| Message ID | 20170809163114.19539-1-bo.li.liu@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote: > There is a cornel case that slip through the checkers in functions > reading extent buffer, ie. > > if (start < eb->len) and (start + len > eb->len), > then > > a) map_private_extent_buffer() returns immediately because > it's thinking the range spans across two pages, > > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len) > and WARN_ON(start + len > eb->start + eb->len), both are OK in this > corner case, but it'd actually try to access the eb->pages out of > bounds because of (start + len > eb->len). > > The case is found by switching extent inline ref type from shared data > ref to non-shared data ref, which is a kind of metadata corruption. > > It'd use the wrong helper to access the eb, > eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing > here is "struct btrfs_shared_data_ref". And if the extent item > happens to be the first item in the eb, then offset/length will get > over eb->len which ends up an invalid memory access. > > This is adding proper checks in order to avoid invalid memory access, > ie. 'general protection fault', before it's too late. > > Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Reviewed-by: Filipe Manana <fdmanana@suse.com> > --- > > v2: Improve the commit log to clarify that this can only happen if > metadata is corrupted. Thanks for adding the clarification! > > fs/btrfs/extent_io.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c > index 0aff9b2..d198e87 100644 > --- a/fs/btrfs/extent_io.c > +++ b/fs/btrfs/extent_io.c > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv, > char *dst = (char *)dstv; > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1); > unsigned long i = (start_offset + start) >> PAGE_SHIFT; > + unsigned long num_pages = num_extent_pages(eb->start, eb->len); > > - WARN_ON(start > eb->len); > - WARN_ON(start + len > eb->start + eb->len); > + if (start + len > eb->len) { > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > + eb->start, eb->len, start, len); > + memset(dst, 0, len); > + return; > + } > > offset = (start_offset + start) & (PAGE_SIZE - 1); > > while (len > 0) { > + ASSERT(i < num_pages); > page = eb->pages[i]; > > cur = min(len, (PAGE_SIZE - offset)); > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > unsigned long end_i = (start_offset + start + min_len - 1) >> > PAGE_SHIFT; > > + if (start + min_len > eb->len) { > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > + eb->start, eb->len, start, min_len); > + return -EINVAL; > + } > + > if (i != end_i) > return 1; > > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > *map_start = ((u64)i << PAGE_SHIFT) - start_offset; > } > > - if (start + min_len > eb->len) { > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > - eb->start, eb->len, start, min_len); > - return -EINVAL; > - } > - > p = eb->pages[i]; > kaddr = page_address(p); > *map = kaddr + offset; > -- > 2.9.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote: > There is a cornel case that slip through the checkers in functions > reading extent buffer, ie. > > if (start < eb->len) and (start + len > eb->len), > then > > a) map_private_extent_buffer() returns immediately because > it's thinking the range spans across two pages, > > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len) > and WARN_ON(start + len > eb->start + eb->len), both are OK in this > corner case, but it'd actually try to access the eb->pages out of > bounds because of (start + len > eb->len). > > The case is found by switching extent inline ref type from shared data > ref to non-shared data ref, which is a kind of metadata corruption. > > It'd use the wrong helper to access the eb, > eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing > here is "struct btrfs_shared_data_ref". And if the extent item > happens to be the first item in the eb, then offset/length will get > over eb->len which ends up an invalid memory access. > > This is adding proper checks in order to avoid invalid memory access, > ie. 'general protection fault', before it's too late. > > Signed-off-by: Liu Bo <bo.li.liu@oracle.com> > --- > > v2: Improve the commit log to clarify that this can only happen if > metadata is corrupted. > > fs/btrfs/extent_io.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c > index 0aff9b2..d198e87 100644 > --- a/fs/btrfs/extent_io.c > +++ b/fs/btrfs/extent_io.c > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv, > char *dst = (char *)dstv; > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1); > unsigned long i = (start_offset + start) >> PAGE_SHIFT; > + unsigned long num_pages = num_extent_pages(eb->start, eb->len); Forgot to note that if CONFIG_BTRFS_ASSERT is not set, this variable is unused and the compiler and static checkers will emit a warning. Other than that all looks fine. Thanks. > > - WARN_ON(start > eb->len); > - WARN_ON(start + len > eb->start + eb->len); > + if (start + len > eb->len) { > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > + eb->start, eb->len, start, len); > + memset(dst, 0, len); > + return; > + } > > offset = (start_offset + start) & (PAGE_SIZE - 1); > > while (len > 0) { > + ASSERT(i < num_pages); > page = eb->pages[i]; > > cur = min(len, (PAGE_SIZE - offset)); > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > unsigned long end_i = (start_offset + start + min_len - 1) >> > PAGE_SHIFT; > > + if (start + min_len > eb->len) { > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > + eb->start, eb->len, start, min_len); > + return -EINVAL; > + } > + > if (i != end_i) > return 1; > > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > *map_start = ((u64)i << PAGE_SHIFT) - start_offset; > } > > - if (start + min_len > eb->len) { > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > - eb->start, eb->len, start, min_len); > - return -EINVAL; > - } > - > p = eb->pages[i]; > kaddr = page_address(p); > *map = kaddr + offset; > -- > 2.9.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Aug 09, 2017 at 06:40:04PM +0100, Filipe Manana wrote: > On Wed, Aug 9, 2017 at 5:31 PM, Liu Bo <bo.li.liu@oracle.com> wrote: > > There is a cornel case that slip through the checkers in functions > > reading extent buffer, ie. > > > > if (start < eb->len) and (start + len > eb->len), > > then > > > > a) map_private_extent_buffer() returns immediately because > > it's thinking the range spans across two pages, > > > > b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len) > > and WARN_ON(start + len > eb->start + eb->len), both are OK in this > > corner case, but it'd actually try to access the eb->pages out of > > bounds because of (start + len > eb->len). > > > > The case is found by switching extent inline ref type from shared data > > ref to non-shared data ref, which is a kind of metadata corruption. > > > > It'd use the wrong helper to access the eb, > > eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing > > here is "struct btrfs_shared_data_ref". And if the extent item > > happens to be the first item in the eb, then offset/length will get > > over eb->len which ends up an invalid memory access. > > > > This is adding proper checks in order to avoid invalid memory access, > > ie. 'general protection fault', before it's too late. > > > > Signed-off-by: Liu Bo <bo.li.liu@oracle.com> > > --- > > > > v2: Improve the commit log to clarify that this can only happen if > > metadata is corrupted. > > > > fs/btrfs/extent_io.c | 22 ++++++++++++++-------- > > 1 file changed, 14 insertions(+), 8 deletions(-) > > > > diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c > > index 0aff9b2..d198e87 100644 > > --- a/fs/btrfs/extent_io.c > > +++ b/fs/btrfs/extent_io.c > > @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv, > > char *dst = (char *)dstv; > > size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1); > > unsigned long i = (start_offset + start) >> PAGE_SHIFT; > > + unsigned long num_pages = num_extent_pages(eb->start, eb->len); > > Forgot to note that if CONFIG_BTRFS_ASSERT is not set, this variable > is unused and the compiler and static checkers will emit a warning. > Other than that all looks fine. Thanks. > True, then lets remove it, I don't think we could reach that ASSERT if (start + len > eb->len). thanks, -liubo > > > > - WARN_ON(start > eb->len); > > - WARN_ON(start + len > eb->start + eb->len); > > + if (start + len > eb->len) { > > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > > + eb->start, eb->len, start, len); > > + memset(dst, 0, len); > > + return; > > + } > > > > offset = (start_offset + start) & (PAGE_SIZE - 1); > > > > while (len > 0) { > > + ASSERT(i < num_pages); > > page = eb->pages[i]; > > > > cur = min(len, (PAGE_SIZE - offset)); > > @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > > unsigned long end_i = (start_offset + start + min_len - 1) >> > > PAGE_SHIFT; > > > > + if (start + min_len > eb->len) { > > + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > > + eb->start, eb->len, start, min_len); > > + return -EINVAL; > > + } > > + > > if (i != end_i) > > return 1; > > > > @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, > > *map_start = ((u64)i << PAGE_SHIFT) - start_offset; > > } > > > > - if (start + min_len > eb->len) { > > - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", > > - eb->start, eb->len, start, min_len); > > - return -EINVAL; > > - } > > - > > p = eb->pages[i]; > > kaddr = page_address(p); > > *map = kaddr + offset; > > -- > > 2.9.4 > > > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > > -- > Filipe David Manana, > > “Whether you think you can, or you think you can't — you're right.” > -- > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0aff9b2..d198e87 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -5416,13 +5416,19 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv, char *dst = (char *)dstv; size_t start_offset = eb->start & ((u64)PAGE_SIZE - 1); unsigned long i = (start_offset + start) >> PAGE_SHIFT; + unsigned long num_pages = num_extent_pages(eb->start, eb->len); - WARN_ON(start > eb->len); - WARN_ON(start + len > eb->start + eb->len); + if (start + len > eb->len) { + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", + eb->start, eb->len, start, len); + memset(dst, 0, len); + return; + } offset = (start_offset + start) & (PAGE_SIZE - 1); while (len > 0) { + ASSERT(i < num_pages); page = eb->pages[i]; cur = min(len, (PAGE_SIZE - offset)); @@ -5491,6 +5497,12 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, unsigned long end_i = (start_offset + start + min_len - 1) >> PAGE_SHIFT; + if (start + min_len > eb->len) { + WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", + eb->start, eb->len, start, min_len); + return -EINVAL; + } + if (i != end_i) return 1; @@ -5502,12 +5514,6 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start, *map_start = ((u64)i << PAGE_SHIFT) - start_offset; } - if (start + min_len > eb->len) { - WARN(1, KERN_ERR "btrfs bad mapping eb start %llu len %lu, wanted %lu %lu\n", - eb->start, eb->len, start, min_len); - return -EINVAL; - } - p = eb->pages[i]; kaddr = page_address(p); *map = kaddr + offset;
There is a cornel case that slip through the checkers in functions reading extent buffer, ie. if (start < eb->len) and (start + len > eb->len), then a) map_private_extent_buffer() returns immediately because it's thinking the range spans across two pages, b) and the checkers in read_extent_buffer(), WARN_ON(start > eb->len) and WARN_ON(start + len > eb->start + eb->len), both are OK in this corner case, but it'd actually try to access the eb->pages out of bounds because of (start + len > eb->len). The case is found by switching extent inline ref type from shared data ref to non-shared data ref, which is a kind of metadata corruption. It'd use the wrong helper to access the eb, eg. btrfs_extent_data_ref_root(eb, ref) is used but the %ref passing here is "struct btrfs_shared_data_ref". And if the extent item happens to be the first item in the eb, then offset/length will get over eb->len which ends up an invalid memory access. This is adding proper checks in order to avoid invalid memory access, ie. 'general protection fault', before it's too late. Signed-off-by: Liu Bo <bo.li.liu@oracle.com> --- v2: Improve the commit log to clarify that this can only happen if metadata is corrupted. fs/btrfs/extent_io.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-)