From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Carlos Maiolino <cmaiolino@redhat.com>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 3.18 11/41] fs: fix guard_bio_eod to check for real EOD errors
Date: Wed, 27 Mar 2019 14:24:48 -0400 [thread overview]
Message-ID: <20190327182518.19394-11-sashal@kernel.org> (raw)
In-Reply-To: <20190327182518.19394-1-sashal@kernel.org>
From: Carlos Maiolino <cmaiolino@redhat.com>
[ Upstream commit dce30ca9e3b676fb288c33c1f4725a0621361185 ]
guard_bio_eod() can truncate a segment in bio to allow it to do IO on
odd last sectors of a device.
It already checks if the IO starts past EOD, but it does not consider
the possibility of an IO request starting within device boundaries can
contain more than one segment past EOD.
In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will
underflow bvec->bv_len.
Fix this by checking if truncated_bytes is lower than PAGE_SIZE.
This situation has been found on filesystems such as isofs and vfat,
which doesn't check the device size before mount, if the device is
smaller than the filesystem itself, a readahead on such filesystem,
which spans EOD, can trigger this situation, leading a call to
zero_user() with a wrong size possibly corrupting memory.
I didn't see any crash, or didn't let the system run long enough to
check if memory corruption will be hit somewhere, but adding
instrumentation to guard_bio_end() to check truncated_bytes size, was
enough to see the error.
The following script can trigger the error.
MNT=/mnt
IMG=./DISK.img
DEV=/dev/loop0
mkfs.vfat $IMG
mount $IMG $MNT
cp -R /etc $MNT &> /dev/null
umount $MNT
losetup -D
losetup --find --show --sizelimit 16247280 $IMG
mount $DEV $MNT
find $MNT -type f -exec cat {} + >/dev/null
Kudos to Eric Sandeen for coming up with the reproducer above
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/buffer.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/buffer.c b/fs/buffer.c
index 20805db2c987..47b42e8ddca2 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -2986,6 +2986,13 @@ void guard_bio_eod(int rw, struct bio *bio)
/* Uhhuh. We've got a bio that straddles the device size! */
truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9);
+ /*
+ * The bio contains more than one segment which spans EOD, just return
+ * and let IO layer turn it into an EIO
+ */
+ if (truncated_bytes > bvec->bv_len)
+ return;
+
/* Truncate the bio.. */
bio->bi_iter.bi_size -= truncated_bytes;
bvec->bv_len -= truncated_bytes;
--
2.19.1
next prev parent reply other threads:[~2019-03-27 18:25 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-27 18:24 [PATCH AUTOSEL 3.18 01/41] i2c: sis630: correct format strings Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 02/41] tracing: kdb: Fix ftdump to not sleep Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 03/41] sysctl: handle overflow for file-max Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 04/41] mm/cma.c: cma_declare_contiguous: correct err handling Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 05/41] mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 06/41] mm/slab.c: kmemleak no scan alien caches Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 07/41] ocfs2: fix a panic problem caused by o2cb_ctl Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 08/41] cifs: use correct format characters Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 09/41] dm thin: add sanity checks to thin-pool and external snapshot creation Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 10/41] cifs: Fix NULL pointer dereference of devname Sasha Levin
2019-03-27 18:24 ` Sasha Levin [this message]
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 12/41] tools lib traceevent: Fix buffer overflow in arg_eval Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 13/41] scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 14/41] ARM: 8840/1: use a raw_spinlock_t in unwind Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 15/41] mmc: omap: fix the maximum timeout setting Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 16/41] e1000e: Fix -Wformat-truncation warnings Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 17/41] IB/mlx4: Increase the timeout for CM cache Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 18/41] scsi: megaraid_sas: return error when create DMA pool failed Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 19/41] SoC: imx-sgtl5000: add missing put_device() Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 20/41] leds: lp55xx: fix null deref on firmware load failure Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 21/41] kprobes: Prohibit probing on bsearch() Sasha Levin
2019-03-27 18:24 ` [PATCH AUTOSEL 3.18 22/41] ARM: 8833/1: Ensure that NEON code always compiles with Clang Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 23/41] ALSA: PCM: check if ops are defined before suspending PCM Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 24/41] bcache: fix input overflow to cache set sysfs file io_error_halflife Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 25/41] bcache: fix input overflow to sequential_cutoff Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 26/41] bcache: improve sysfs_strtoul_clamp() Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 27/41] fbdev: fbmem: fix memory access if logo is bigger than the screen Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 28/41] cdrom: Fix race condition in cdrom_sysctl_register Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 29/41] e1000e: fix cyclic resets at link up with active tx Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 30/41] locking/lockdep: Add debug_locks check in __lock_downgrade() Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 31/41] tty: increase the default flip buffer limit to 2*640K Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 32/41] media: mt9m111: set initial frame size other than 0x0 Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 33/41] hwrng: virtio - Avoid repeated init of completion Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 34/41] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 35/41] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 36/41] dmaengine: imx-dma: fix warning comparison of distinct pointer types Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 37/41] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 38/41] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 39/41] x86/build: Mark per-CPU symbols as absolute explicitly for LLD Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 40/41] dmaengine: tegra: avoid overflow of byte tracking Sasha Levin
2019-03-27 18:25 ` [PATCH AUTOSEL 3.18 41/41] drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190327182518.19394-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=cmaiolino@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox