Date: Wed, 8 Jan 2025 16:23:01 +0000
From: qasdev
To: Chao Yu , Jaegeuk Kim
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] f2fs: Fix slab-out-of-bounds Read KASAN bug in f2fs_getxattr()
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 08, 2025 at 07:44:03PM +0800, Chao Yu wrote:
> Hi Qasim,
>
> On 2025/1/8 07:03, qasdev wrote:
> > In f2fs_getxattr(), the function lookup_all_xattrs() allocates a 12-byte
> > (base_size) buffer for an inline extended attribute. However, when
> > __find_inline_xattr() calls __find_xattr(), it uses the macro
> > "list_for_each_xattr(entry, addr)", which starts by calling
> > XATTR_FIRST_ENTRY(addr). This skips a 24-byte struct f2fs_xattr_header
> > at the beginning of the buffer, causing an immediate out-of-bounds read
> > in a 12-byte allocation. The subsequent !IS_XATTR_LAST_ENTRY(entry)
> > check then dereferences memory outside the allocated region, triggering
> > the slab-out-of-bounds read.
> >
> > This patch prevents the out-of-bounds read by adding a check to bail
> > out early if inline_size is too small and does not account for the
> > header plus the 4-byte value that IS_XATTR_LAST_ENTRY reads.
>
> Thank you very much for analyzing this issue, the root cause you figured out
> makes sense to me.
>
> Can you please check the patch in the link below? It seems it can fix this issue
> as well? IIUC.
>
> https://lore.kernel.org/linux-f2fs-devel/20241216134600.8308-1-chao@kernel.org/
>
> Thanks,

Hi Chao,

I tested the patch you linked on my machine and with syzbot, and both tests
succeeded. The patch you linked works very well.
Here is the link to the results of the testing of both patches:
https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf

Would it be possible to include me in the Tested-by header and any other
contribution acknowledgments you feel appropriate?

Thanks!

Best regards,
Qasim

>
> >
> > Reported-by: syzbot
> > Closes: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
> > Tested-by: syzbot
> > Tested-by: Qasim Ijaz
> > Fixes: 388a2a0640e1 ("f2fs: remove redundant sanity check in sanity_check_inode()")
> > Signed-off-by: Qasim Ijaz
> > ---
> >  fs/f2fs/xattr.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c > > index 3f3874943679..cf82646bca0e 100644 > > --- a/fs/f2fs/xattr.c > > +++ b/fs/f2fs/xattr.c > > @@ -329,6 +329,9 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, > > if (!xnid && !inline_size) > > return -ENODATA; > > + if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32)) > > + return -ENODATA; > > + > > *base_size = XATTR_SIZE(inode) + XATTR_PADDING_SIZE; > > txattr_addr = xattr_alloc(F2FS_I_SB(inode), *base_size, is_inline); > > if (!txattr_addr) >
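Review bot: the added guard in the lookup_all_xattrs() hunk fires for every inode whose inline_size is 0, yet the unchanged line just above it (`if (!xnid && !inline_size)`) shows that inline_size is legitimately 0 when the attributes live in a separate xattr node (xnid set); with this change such an inode returns -ENODATA before the node block is ever read, so all non-inline xattr lookups fail. Restrict the check to the inline case, e.g. `if (inline_size && inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32))`. Separately, an inline area too small to hold even the header is on-disk corruption rather than "no data", so a corruption error (-EFSCORRUPTED) would describe the condition better than -ENODATA; Chao's reply above also points at an alternative fix that should be compared against this hunk before either is merged.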
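As an added illustration (not code from this thread or from the kernel), the walk the report describes, modelled in user space: the structs mirror the 24-byte header and 4-byte entry head of fs/f2fs/xattr.h, and the hypothetical find_xattr_checked() applies the guard the patch adds plus a per-entry bounds check, so a 12-byte buffer like the one in the report is rejected instead of being read past its end. build_sample() and sample_lookup() are constructed helpers that exist only for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout modelled on fs/f2fs/xattr.h: 24-byte header, 4-byte entry head. */
struct xattr_header { uint32_t h_magic, h_refcount, h_reserved[4]; };
struct xattr_entry  { uint8_t e_name_index, e_name_len; uint16_t e_value_size; };

#define XATTR_ALIGN(s) (((s) + 3) & ~(size_t)3)
#define ENTRY_SIZE(e)  XATTR_ALIGN(sizeof(struct xattr_entry) + (e)->e_name_len + (e)->e_value_size)

/* Hypothetical bounds-checked lookup (not the kernel's __find_xattr()).
 * Returns the byte offset of the matching entry, -1 if the list ends without
 * a match, -2 if the buffer is too small or an entry would run past its end. */
long find_xattr_checked(const uint8_t *buf, size_t buf_len, uint8_t index, const char *name)
{
    size_t off = sizeof(struct xattr_header), nlen = strlen(name);

    /* The guard the patch adds: header plus the 4-byte terminator word that
     * IS_XATTR_LAST_ENTRY() reads must fit in the allocation (12 < 28 fails). */
    if (buf_len < sizeof(struct xattr_header) + sizeof(uint32_t))
        return -2;
    for (;;) {
        struct xattr_entry e;
        uint32_t head;

        if (off + sizeof head > buf_len)        /* next head word out of bounds */
            return -2;
        memcpy(&head, buf + off, sizeof head);
        if (head == 0)                          /* IS_XATTR_LAST_ENTRY */
            return -1;
        memcpy(&e, buf + off, sizeof e);
        if (off + ENTRY_SIZE(&e) > buf_len)     /* name/value would run past the buffer */
            return -2;
        if (e.e_name_index == index && e.e_name_len == nlen &&
            memcmp(buf + off + sizeof e, name, nlen) == 0)
            return (long)off;
        off += ENTRY_SIZE(&e);
    }
}

/* Constructed sample block: header, one entry (index 1, name "k", value "v"),
 * then the 4-byte zero terminator; 24 + 8 + 4 = 36 bytes in total. */
size_t build_sample(uint8_t *buf)
{
    struct xattr_entry e = { 1, 1, 1 };
    memset(buf, 0, 36);
    memcpy(buf + 24, &e, sizeof e);   /* entry head at XATTR_FIRST_ENTRY */
    buf[28] = 'k'; buf[29] = 'v';     /* name then value, padded to 32 */
    return 36;
}

/* Runs the checked lookup on the sample, pretending only buf_len bytes were allocated. */
long sample_lookup(size_t buf_len, uint8_t index, const char *name)
{
    uint8_t buf[36];
    build_sample(buf);
    return find_xattr_checked(buf, buf_len, index, name);
}
```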