diff mbox

[v3,01/26] block: Fix a buffer overrun in bio_integrity_split()

Message ID 20121001214241.GE26488@google.com (mailing list archive)
State Deferred, archived
Headers show

Commit Message

Kent Overstreet Oct. 1, 2012, 9:42 p.m. UTC 
On Mon, Oct 01, 2012 at 05:23:36PM -0400, Vivek Goyal wrote:
> On Mon, Sep 24, 2012 at 03:34:41PM -0700, Kent Overstreet wrote:
> > bio_integrity_split() seemed to be confusing pointers and arrays -
> > bip_vec in bio_integrity_payload is an array appended to the end of the
> > payload, so the bio_vecs in struct bio_pair need to come immediately
> > after the bio_integrity_payload they're for, and there was an assignment
> > in bio_integrity_split() that didn't make any sense.
> > 
> > Signed-off-by: Kent Overstreet <koverstreet@google.com>
> > CC: Jens Axboe <axboe@kernel.dk>
> > CC: Martin K. Petersen <martin.petersen@oracle.com>
> > ---
> >  fs/bio-integrity.c  | 3 ---
> >  include/linux/bio.h | 6 ++++--
> >  2 files changed, 4 insertions(+), 5 deletions(-)
> > 
> > diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> > index a3f28f3..c7b6b52 100644
> > --- a/fs/bio-integrity.c
> > +++ b/fs/bio-integrity.c
> > @@ -697,9 +697,6 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
> >  	bp->iv1 = bip->bip_vec[0];
> >  	bp->iv2 = bip->bip_vec[0];
> >  
> > -	bp->bip1.bip_vec[0] = bp->iv1;
> > -	bp->bip2.bip_vec[0] = bp->iv2;
> > -
> >  	bp->iv1.bv_len = sectors * bi->tuple_size;
> >  	bp->iv2.bv_offset += sectors * bi->tuple_size;
> >  	bp->iv2.bv_len -= sectors * bi->tuple_size;
> > diff --git a/include/linux/bio.h b/include/linux/bio.h
> > index b31036f..8e2d108 100644
> > --- a/include/linux/bio.h
> > +++ b/include/linux/bio.h
> > @@ -200,8 +200,10 @@ struct bio_pair {
> >  	struct bio			bio1, bio2;
> >  	struct bio_vec			bv1, bv2;
> >  #if defined(CONFIG_BLK_DEV_INTEGRITY)
> > -	struct bio_integrity_payload	bip1, bip2;
> > -	struct bio_vec			iv1, iv2;
> > +	struct bio_integrity_payload	bip1;
> > +	struct bio_vec			iv1;
> > +	struct bio_integrity_payload	bip2;
> > +	struct bio_vec			iv2;
> >  #endif
> 
> I think it probably is a good idea to put a comment here so that we
> know that certain elements of structure assume ordering.
> 
> Also I am wondering that what's the gurantee that there are no padding
> bytes between bipi1 and iv1 (or bip2 or iv2). I think if there are padding
> bytes then the assumption that bio_vec is always following bip will be
> broken?

Here's the new patch:


commit e270c9ca843b5c86d59431b0d7a676b7846946d6
Author: Kent Overstreet <koverstreet@google.com>
Date:   Mon Oct 1 14:41:08 2012 -0700

    block: Fix a buffer overrun in bio_integrity_split()
    
    bio_integrity_split() seemed to be confusing pointers and arrays -
    bip_vec in bio_integrity_payload is an array appended to the end of the
    payload, so the bio_vecs in struct bio_pair need to come immediately
    after the bio_integrity_payload they're for, and there was an assignment
    in bio_integrity_split() that didn't make any sense.
    
    Also, changed bio_integrity_split() to not refer to the bvecs embedded
    in struct bio_pair, in case there's padding between them and
    bip->bip_vec.
    
    Signed-off-by: Kent Overstreet <koverstreet@google.com>
    CC: Jens Axboe <axboe@kernel.dk>
    CC: Martin K. Petersen <martin.petersen@oracle.com>


--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

Comments

Vivek Goyal Oct. 2, 2012, 2:08 p.m. UTC | #1 
On Mon, Oct 01, 2012 at 02:42:41PM -0700, Kent Overstreet wrote:

[..]
> Here's the new patch:
> 
> 
> commit e270c9ca843b5c86d59431b0d7a676b7846946d6
> Author: Kent Overstreet <koverstreet@google.com>
> Date:   Mon Oct 1 14:41:08 2012 -0700
> 
>     block: Fix a buffer overrun in bio_integrity_split()
>     
>     bio_integrity_split() seemed to be confusing pointers and arrays -
>     bip_vec in bio_integrity_payload is an array appended to the end of the
>     payload, so the bio_vecs in struct bio_pair need to come immediately
>     after the bio_integrity_payload they're for, and there was an assignment
>     in bio_integrity_split() that didn't make any sense.
>     
>     Also, changed bio_integrity_split() to not refer to the bvecs embedded
>     in struct bio_pair, in case there's padding between them and
>     bip->bip_vec.
>     
>     Signed-off-by: Kent Overstreet <koverstreet@google.com>
>     CC: Jens Axboe <axboe@kernel.dk>
>     CC: Martin K. Petersen <martin.petersen@oracle.com>
> 
> diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> index a3f28f3..4ae22a8 100644
> --- a/fs/bio-integrity.c
> +++ b/fs/bio-integrity.c
> @@ -694,15 +694,12 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
>  	bp->bio1.bi_integrity = &bp->bip1;
>  	bp->bio2.bi_integrity = &bp->bip2;
>  
> -	bp->iv1 = bip->bip_vec[0];
> -	bp->iv2 = bip->bip_vec[0];
> +	*bp->bip1.bip_vec = bip->bip_vec[0];
> +	*bp->bip2.bip_vec = bip->bip_vec[0];

I think this is horrible. Why not introduce bvec pointer in bip (like bio),
to cover the case when bvec are not inline.

Thanks
Vivek

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Kent Overstreet Oct. 2, 2012, 8:26 p.m. UTC | #2 
On Tue, Oct 02, 2012 at 10:08:47AM -0400, Vivek Goyal wrote:
> On Mon, Oct 01, 2012 at 02:42:41PM -0700, Kent Overstreet wrote:
> 
> [..]
> > Here's the new patch:
> > 
> > 
> > commit e270c9ca843b5c86d59431b0d7a676b7846946d6
> > Author: Kent Overstreet <koverstreet@google.com>
> > Date:   Mon Oct 1 14:41:08 2012 -0700
> > 
> >     block: Fix a buffer overrun in bio_integrity_split()
> >     
> >     bio_integrity_split() seemed to be confusing pointers and arrays -
> >     bip_vec in bio_integrity_payload is an array appended to the end of the
> >     payload, so the bio_vecs in struct bio_pair need to come immediately
> >     after the bio_integrity_payload they're for, and there was an assignment
> >     in bio_integrity_split() that didn't make any sense.
> >     
> >     Also, changed bio_integrity_split() to not refer to the bvecs embedded
> >     in struct bio_pair, in case there's padding between them and
> >     bip->bip_vec.
> >     
> >     Signed-off-by: Kent Overstreet <koverstreet@google.com>
> >     CC: Jens Axboe <axboe@kernel.dk>
> >     CC: Martin K. Petersen <martin.petersen@oracle.com>
> > 
> > diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> > index a3f28f3..4ae22a8 100644
> > --- a/fs/bio-integrity.c
> > +++ b/fs/bio-integrity.c
> > @@ -694,15 +694,12 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
> >  	bp->bio1.bi_integrity = &bp->bip1;
> >  	bp->bio2.bi_integrity = &bp->bip2;
> >  
> > -	bp->iv1 = bip->bip_vec[0];
> > -	bp->iv2 = bip->bip_vec[0];
> > +	*bp->bip1.bip_vec = bip->bip_vec[0];
> > +	*bp->bip2.bip_vec = bip->bip_vec[0];
> 
> I think this is horrible. Why not introduce bvec pointer in bip (like bio),
> to cover the case when bvec are not inline.

That's... exactly what the next patch in the series does.

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Vivek Goyal Oct. 2, 2012, 8:32 p.m. UTC | #3 
On Tue, Oct 02, 2012 at 01:26:43PM -0700, Kent Overstreet wrote:
> On Tue, Oct 02, 2012 at 10:08:47AM -0400, Vivek Goyal wrote:
> > On Mon, Oct 01, 2012 at 02:42:41PM -0700, Kent Overstreet wrote:
> > 
> > [..]
> > > Here's the new patch:
> > > 
> > > 
> > > commit e270c9ca843b5c86d59431b0d7a676b7846946d6
> > > Author: Kent Overstreet <koverstreet@google.com>
> > > Date:   Mon Oct 1 14:41:08 2012 -0700
> > > 
> > >     block: Fix a buffer overrun in bio_integrity_split()
> > >     
> > >     bio_integrity_split() seemed to be confusing pointers and arrays -
> > >     bip_vec in bio_integrity_payload is an array appended to the end of the
> > >     payload, so the bio_vecs in struct bio_pair need to come immediately
> > >     after the bio_integrity_payload they're for, and there was an assignment
> > >     in bio_integrity_split() that didn't make any sense.
> > >     
> > >     Also, changed bio_integrity_split() to not refer to the bvecs embedded
> > >     in struct bio_pair, in case there's padding between them and
> > >     bip->bip_vec.
> > >     
> > >     Signed-off-by: Kent Overstreet <koverstreet@google.com>
> > >     CC: Jens Axboe <axboe@kernel.dk>
> > >     CC: Martin K. Petersen <martin.petersen@oracle.com>
> > > 
> > > diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> > > index a3f28f3..4ae22a8 100644
> > > --- a/fs/bio-integrity.c
> > > +++ b/fs/bio-integrity.c
> > > @@ -694,15 +694,12 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
> > >  	bp->bio1.bi_integrity = &bp->bip1;
> > >  	bp->bio2.bi_integrity = &bp->bip2;
> > >  
> > > -	bp->iv1 = bip->bip_vec[0];
> > > -	bp->iv2 = bip->bip_vec[0];
> > > +	*bp->bip1.bip_vec = bip->bip_vec[0];
> > > +	*bp->bip2.bip_vec = bip->bip_vec[0];
> > 
> > I think this is horrible. Why not introduce bvec pointer in bip (like bio),
> > to cover the case when bvec are not inline.
> 
> That's... exactly what the next patch in the series does.

Yes, but if you want to push some of the these bug fixes in stable (as martin
had said), we need to introduce that bip->bio_vec pointer early. Also that
next patch is doing lot other other things like getting rid of bip_slabs
and we don't require all that to fix this particular bug.

In fact I would say that it is beter to fix this blk integrity bug in a
separate patchset so that it can be pushed out earlier.

Thanks
Vivek

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Kent Overstreet Oct. 2, 2012, 9:01 p.m. UTC | #4 
On Tue, Oct 02, 2012 at 04:32:53PM -0400, Vivek Goyal wrote:
> On Tue, Oct 02, 2012 at 01:26:43PM -0700, Kent Overstreet wrote:
> > On Tue, Oct 02, 2012 at 10:08:47AM -0400, Vivek Goyal wrote:
> > > On Mon, Oct 01, 2012 at 02:42:41PM -0700, Kent Overstreet wrote:
> > > 
> > > [..]
> > > > Here's the new patch:
> > > > 
> > > > 
> > > > commit e270c9ca843b5c86d59431b0d7a676b7846946d6
> > > > Author: Kent Overstreet <koverstreet@google.com>
> > > > Date:   Mon Oct 1 14:41:08 2012 -0700
> > > > 
> > > >     block: Fix a buffer overrun in bio_integrity_split()
> > > >     
> > > >     bio_integrity_split() seemed to be confusing pointers and arrays -
> > > >     bip_vec in bio_integrity_payload is an array appended to the end of the
> > > >     payload, so the bio_vecs in struct bio_pair need to come immediately
> > > >     after the bio_integrity_payload they're for, and there was an assignment
> > > >     in bio_integrity_split() that didn't make any sense.
> > > >     
> > > >     Also, changed bio_integrity_split() to not refer to the bvecs embedded
> > > >     in struct bio_pair, in case there's padding between them and
> > > >     bip->bip_vec.
> > > >     
> > > >     Signed-off-by: Kent Overstreet <koverstreet@google.com>
> > > >     CC: Jens Axboe <axboe@kernel.dk>
> > > >     CC: Martin K. Petersen <martin.petersen@oracle.com>
> > > > 
> > > > diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> > > > index a3f28f3..4ae22a8 100644
> > > > --- a/fs/bio-integrity.c
> > > > +++ b/fs/bio-integrity.c
> > > > @@ -694,15 +694,12 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
> > > >  	bp->bio1.bi_integrity = &bp->bip1;
> > > >  	bp->bio2.bi_integrity = &bp->bip2;
> > > >  
> > > > -	bp->iv1 = bip->bip_vec[0];
> > > > -	bp->iv2 = bip->bip_vec[0];
> > > > +	*bp->bip1.bip_vec = bip->bip_vec[0];
> > > > +	*bp->bip2.bip_vec = bip->bip_vec[0];
> > > 
> > > I think this is horrible. Why not introduce bvec pointer in bip (like bio),
> > > to cover the case when bvec are not inline.
> > 
> > That's... exactly what the next patch in the series does.
> 
> Yes, but if you want to push some of the these bug fixes in stable (as martin
> had said), we need to introduce that bip->bio_vec pointer early. Also that
> next patch is doing lot other other things like getting rid of bip_slabs
> and we don't require all that to fix this particular bug.
> 
> In fact I would say that it is beter to fix this blk integrity bug in a
> separate patchset so that it can be pushed out earlier.

I'm honestly not sure what your complaint about my bugfix patch was -
it's small and complete, it does fix the bug. I don't follow why you
think we need to introduce the bip->bio_vec pointer early...

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Vivek Goyal Oct. 2, 2012, 9:58 p.m. UTC | #5 
On Tue, Oct 02, 2012 at 02:01:43PM -0700, Kent Overstreet wrote:
> On Tue, Oct 02, 2012 at 04:32:53PM -0400, Vivek Goyal wrote:
> > On Tue, Oct 02, 2012 at 01:26:43PM -0700, Kent Overstreet wrote:
> > > On Tue, Oct 02, 2012 at 10:08:47AM -0400, Vivek Goyal wrote:
> > > > On Mon, Oct 01, 2012 at 02:42:41PM -0700, Kent Overstreet wrote:
> > > > 
> > > > [..]
> > > > > Here's the new patch:
> > > > > 
> > > > > 
> > > > > commit e270c9ca843b5c86d59431b0d7a676b7846946d6
> > > > > Author: Kent Overstreet <koverstreet@google.com>
> > > > > Date:   Mon Oct 1 14:41:08 2012 -0700
> > > > > 
> > > > >     block: Fix a buffer overrun in bio_integrity_split()
> > > > >     
> > > > >     bio_integrity_split() seemed to be confusing pointers and arrays -
> > > > >     bip_vec in bio_integrity_payload is an array appended to the end of the
> > > > >     payload, so the bio_vecs in struct bio_pair need to come immediately
> > > > >     after the bio_integrity_payload they're for, and there was an assignment
> > > > >     in bio_integrity_split() that didn't make any sense.
> > > > >     
> > > > >     Also, changed bio_integrity_split() to not refer to the bvecs embedded
> > > > >     in struct bio_pair, in case there's padding between them and
> > > > >     bip->bip_vec.
> > > > >     
> > > > >     Signed-off-by: Kent Overstreet <koverstreet@google.com>
> > > > >     CC: Jens Axboe <axboe@kernel.dk>
> > > > >     CC: Martin K. Petersen <martin.petersen@oracle.com>
> > > > > 
> > > > > diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
> > > > > index a3f28f3..4ae22a8 100644
> > > > > --- a/fs/bio-integrity.c
> > > > > +++ b/fs/bio-integrity.c
> > > > > @@ -694,15 +694,12 @@ void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
> > > > >  	bp->bio1.bi_integrity = &bp->bip1;
> > > > >  	bp->bio2.bi_integrity = &bp->bip2;
> > > > >  
> > > > > -	bp->iv1 = bip->bip_vec[0];
> > > > > -	bp->iv2 = bip->bip_vec[0];
> > > > > +	*bp->bip1.bip_vec = bip->bip_vec[0];
> > > > > +	*bp->bip2.bip_vec = bip->bip_vec[0];
> > > > 
> > > > I think this is horrible. Why not introduce bvec pointer in bip (like bio),
> > > > to cover the case when bvec are not inline.
> > > 
> > > That's... exactly what the next patch in the series does.
> > 
> > Yes, but if you want to push some of the these bug fixes in stable (as martin
> > had said), we need to introduce that bip->bio_vec pointer early. Also that
> > next patch is doing lot other other things like getting rid of bip_slabs
> > and we don't require all that to fix this particular bug.
> > 
> > In fact I would say that it is beter to fix this blk integrity bug in a
> > separate patchset so that it can be pushed out earlier.
> 
> I'm honestly not sure what your complaint about my bugfix patch was -
> it's small and complete, it does fix the bug. I don't follow why you
> think we need to introduce the bip->bio_vec pointer early...

I think having iv1 and iv2 and then not even accessing these using 
bp->iv1 and bp->iv2 is a bad idea even for bugfix.

I have never seen a code which says, hey I have defined two fields in a
struct but, don't access those fields directly(as there might be padding
issues). These fields are just there for blocking a chunk of memory but are
never meant to be accessed directly. I think, that's what my issue is. It
is bad programming (does not matter whether it is bug fix or not).

For your series it probably is still fine as you will overide it pretty
soon but what about stable. Anybody looking at that code might want
to say, hey why not directly initialize bp->iv1 instead of trying to
do *bp->bip1.bip_vec. And everybody will say, yes looks fine and boom
a bug is introduced because we did bad programming.

Thanks
Vivek

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Kent Overstreet Oct. 2, 2012, 10:07 p.m. UTC | #6 
On Tue, Oct 02, 2012 at 05:58:45PM -0400, Vivek Goyal wrote:
> On Tue, Oct 02, 2012 at 02:01:43PM -0700, Kent Overstreet wrote:
> > I'm honestly not sure what your complaint about my bugfix patch was -
> > it's small and complete, it does fix the bug. I don't follow why you
> > think we need to introduce the bip->bio_vec pointer early...
> 
> I think having iv1 and iv2 and then not even accessing these using 
> bp->iv1 and bp->iv2 is a bad idea even for bugfix.
> 
> I have never seen a code which says, hey I have defined two fields in a
> struct but, don't access those fields directly(as there might be padding
> issues). These fields are just there for blocking a chunk of memory but are
> never meant to be accessed directly. I think, that's what my issue is. It
> is bad programming (does not matter whether it is bug fix or not).
> 
> For your series it probably is still fine as you will overide it pretty
> soon but what about stable. Anybody looking at that code might want
> to say, hey why not directly initialize bp->iv1 instead of trying to
> do *bp->bip1.bip_vec. And everybody will say, yes looks fine and boom
> a bug is introduced because we did bad programming.

Ok. It's definitely a bit weird and unusual, and if I wasn't getting rid
of it in the next patch it would definitely merit a comment.

For stable... wtf would they be making that kind of change for, and
without reading the relevant code?

Eh, maybe I will stick in that comment and take it out in the next
patch.

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
Martin K. Petersen Oct. 2, 2012, 10:30 p.m. UTC | #7 
>>>>> "Kent" == Kent Overstreet <koverstreet@google.com> writes:

>> > + *bp->bip1.bip_vec = bip->bip_vec[0];
>> > + *bp->bip2.bip_vec = bip->bip_vec[0];
>> 
>> I think this is horrible.

Yep.


>> Why not introduce bvec pointer in bip (like bio), to cover the case
>> when bvec are not inline.

Kent> That's... exactly what the next patch in the series does.

I'm perfectly ok with a patch that introduces the pointer and fixes the
bio_pair case. As long as that's all it does.
diff mbox

Patch

diff --git a/fs/bio-integrity.c b/fs/bio-integrity.c
index a3f28f3..4ae22a8 100644
--- a/fs/bio-integrity.c
+++ b/fs/bio-integrity.c
@@ -694,15 +694,12 @@  void bio_integrity_split(struct bio *bio, struct bio_pair *bp, int sectors)
 	bp->bio1.bi_integrity = &bp->bip1;
 	bp->bio2.bi_integrity = &bp->bip2;
 
-	bp->iv1 = bip->bip_vec[0];
-	bp->iv2 = bip->bip_vec[0];
+	*bp->bip1.bip_vec = bip->bip_vec[0];
+	*bp->bip2.bip_vec = bip->bip_vec[0];
 
-	bp->bip1.bip_vec[0] = bp->iv1;
-	bp->bip2.bip_vec[0] = bp->iv2;
-
-	bp->iv1.bv_len = sectors * bi->tuple_size;
-	bp->iv2.bv_offset += sectors * bi->tuple_size;
-	bp->iv2.bv_len -= sectors * bi->tuple_size;
+	bp->bip1.bip_vec->bv_len = sectors * bi->tuple_size;
+	bp->bip2.bip_vec->bv_offset += sectors * bi->tuple_size;
+	bp->bip2.bip_vec->bv_len -= sectors * bi->tuple_size;
 
 	bp->bip1.bip_sector = bio->bi_integrity->bip_sector;
 	bp->bip2.bip_sector = bio->bi_integrity->bip_sector + nr_sectors;
diff --git a/include/linux/bio.h b/include/linux/bio.h
index b31036f..8e2d108 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -200,8 +200,10 @@  struct bio_pair {
 	struct bio			bio1, bio2;
 	struct bio_vec			bv1, bv2;
 #if defined(CONFIG_BLK_DEV_INTEGRITY)
-	struct bio_integrity_payload	bip1, bip2;
-	struct bio_vec			iv1, iv2;
+	struct bio_integrity_payload	bip1;
+	struct bio_vec			iv1;
+	struct bio_integrity_payload	bip2;
+	struct bio_vec			iv2;
 #endif
 	atomic_t			cnt;
 	int				error;