From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+e864a35d361e1d4e29a5@syzkaller.appspotmail.com,
Johannes Thumshirn <johannes.thumshirn@wdc.com>,
David Sterba <dsterba@suse.com>
Subject: [PATCH 5.8 87/99] btrfs: fix overflow when copying corrupt csums for a message
Date: Tue, 29 Sep 2020 13:02:10 +0200
Message-ID: <20200929105934.019236407@linuxfoundation.org>
In-Reply-To: <20200929105929.719230296@linuxfoundation.org>
From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
commit 35be8851d172c6e3db836c0f28c19087b10c9e00 upstream.
Syzkaller reported a buffer overflow in btree_readpage_end_io_hook()
when loop mounting a crafted image:
detected buffer overflow in memcpy
------------[ cut here ]------------
kernel BUG at lib/string.c:1129!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 26 Comm: kworker/u4:2 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: btrfs-endio-meta btrfs_work_helper
RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557335f440d0 CR3: 000000009647d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
memcpy include/linux/string.h:405 [inline]
btree_readpage_end_io_hook.cold+0x206/0x221 fs/btrfs/disk-io.c:642
end_bio_extent_readpage+0x4de/0x10c0 fs/btrfs/extent_io.c:2854
bio_endio+0x3cf/0x7f0 block/bio.c:1449
end_workqueue_fn+0x114/0x170 fs/btrfs/disk-io.c:1695
btrfs_work_helper+0x221/0xe20 fs/btrfs/async-thread.c:318
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace b68924293169feef ]---
RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95b7c4d008 CR3: 000000009647d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
The overflow happens because in btree_readpage_end_io_hook() we assume
that we have found a 4 byte checksum instead of the real possible 32
bytes we have for the checksums.
With the fix applied:
[ 35.726623] BTRFS: device fsid 815caf9a-dc43-4d2a-ac54-764b8333d765 devid 1 transid 5 /dev/loop0 scanned by syz-repro (215)
[ 35.738994] BTRFS info (device loop0): disk space caching is enabled
[ 35.738998] BTRFS info (device loop0): has skinny extents
[ 35.743337] BTRFS warning (device loop0): loop0 checksum verify failed on 1052672 wanted 0xf9c035fc8d239a54 found 0x67a25c14b7eabcf9 level 0
[ 35.743420] BTRFS error (device loop0): failed to read chunk root
[ 35.745899] BTRFS error (device loop0): open_ctree failed
Reported-by: syzbot+e864a35d361e1d4e29a5@syzkaller.appspotmail.com
Fixes: d5178578bcd4 ("btrfs: directly call into crypto framework for checksumming")
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -636,16 +636,15 @@ static int btree_readpage_end_io_hook(st
csum_tree_block(eb, result);
if (memcmp_extent_buffer(eb, result, 0, csum_size)) {
- u32 val;
- u32 found = 0;
-
- memcpy(&found, result, csum_size);
+ u8 val[BTRFS_CSUM_SIZE] = { 0 };
read_extent_buffer(eb, &val, 0, csum_size);
btrfs_warn_rl(fs_info,
- "%s checksum verify failed on %llu wanted %x found %x level %d",
+ "%s checksum verify failed on %llu wanted " CSUM_FMT " found " CSUM_FMT " level %d",
fs_info->sb->s_id, eb->start,
- val, found, btrfs_header_level(eb));
+ CSUM_FMT_VALUE(csum_size, val),
+ CSUM_FMT_VALUE(csum_size, result),
+ btrfs_header_level(eb));
ret = -EUCLEAN;
goto err;
}
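Review bot: `read_extent_buffer(eb, &val, 0, csum_size);` now passes the address of an array rather than the array itself; the pointer value is the same, but `val` (or `&val[0]`) reads as intended and avoids a pointer-type mismatch if the callee's parameter is ever typed more strictly. The rest of the hunk is the fix proper: `found` goes away because `result` already holds the csum_size computed bytes, and `val` becomes a BTRFS_CSUM_SIZE byte array, so no csum_size-byte copy lands in a 4-byte integer. CSUM_FMT and CSUM_FMT_VALUE are used but not defined in this hunk, so the backport relies on them already existing in the 5.8 tree; worth confirming before applying to stable.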
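As an added example (not code from the patch or the btrfs tree), a user-space C model of the fixed path: the stored checksum is read into a buffer sized for the largest supported checksum, csum_size is bounds-checked instead of trusted, and both values are rendered byte-wise for the warning. BTRFS_CSUM_SIZE, the sample checksums, last_warning and the helper names are assumptions; format_csum() stands in for the kernel's CSUM_FMT/CSUM_FMT_VALUE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BTRFS_CSUM_SIZE 32  /* assumed: largest checksum btrfs stores on disk */
/* Constructed sample checksums, not taken from a real image. */
static const uint8_t SAMPLE_CRC32C[4] = { 0xf9, 0xc0, 0x35, 0xfc };
static const uint8_t SAMPLE_SHA256[32] = {
    0x67, 0xa2, 0x5c, 0x14, 0xb7, 0xea, 0xbc, 0xf9, 0x00, 0x11, 0x22,
    0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd,
    0xee, 0xff, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
/* Last warning text built by verify_csum(); stands in for btrfs_warn_rl(). */
static char last_warning[192];

/* Render csum_size bytes as "0x<hex>" into out (needs 2*csum_size+3 bytes),
 * the job CSUM_FMT/CSUM_FMT_VALUE do in the fixed warning. -1 on bad sizes. */
static int format_csum(char *out, size_t out_len, const uint8_t *csum,
                       size_t csum_size)
{
    if (csum_size > BTRFS_CSUM_SIZE || out_len < 2 * csum_size + 3)
        return -1;
    out[0] = '0'; out[1] = 'x';
    for (size_t i = 0; i < csum_size; i++)
        snprintf(out + 2 + 2 * i, 3, "%02x", csum[i]);
    return 0;
}

/* Compare the computed checksum (wanted) with the csum_size bytes stored in
 * the block (found). Stored bytes land in a buffer sized for the largest
 * checksum, like the fix's 'u8 val[BTRFS_CSUM_SIZE]'; a csum_size the buffer
 * cannot hold is refused (-1). Returns 1 on match, 0 on mismatch (warning set). */
static int verify_csum(const uint8_t *wanted, const uint8_t *found,
                       size_t csum_size)
{
    uint8_t val[BTRFS_CSUM_SIZE] = { 0 };
    char wh[2 * BTRFS_CSUM_SIZE + 3], fh[2 * BTRFS_CSUM_SIZE + 3];
    if (csum_size == 0 || csum_size > BTRFS_CSUM_SIZE)
        return -1;
    memcpy(val, found, csum_size);            /* read_extent_buffer() stand-in */
    if (memcmp(wanted, val, csum_size) == 0)
        return 1;
    format_csum(wh, sizeof wh, wanted, csum_size);
    format_csum(fh, sizeof fh, val, csum_size);
    snprintf(last_warning, sizeof last_warning,
             "checksum verify failed wanted %s found %s", wh, fh);
    return 0;
}

int main(void)
{
    printf("crc32c: %s\n", verify_csum(SAMPLE_CRC32C, SAMPLE_SHA256, 4) == 1 ? "ok" : last_warning);
    printf("sha256 self-check: %d\n", verify_csum(SAMPLE_SHA256, SAMPLE_SHA256, 32));
    return 0;
}
```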