diff mbox series

btrfs: correctly validate compression type

Message ID 20190606080106.10640-1-jthumshirn@suse.de (mailing list archive)
State New, archived
Headers show
Series btrfs: correctly validate compression type | expand

Commit Message

Johannes Thumshirn June 6, 2019, 8:01 a.m. UTC 
Nikolay reported the following KASAN splat when running btrfs/048:

[ 1843.470920] ==================================================================
[ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
[ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979

[ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
[ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1843.476322] Call Trace:
[ 1843.476674]  dump_stack+0x7c/0xbb
[ 1843.477132]  ? strncmp+0x66/0xb0
[ 1843.477587]  print_address_description+0x114/0x320
[ 1843.478256]  ? strncmp+0x66/0xb0
[ 1843.478740]  ? strncmp+0x66/0xb0
[ 1843.479185]  __kasan_report+0x14e/0x192
[ 1843.479759]  ? strncmp+0x66/0xb0
[ 1843.480209]  kasan_report+0xe/0x20
[ 1843.480679]  strncmp+0x66/0xb0
[ 1843.481105]  prop_compression_validate+0x24/0x70
[ 1843.481798]  btrfs_xattr_handler_set_prop+0x65/0x160
[ 1843.482509]  __vfs_setxattr+0x71/0x90
[ 1843.483012]  __vfs_setxattr_noperm+0x84/0x130
[ 1843.483606]  vfs_setxattr+0xac/0xb0
[ 1843.484085]  setxattr+0x18c/0x230
[ 1843.484546]  ? vfs_setxattr+0xb0/0xb0
[ 1843.485048]  ? __mod_node_page_state+0x1f/0xa0
[ 1843.485672]  ? _raw_spin_unlock+0x24/0x40
[ 1843.486233]  ? __handle_mm_fault+0x988/0x1290
[ 1843.486823]  ? lock_acquire+0xb4/0x1e0
[ 1843.487330]  ? lock_acquire+0xb4/0x1e0
[ 1843.487842]  ? mnt_want_write_file+0x3c/0x80
[ 1843.488442]  ? debug_lockdep_rcu_enabled+0x22/0x40
[ 1843.489089]  ? rcu_sync_lockdep_assert+0xe/0x70
[ 1843.489707]  ? __sb_start_write+0x158/0x200
[ 1843.490278]  ? mnt_want_write_file+0x3c/0x80
[ 1843.490855]  ? __mnt_want_write+0x98/0xe0
[ 1843.491397]  __x64_sys_fsetxattr+0xba/0xe0
[ 1843.492201]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 1843.493201]  do_syscall_64+0x6c/0x230
[ 1843.493988]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1843.495041] RIP: 0033:0x7fa7a8a7707a
[ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
[ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
[ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
[ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
[ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
[ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
[ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff

[ 1843.505268] Allocated by task 3979:
[ 1843.505771]  save_stack+0x19/0x80
[ 1843.506211]  __kasan_kmalloc.constprop.5+0xa0/0xd0
[ 1843.506836]  setxattr+0xeb/0x230
[ 1843.507264]  __x64_sys_fsetxattr+0xba/0xe0
[ 1843.507886]  do_syscall_64+0x6c/0x230
[ 1843.508429]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[ 1843.509558] Freed by task 0:
[ 1843.510188] (stack is not available)

[ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
                which belongs to the cache kmalloc-8 of size 8
[ 1843.514095] The buggy address is located 2 bytes inside of
                8-byte region [ffff888111e369e0, ffff888111e369e8)
[ 1843.516524] The buggy address belongs to the page:
[ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
[ 1843.519993] flags: 0x4404000010200(slab|head)
[ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
[ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
[ 1843.524281] page dumped because: kasan: bad access detected

[ 1843.525936] Memory state around the buggy address:
[ 1843.526975]  ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.528479]  ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
[ 1843.531877]                                                        ^
[ 1843.533287]  ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.534874]  ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1843.536468] ==================================================================

This is caused by supplying a too short compression value ('lz') in the
test-case and comparing it to 'lzo' with strncmp() and a length of 3.
strncmp() read past the 'lz' when looking for the 'o' and thus caused an
out-of-bounds read.

Introduce a new check 'btrfs_compress_is_valid_type()' which not only
checks the user-supplied value against known compression types, but also
employs checks for too short values.

Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
Reported-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
---
 fs/btrfs/compression.c | 16 ++++++++++++++++
 fs/btrfs/compression.h |  1 +
 fs/btrfs/props.c       |  6 +-----
 3 files changed, 18 insertions(+), 5 deletions(-)

Comments

Nikolay Borisov June 6, 2019, 8:02 a.m. UTC | #1 
On 6.06.19 г. 11:01 ч., Johannes Thumshirn wrote:
> Nikolay reported the following KASAN splat when running btrfs/048:
> 
> [ 1843.470920] ==================================================================
> [ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
> [ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979
> 
> [ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
> [ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [ 1843.476322] Call Trace:
> [ 1843.476674]  dump_stack+0x7c/0xbb
> [ 1843.477132]  ? strncmp+0x66/0xb0
> [ 1843.477587]  print_address_description+0x114/0x320
> [ 1843.478256]  ? strncmp+0x66/0xb0
> [ 1843.478740]  ? strncmp+0x66/0xb0
> [ 1843.479185]  __kasan_report+0x14e/0x192
> [ 1843.479759]  ? strncmp+0x66/0xb0
> [ 1843.480209]  kasan_report+0xe/0x20
> [ 1843.480679]  strncmp+0x66/0xb0
> [ 1843.481105]  prop_compression_validate+0x24/0x70
> [ 1843.481798]  btrfs_xattr_handler_set_prop+0x65/0x160
> [ 1843.482509]  __vfs_setxattr+0x71/0x90
> [ 1843.483012]  __vfs_setxattr_noperm+0x84/0x130
> [ 1843.483606]  vfs_setxattr+0xac/0xb0
> [ 1843.484085]  setxattr+0x18c/0x230
> [ 1843.484546]  ? vfs_setxattr+0xb0/0xb0
> [ 1843.485048]  ? __mod_node_page_state+0x1f/0xa0
> [ 1843.485672]  ? _raw_spin_unlock+0x24/0x40
> [ 1843.486233]  ? __handle_mm_fault+0x988/0x1290
> [ 1843.486823]  ? lock_acquire+0xb4/0x1e0
> [ 1843.487330]  ? lock_acquire+0xb4/0x1e0
> [ 1843.487842]  ? mnt_want_write_file+0x3c/0x80
> [ 1843.488442]  ? debug_lockdep_rcu_enabled+0x22/0x40
> [ 1843.489089]  ? rcu_sync_lockdep_assert+0xe/0x70
> [ 1843.489707]  ? __sb_start_write+0x158/0x200
> [ 1843.490278]  ? mnt_want_write_file+0x3c/0x80
> [ 1843.490855]  ? __mnt_want_write+0x98/0xe0
> [ 1843.491397]  __x64_sys_fsetxattr+0xba/0xe0
> [ 1843.492201]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [ 1843.493201]  do_syscall_64+0x6c/0x230
> [ 1843.493988]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [ 1843.495041] RIP: 0033:0x7fa7a8a7707a
> [ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
> [ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
> [ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
> [ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
> [ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
> [ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
> [ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff
> 
> [ 1843.505268] Allocated by task 3979:
> [ 1843.505771]  save_stack+0x19/0x80
> [ 1843.506211]  __kasan_kmalloc.constprop.5+0xa0/0xd0
> [ 1843.506836]  setxattr+0xeb/0x230
> [ 1843.507264]  __x64_sys_fsetxattr+0xba/0xe0
> [ 1843.507886]  do_syscall_64+0x6c/0x230
> [ 1843.508429]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> [ 1843.509558] Freed by task 0:
> [ 1843.510188] (stack is not available)
> 
> [ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
>                 which belongs to the cache kmalloc-8 of size 8
> [ 1843.514095] The buggy address is located 2 bytes inside of
>                 8-byte region [ffff888111e369e0, ffff888111e369e8)
> [ 1843.516524] The buggy address belongs to the page:
> [ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
> [ 1843.519993] flags: 0x4404000010200(slab|head)
> [ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
> [ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
> [ 1843.524281] page dumped because: kasan: bad access detected
> 
> [ 1843.525936] Memory state around the buggy address:
> [ 1843.526975]  ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1843.528479]  ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
> [ 1843.531877]                                                        ^
> [ 1843.533287]  ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1843.534874]  ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 1843.536468] ==================================================================
> 
> This is caused by supplying a too short compression value ('lz') in the
> test-case and comparing it to 'lzo' with strncmp() and a length of 3.
> strncmp() read past the 'lz' when looking for the 'o' and thus caused an
> out-of-bounds read.
> 
> Introduce a new check 'btrfs_compress_is_valid_type()' which not only
> checks the user-supplied value against known compression types, but also
> employs checks for too short values.
> 
> Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
> Reported-by: Nikolay Borisov <nborisov@suse.com>
> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>

Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Tested-by: Nikolay Borisov <nborisov@suse.com>

> ---
>  fs/btrfs/compression.c | 16 ++++++++++++++++
>  fs/btrfs/compression.h |  1 +
>  fs/btrfs/props.c       |  6 +-----
>  3 files changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
> index 66e21a4e9ea2..d21ae92c172c 100644
> --- a/fs/btrfs/compression.c
> +++ b/fs/btrfs/compression.c
> @@ -43,6 +43,22 @@ const char* btrfs_compress_type2str(enum btrfs_compression_type type)
>  	return NULL;
>  }
>  
> +bool btrfs_compress_is_valid_type(const char *str, size_t len)
> +{
> +	int i;
> +
> +	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
> +		size_t comp_len = strlen(btrfs_compress_types[i]);
> +
> +		if (comp_len != len)
> +			continue;
> +
> +		if (!strncmp(btrfs_compress_types[i], str, comp_len))
> +			return true;
> +	}
> +	return false;
> +}
> +
>  static int btrfs_decompress_bio(struct compressed_bio *cb);
>  
>  static inline int compressed_bio_size(struct btrfs_fs_info *fs_info,
> diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
> index 191e5f4e3523..2035b8eb1290 100644
> --- a/fs/btrfs/compression.h
> +++ b/fs/btrfs/compression.h
> @@ -173,6 +173,7 @@ extern const struct btrfs_compress_op btrfs_lzo_compress;
>  extern const struct btrfs_compress_op btrfs_zstd_compress;
>  
>  const char* btrfs_compress_type2str(enum btrfs_compression_type type);
> +bool btrfs_compress_is_valid_type(const char *str, size_t len);
>  
>  int btrfs_compress_heuristic(struct inode *inode, u64 start, u64 end);
>  
> diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
> index a9e2e66152ee..af109c0ba720 100644
> --- a/fs/btrfs/props.c
> +++ b/fs/btrfs/props.c
> @@ -257,11 +257,7 @@ static int prop_compression_validate(const char *value, size_t len)
>  	if (!value)
>  		return 0;
>  
> -	if (!strncmp("lzo", value, 3))
> -		return 0;
> -	else if (!strncmp("zlib", value, 4))
> -		return 0;
> -	else if (!strncmp("zstd", value, 4))
> +	if (btrfs_compress_is_valid_type(value, len))
>  		return 0;
>  
>  	return -EINVAL;
>
Naohiro Aota June 6, 2019, 8:43 a.m. UTC | #2 
On 2019/06/06 17:01, Johannes Thumshirn wrote:
> Nikolay reported the following KASAN splat when running btrfs/048:
> 
(snip)
> 
> This is caused by supplying a too short compression value ('lz') in the
> test-case and comparing it to 'lzo' with strncmp() and a length of 3.
> strncmp() read past the 'lz' when looking for the 'o' and thus caused an
> out-of-bounds read.
> 
> Introduce a new check 'btrfs_compress_is_valid_type()' which not only
> checks the user-supplied value against known compression types, but also
> employs checks for too short values.
> 
> Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
> Reported-by: Nikolay Borisov <nborisov@suse.com>
> Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
> ---
>   fs/btrfs/compression.c | 16 ++++++++++++++++
>   fs/btrfs/compression.h |  1 +
>   fs/btrfs/props.c       |  6 +-----
>   3 files changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
> index 66e21a4e9ea2..d21ae92c172c 100644
> --- a/fs/btrfs/compression.c
> +++ b/fs/btrfs/compression.c
> @@ -43,6 +43,22 @@ const char* btrfs_compress_type2str(enum btrfs_compression_type type)
>   	return NULL;
>   }
>   
> +bool btrfs_compress_is_valid_type(const char *str, size_t len)
> +{
> +	int i;
> +
> +	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
> +		size_t comp_len = strlen(btrfs_compress_types[i]);
> +
> +		if (comp_len != len)

Should this be "if (comp_len > len)"?

a7164fa4e055 ("btrfs: prepare for extensions in compression options") 
allowed compression property to have compression options. If we have the 
options, we will have "len" larger than "comp_len".

> +			continue;
> +
> +		if (!strncmp(btrfs_compress_types[i], str, comp_len))
> +			return true;
> +	}
> +	return false;
> +}
> +
>   static int btrfs_decompress_bio(struct compressed_bio *cb);
>   
>   static inline int compressed_bio_size(struct btrfs_fs_info *fs_info,
> diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
> index 191e5f4e3523..2035b8eb1290 100644
> --- a/fs/btrfs/compression.h
> +++ b/fs/btrfs/compression.h
> @@ -173,6 +173,7 @@ extern const struct btrfs_compress_op btrfs_lzo_compress;
>   extern const struct btrfs_compress_op btrfs_zstd_compress;
>   
>   const char* btrfs_compress_type2str(enum btrfs_compression_type type);
> +bool btrfs_compress_is_valid_type(const char *str, size_t len);
>   
>   int btrfs_compress_heuristic(struct inode *inode, u64 start, u64 end);
>   
> diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
> index a9e2e66152ee..af109c0ba720 100644
> --- a/fs/btrfs/props.c
> +++ b/fs/btrfs/props.c
> @@ -257,11 +257,7 @@ static int prop_compression_validate(const char *value, size_t len)
>   	if (!value)
>   		return 0;
>   
> -	if (!strncmp("lzo", value, 3))
> -		return 0;
> -	else if (!strncmp("zlib", value, 4))
> -		return 0;
> -	else if (!strncmp("zstd", value, 4))
> +	if (btrfs_compress_is_valid_type(value, len))
>   		return 0;
>   
>   	return -EINVAL;
>
Johannes Thumshirn June 6, 2019, 8:54 a.m. UTC | #3 
On Thu, Jun 06, 2019 at 08:43:34AM +0000, Naohiro Aota wrote:
[...]
> > +bool btrfs_compress_is_valid_type(const char *str, size_t len)
> > +{
> > +	int i;
> > +
> > +	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
> > +		size_t comp_len = strlen(btrfs_compress_types[i]);
> > +
> > +		if (comp_len != len)
> 
> Should this be "if (comp_len > len)"?

I thought about this as well and essentiall it is 'comp_len > len' as the
strncmp() later compares up to comp_len anyways. But your're rigth it'll fail
on values like "zlib:9".

Thanks,
	Johannes
diff mbox series

Patch

diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
index 66e21a4e9ea2..d21ae92c172c 100644
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -43,6 +43,22 @@  const char* btrfs_compress_type2str(enum btrfs_compression_type type)
 	return NULL;
 }
 
+bool btrfs_compress_is_valid_type(const char *str, size_t len)
+{
+	int i;
+
+	for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
+		size_t comp_len = strlen(btrfs_compress_types[i]);
+
+		if (comp_len != len)
+			continue;
+
+		if (!strncmp(btrfs_compress_types[i], str, comp_len))
+			return true;
+	}
+	return false;
+}
+
 static int btrfs_decompress_bio(struct compressed_bio *cb);
 
 static inline int compressed_bio_size(struct btrfs_fs_info *fs_info,
diff --git a/fs/btrfs/compression.h b/fs/btrfs/compression.h
index 191e5f4e3523..2035b8eb1290 100644
--- a/fs/btrfs/compression.h
+++ b/fs/btrfs/compression.h
@@ -173,6 +173,7 @@  extern const struct btrfs_compress_op btrfs_lzo_compress;
 extern const struct btrfs_compress_op btrfs_zstd_compress;
 
 const char* btrfs_compress_type2str(enum btrfs_compression_type type);
+bool btrfs_compress_is_valid_type(const char *str, size_t len);
 
 int btrfs_compress_heuristic(struct inode *inode, u64 start, u64 end);
 
diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
index a9e2e66152ee..af109c0ba720 100644
--- a/fs/btrfs/props.c
+++ b/fs/btrfs/props.c
@@ -257,11 +257,7 @@  static int prop_compression_validate(const char *value, size_t len)
 	if (!value)
 		return 0;
 
-	if (!strncmp("lzo", value, 3))
-		return 0;
-	else if (!strncmp("zlib", value, 4))
-		return 0;
-	else if (!strncmp("zstd", value, 4))
+	if (btrfs_compress_is_valid_type(value, len))
 		return 0;
 
 	return -EINVAL;