From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 778552153DE for ; Thu, 9 Jan 2025 09:02:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736413325; cv=none; b=eI38LwuInJO31IPi8fo35VY3gNRY+BOqm/dztZAoeb7GBbfCIpV9kHLMdVLNd/lnz9y34ZKriC74rBO0KGdkg2+BgoMeCd4WSofmblzjuTCXkJDqzJ9Se/ZqTXfXnuf8o6RZNz/3aPwzmS4aUIer2KZkhi5vNJLnXxgoB3QdrzI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736413325; c=relaxed/simple; bh=L7LvL2tSo6jWe5a0UOxf4F5AmXJpLLXOk6B1qOWWyVY=; h=Message-ID:Date:MIME-Version:Cc:Subject:To:References:From: In-Reply-To:Content-Type; b=qmSkUvacfj+JGxH0khbhtiEijFMwZsh7zpBb9wxItqoCp3ddW0GoRiO3GT/13KtAEb7z7IPweUCI2nzRhFyOTJ4/wFoUdv7Pur4yBla/NDRMnaDA8EILqAen2vEEK1vYuaT8ionpO8L9j3V8vUlPSzsw7E/Ryou89TtkJwnR0dg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Vb3ZyM16; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Vb3ZyM16" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 21DDEC4CED2; Thu, 9 Jan 2025 09:02:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1736413325; bh=L7LvL2tSo6jWe5a0UOxf4F5AmXJpLLXOk6B1qOWWyVY=; h=Date:Cc:Subject:To:References:From:In-Reply-To:From; b=Vb3ZyM16hycfV0urU8ENHsRKuBqVVEQb8QehUWL0Ew22d1lj7OmUJe4qPaj6RBWmA ziKFteqife6TYai2nC2QdM5yJL0EjQWkbzeHYOT6thHA9je9xQR9+qveSziX2Pf5Q9 kQ7t5zbSx7c5Fxrj/28XJahKBaF+puBO9EQdcvByxj9Ea/3N+qPtZ1iX/Wu8rRUy6t Gm0FkINMhxIBiGan5r0DCvuUlc2cxqTOCIUHxZxB2uvHJVh3LanDhFpfI9d7k+vZlE zS0KUNZukgesTZywYIJ9erXW0mXDNKV3V3sCb60eupO82sjPuR1bDGf1OWgSy2pCKC IF44RqPu5jGVQ== Message-ID: <08098e46-0468-4fec-b2fb-9ea7414eaea0@kernel.org> Date: Thu, 9 Jan 2025 17:02:02 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Cc: chao@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org Subject: Re: [PATCH] f2fs: Fix slab-out-of-bounds Read KASAN bug in f2fs_getxattr() To: qasdev , Jaegeuk Kim References: Content-Language: en-US From: Chao Yu In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 1/9/25 00:23, qasdev wrote: > On Wed, Jan 08, 2025 at 07:44:03PM +0800, Chao Yu wrote: >> Hi Qasim, >> >> On 2025/1/8 07:03, qasdev wrote: >>> In f2fs_getxattr(), the function lookup_all_xattrs() allocates a 12-byte >>> (base_size) buffer for an inline extended attribute. However, when >>> __find_inline_xattr() calls __find_xattr(), it uses the macro >>> "list_for_each_xattr(entry, addr)", which starts by calling >>> XATTR_FIRST_ENTRY(addr). This skips a 24-byte struct f2fs_xattr_header >>> at the beginning of the buffer, causing an immediate out-of-bounds read >>> in a 12-byte allocation. The subsequent !IS_XATTR_LAST_ENTRY(entry) >>> check then dereferences memory outside the allocated region, triggering >>> the slab-out-of bounds read. >>> >>> This patch prevents the out-of-bounds read by adding a check to bail >>> out early if inline_size is too small and does not account for the >>> header plus the 4-byte value that IS_XATTR_LAST_ENTRY reads. >> >> Thank you very much for analyzing this issue, the root cause you figured out >> makes sense to me. >> >> Can you please check the patch in below link? It seems it can fix this issue >> as well? IIUC. >> >> https://lore.kernel.org/linux-f2fs-devel/20241216134600.8308-1-chao@kernel.org/ >> >> Thanks, > > Hi Chao, > > I tested the patch you linked on my machine and with syzbot, and both tests succeeded. The patch you linked works very well. Hi Qasdev, Thanks for the test! > > Here is the link to the results of the testing of both patches: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf > > Would it be possible to include me in the Tested-by header and any other contribution acknowledgments you feel appropriate? > > Thanks! > > Best regards, > Qasim > >> >>> >>> Reported-by: syzbot >>> Closes: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf >>> Tested-by: syzbot >>> Tested-by: Qasim Ijaz IMO, it will be better to quoted your comment description and all above tags into the patch, what do you think? Thanks, >>> Fixes: 388a2a0640e1 ("f2fs: remove redundant sanity check in sanity_check_inode()") >>> Signed-off-by: Qasim Ijaz >>> --- >>> fs/f2fs/xattr.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c >>> index 3f3874943679..cf82646bca0e 100644 >>> --- a/fs/f2fs/xattr.c >>> +++ b/fs/f2fs/xattr.c >>> @@ -329,6 +329,9 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, >>> if (!xnid && !inline_size) >>> return -ENODATA; >>> + if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32)) >>> + return -ENODATA; >>> + >>> *base_size = XATTR_SIZE(inode) + XATTR_PADDING_SIZE; >>> txattr_addr = xattr_alloc(F2FS_I_SB(inode), *base_size, is_inline); >>> if (!txattr_addr) >>