos to Eric Sandeen for coming up with the reproducer above
>
> Changelog:
>
> V2: Compare truncated_bytes agains bvec->bv_len instead of
> PAGE_SIZE
Applied - note I snipped your changelog, that should go below the ---
lines to not end up in the commit message.
--
Jens Axboe
next prev parent reply other threads:[~2019-02-28 21:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-26 10:51 [PATCH V2] fs: fix guard_bio_eod to check for real EOD errors Carlos Maiolino
2019-02-26 10:55 ` Ming Lei
2019-02-28 21:00 ` Jens Axboe [this message]
2019-03-01 10:07 ` Carlos Maiolino
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=961fc518-616e-f13d-2acf-c78807109a6e@kernel.dk \
--to=axboe@kernel.dk \
--cc=cmaiolino@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=tom.leiming@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).