* [PATCH 1/2] erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails
From: Gao Xiang @ 2022-12-05 15:00 UTC (permalink / raw)
To: linux-erofs, Chao Yu; +Cc: LKML, Gao Xiang

Otherwise, meta buffers could be leaked.

Fixes: cec6e93beadf ("erofs: support parsing big pcluster compress indexes")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
fs/erofs/zmap.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 749a5ac943f4..98eff1259de4 100644
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -694,7 +694,7 @@ static int z_erofs_do_map_blocks(struct inode *inode,
map->m_pa = blknr_to_addr(m.pblk);
err = z_erofs_get_extent_compressedlen(&m, initial_lcn);
if (err)
- goto out;
+ goto unmap_out;
}
if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN) {
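Review bot: the commit message does not explain the `if (err)` path retargeted here. "Otherwise, meta buffers could be leaked" leaves the reader to work out from the second hunk that the old `out:` label sat below `erofs_unmap_metabuf(&m.map->buf)`, so a failure of z_erofs_get_extent_compressedlen() skipped the unmap. One sentence in the changelog naming the buffer and the skipped call would make the Fixes: reference easier to check when this is backported.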
@@ -718,14 +718,12 @@ static int z_erofs_do_map_blocks(struct inode *inode,
if (!err)
map->m_flags |= EROFS_MAP_FULL_MAPPED;
}
+
unmap_out:
erofs_unmap_metabuf(&m.map->buf);
-
-out:
erofs_dbg("%s, m_la %llu m_pa %llu m_llen %llu m_plen %llu m_flags 0%o",
__func__, map->m_la, map->m_pa,
map->m_llen, map->m_plen, map->m_flags);
-
return err;
}
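Review bot: the blank-line changes around `unmap_out:` and before `return err;` are cosmetic and unrelated to the leak. Since the patch carries a Fixes: tag, consider dropping them so this hunk only removes the `out:` label. With that label gone every early exit has to go through `unmap_out`; only one `goto out` is converted in this patch, so it is worth confirming that no other jump to `out` remains in z_erofs_do_map_blocks().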
--
2.24.4
* [PATCH 2/2] erofs: validate the extent length for uncompressed pclusters
From: Gao Xiang @ 2022-12-05 15:00 UTC (permalink / raw)
To: linux-erofs, Chao Yu; +Cc: LKML, Gao Xiang, syzbot+2ae90e873e97f1faf6f2

syzkaller reported a KASAN use-after-free:
https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2

The referenced fuzzed image actually has two issues:
- m_pa == 0 as a non-inlined pcluster;
- The logical length is longer than its physical length.

The first issue has already been addressed. This patch addresses
the second issue by checking the extent length validity.

Reported-by: syzbot+2ae90e873e97f1faf6f2@syzkaller.appspotmail.com
Fixes: 02827e1796b3 ("staging: erofs: add erofs_map_blocks_iter")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
fs/erofs/zmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
index 98eff1259de4..0150570c33aa 100644
--- a/fs/erofs/zmap.c
+++ b/fs/erofs/zmap.c
@@ -698,6 +698,11 @@ static int z_erofs_do_map_blocks(struct inode *inode,
}
if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN) {
+ if (map->m_llen > map->m_plen) {
+ DBG_BUGON(1);
+ err = -EFSCORRUPTED;
+ goto unmap_out;
+ }
if (vi->z_advise & Z_EROFS_ADVISE_INTERLACED_PCLUSTER)
map->m_algorithmformat =
Z_EROFS_COMPRESSION_INTERLACED;
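Review bot: the new `map->m_llen > map->m_plen` branch returns -EFSCORRUPTED without logging anything, so on a non-debug build a corrupted image fails with no indication of which extent was rejected. An erofs_err() line reporting m_la, m_llen and m_plen before `goto unmap_out` would help triage. Separately, the condition is reachable from on-disk data, as the fuzzed image in the changelog shows, so if DBG_BUGON() is fatal in debug builds the same image will still stop the kernel at `DBG_BUGON(1)` there; a comment saying that this is intended would help.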
--
2.24.4
* Re: [PATCH 1/2] erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails
From: Yue Hu @ 2022-12-06 6:22 UTC (permalink / raw)
To: Gao Xiang; +Cc: linux-erofs, Chao Yu, LKML, zhangwen

On Mon, 5 Dec 2022 23:00:49 +0800
Gao Xiang <hsiangkao@linux.alibaba.com> wrote:
> Otherwise, meta buffers could be leaked.
>
> Fixes: cec6e93beadf ("erofs: support parsing big pcluster compress indexes")
> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Reviewed-by: Yue Hu <huyue2@coolpad.com>

> ---
> fs/erofs/zmap.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c
> index 749a5ac943f4..98eff1259de4 100644
> --- a/fs/erofs/zmap.c
> +++ b/fs/erofs/zmap.c
> @@ -694,7 +694,7 @@ static int z_erofs_do_map_blocks(struct inode *inode,
> map->m_pa = blknr_to_addr(m.pblk);
> err = z_erofs_get_extent_compressedlen(&m, initial_lcn);
> if (err)
> - goto out;
> + goto unmap_out;
> }
>
> if (m.headtype == Z_EROFS_VLE_CLUSTER_TYPE_PLAIN) {
> @@ -718,14 +718,12 @@ static int z_erofs_do_map_blocks(struct inode *inode,
> if (!err)
> map->m_flags |= EROFS_MAP_FULL_MAPPED;
> }
> +
> unmap_out:
> erofs_unmap_metabuf(&m.map->buf);
> -
> -out:
> erofs_dbg("%s, m_la %llu m_pa %llu m_llen %llu m_plen %llu m_flags 0%o",
> __func__, map->m_la, map->m_pa,
> map->m_llen, map->m_plen, map->m_flags);
> -
> return err;
> }
>
* Re: [PATCH 1/2] erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails
From: Chao Yu @ 2022-12-06 15:07 UTC (permalink / raw)
To: Gao Xiang, linux-erofs; +Cc: LKML

On 2022/12/5 23:00, Gao Xiang wrote:
> Otherwise, meta buffers could be leaked.
>
> Fixes: cec6e93beadf ("erofs: support parsing big pcluster compress indexes")
> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,
* Re: [PATCH 2/2] erofs: validate the extent length for uncompressed pclusters
From: Chao Yu @ 2022-12-06 15:09 UTC (permalink / raw)
To: Gao Xiang, linux-erofs; +Cc: LKML, syzbot+2ae90e873e97f1faf6f2

On 2022/12/5 23:00, Gao Xiang wrote:
> syzkaller reported a KASAN use-after-free:
> https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2
>
> The referenced fuzzed image actually has two issues:
> - m_pa == 0 as a non-inlined pcluster;
> - The logical length is longer than its physical length.
>
> The first issue has already been addressed. This patch addresses
> the second issue by checking the extent length validity.
>
> Reported-by: syzbot+2ae90e873e97f1faf6f2@syzkaller.appspotmail.com
> Fixes: 02827e1796b3 ("staging: erofs: add erofs_map_blocks_iter")
> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,