From patchwork Thu Aug 22 16:12:18 2024
X-Patchwork-Submitter: Vasiliy Kovalev
X-Patchwork-Id: 13773919
From: kovalev@altlinux.org
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, aivazian.tigran@gmail.com, stable@vger.kernel.org
Cc: lvc-patches@linuxtesting.org, dutyrok@altlinux.org, kovalev@altlinux.org, syzbot+d98fd19acd08b36ff422@syzkaller.appspotmail.com
Subject: [PATCH v3 1/2] bfs: prevent null pointer dereference in bfs_move_block()
Date: Thu, 22 Aug 2024 19:12:18 +0300
Message-Id: <20240822161219.459054-2-kovalev@altlinux.org>
In-Reply-To: <20240822161219.459054-1-kovalev@altlinux.org>
References: <20240822161219.459054-1-kovalev@altlinux.org>
From: Vasiliy Kovalev

Detect a failed sb_getblk() call (before copying data) so that null pointer dereferences should not happen any more. We also decrement (brelse) the bh counter in this case.

Found when launching the reproducer generated by Syzkaller:

KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Comm: mark_buffer_dir Tainted: G W 6.1.105-un-def-alt1.kasan #1
RIP: 0010:bfs_get_block+0x35b/0xdf0 (fs/bfs/file.c:42) [bfs]
Call Trace:
 __die_body.cold (arch/x86/kernel/dumpstack.c:478)
 die_addr (arch/x86/kernel/dumpstack.c:462)
 exc_general_protection (arch/x86/kernel/traps.c:787)
 asm_exc_general_protection (./arch/x86/include/asm/idtentry.h:564)
 __getblk_gfp (fs/buffer.c:1335)
 bfs_get_block (fs/bfs/file.c:42) bfs
 bfs_get_block (fs/bfs/file.c:56) bfs
 bfs_get_block (fs/bfs/file.c:125) bfs
 bfs_write_begin (fs/bfs/file.c:66) bfs
 __block_write_begin_int (fs/buffer.c:1991)
 bfs_write_begin (fs/bfs/file.c:66) bfs
 invalidate_bh_lrus_cpu (fs/buffer.c:1955)
 fault_in_readable (mm/gup.c:1898)
 PageHeadHuge (mm/hugetlb.c:2123)
 bfs_write_begin (fs/bfs/file.c:66) bfs
 block_write_begin (fs/buffer.c:2103)
 bfs_write_begin (fs/bfs/file.c:178) bfs
 generic_perform_write (mm/filemap.c:3817)
 generic_file_readonly_mmap (mm/filemap.c:3781)
 new_inode (fs/inode.c:2126)
 generic_write_checks (fs/read_write.c:1687)
 __generic_file_write_iter (mm/filemap.c:3946)
 generic_file_write_iter (./include/linux/fs.h:763 mm/filemap.c:3978)
 vfs_write (./include/linux/fs.h:2265 fs/read_write.c:491)
 kernel_write (fs/read_write.c:565)
 __fget_files (fs/file.c:918)
 ksys_write (fs/read_write.c:638)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+d98fd19acd08b36ff422@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=d98fd19acd08b36ff422
Link: https://syzkaller.appspot.com/text?tag=ReproC&x=16515ba3e80000
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev
---
 fs/bfs/file.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/fs/bfs/file.c b/fs/bfs/file.c index 57ae5ee6deec12..23773e62994024 100644 --- a/fs/bfs/file.c +++ b/fs/bfs/file.c @@ -39,6 +39,10 @@ static int bfs_move_block(unsigned long from, unsigned long to, if (!bh) return -EIO; new = sb_getblk(sb, to); + if (!new) { + brelse(bh); + return -EIO; + } memcpy(new->b_data, bh->b_data, bh->b_size); mark_buffer_dirty(new); bforget(bh);
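Review bot: the new `if (!new)` branch in bfs_move_block() is the right shape and mirrors the `if (!bh) return -EIO;` check just above it, but the asymmetry with the success path deserves a one-line comment: on success the source buffer is dropped with `bforget(bh)` (its contents have been copied and the old block is being abandoned), whereas the new error path uses `brelse(bh)`, which is correct because the copy never happened and the still-valid source data must stay in the cache. Without the check, a NULL from `sb_getblk(sb, to)` reaches `memcpy(new->b_data, ...)` directly, which matches the KASAN report above (null-ptr-deref in the 0x28-0x2f range, i.e. a field offset inside `struct buffer_head` at fs/bfs/file.c:42). Returning -EIO on a failed getblk is consistent with the existing error convention in this function, so no change to the callers is needed.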