| Message ID | 155009104740.32028.193157199378698979.stgit@magnolia (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | [1/3] xfs: don't overflow xattr listent buffer | expand |
Bah, I forgot to send the cover letter. Oh well. xfs: various fixes The first patch fixes a memory corruption that syzkaller found in the attr listent code; see "generic: posix acl extended attribute memory corruption test" for the relevant regression test. Patches 2 fixes problems found in XFS's unlinked inode recovery code that were unearthed by some new testcases. We're logging nlink==1 temp files on the iunlinked list (and then the vfs sets nlink to 0 without telling us) which means that we leak them in recovery if we crash immediately after the committing the creation of the temp file. Patch 3 fixes the problem that ifree during recovery can expand the finobt but we need to force the ifree code to reserve blocks for the transaction because perag reservations aren't set up yet. See "[PATCH v2 2/2] generic: check the behavior of programs opening a lot of O_TMPFILE files" for the regression test. --D
Looks good,
Reviewed-by: Christoph Hellwig <hch@lst.de>
Darrick, Can I have your blessing on the choice of these upstream commits as stable candidates? I did not observe any xfstests regressions when testing v4.19.55 with these patches applied. Sasha, Can you run these patches though your xfstests setup? They fix nasty bugs. Make sure to update xfsprogs to very latest, because generic/530 used to blow up (OOM) my test machine... > > The first patch fixes a memory corruption that syzkaller found in the > attr listent code; 3b50086f0c0d xfs: don't overflow xattr listent buffer > see "generic: posix acl extended attribute memory > corruption test" for the relevant regression test. Fixed generic/529 > > Patches 2 fixes problems found in XFS's unlinked inode recovery code > that were unearthed by some new testcases. We're logging nlink==1 temp > files on the iunlinked list (and then the vfs sets nlink to 0 without > telling us) which means that we leak them in recovery if we crash > immediately after the committing the creation of the temp file. > > Patch 3 fixes the problem that ifree during recovery can expand the > finobt but we need to force the ifree code to reserve blocks for the > transaction because perag reservations aren't set up yet. e1f6ca113815 xfs: rename m_inotbt_nores to m_finobt_nores 15a268d9f263 xfs: reserve blocks for ifree transaction during log recovery c4a6bf7f6cc7 xfs: don't ever put nlink > 0 inodes on the unlinked list > > See "[PATCH v2 2/2] generic: check the behavior of programs opening a > lot of O_TMPFILE files" for the regression test. > Fixes generic/530 Thanks, Amir.
On Thu, Jun 27, 2019 at 07:12:48PM +0300, Amir Goldstein wrote: > Darrick, > > Can I have your blessing on the choice of these upstream commits > as stable candidates? > I did not observe any xfstests regressions when testing v4.19.55 > with these patches applied. All four commits look reasonable to me. :) --D > Sasha, > > Can you run these patches though your xfstests setup? > They fix nasty bugs. > > Make sure to update xfsprogs to very latest, because > generic/530 used to blow up (OOM) my test machine... > > > > > The first patch fixes a memory corruption that syzkaller found in the > > attr listent code; > > 3b50086f0c0d xfs: don't overflow xattr listent buffer > > > see "generic: posix acl extended attribute memory > > corruption test" for the relevant regression test. > > Fixed generic/529 > > > > > Patches 2 fixes problems found in XFS's unlinked inode recovery code > > that were unearthed by some new testcases. We're logging nlink==1 temp > > files on the iunlinked list (and then the vfs sets nlink to 0 without > > telling us) which means that we leak them in recovery if we crash > > immediately after the committing the creation of the temp file. > > > > Patch 3 fixes the problem that ifree during recovery can expand the > > finobt but we need to force the ifree code to reserve blocks for the > > transaction because perag reservations aren't set up yet. > > e1f6ca113815 xfs: rename m_inotbt_nores to m_finobt_nores > 15a268d9f263 xfs: reserve blocks for ifree transaction during log recovery > c4a6bf7f6cc7 xfs: don't ever put nlink > 0 inodes on the unlinked list > > > > > See "[PATCH v2 2/2] generic: check the behavior of programs opening a > > lot of O_TMPFILE files" for the regression test. > > > > Fixes generic/530 > > Thanks, > Amir.
On Thu, Jun 27, 2019 at 07:12:48PM +0300, Amir Goldstein wrote: >Darrick, > >Can I have your blessing on the choice of these upstream commits >as stable candidates? >I did not observe any xfstests regressions when testing v4.19.55 >with these patches applied. > >Sasha, > >Can you run these patches though your xfstests setup? >They fix nasty bugs. Will do. Tests running now - I'll update tomorrow. -- Thanks, Sasha
On Thu, Jun 27, 2019 at 07:32:17PM -0400, Sasha Levin wrote: >On Thu, Jun 27, 2019 at 07:12:48PM +0300, Amir Goldstein wrote: >>Darrick, >> >>Can I have your blessing on the choice of these upstream commits >>as stable candidates? >>I did not observe any xfstests regressions when testing v4.19.55 >>with these patches applied. >> >>Sasha, >> >>Can you run these patches though your xfstests setup? >>They fix nasty bugs. > >Will do. Tests running now - I'll update tomorrow. I gave it a few more days, and it looks good here. -- Thanks, Sasha
================================================================== BUG: KASAN: slab-out-of-bounds in strncpy+0xb3/0xd0 Write of size 1 at addr ffff88807fbd317f by task syz/1113 CPU: 3 PID: 1113 Comm: syz Not tainted 5.0.0-rc6-xfsx #rc6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: dump_stack+0xcc/0x180 print_address_description+0x6c/0x23c kasan_report.cold.3+0x1c/0x35 strncpy+0xb3/0xd0 __xfs_xattr_put_listent+0x1a9/0x2c0 [xfs] xfs_attr_list_int_ilocked+0x11af/0x1800 [xfs] xfs_attr_list_int+0x20c/0x2e0 [xfs] xfs_vn_listxattr+0x225/0x320 [xfs] listxattr+0x11f/0x1b0 path_listxattr+0xbd/0x130 do_syscall_64+0x139/0x560 While we're at it we add an assert to the other put_listent to avoid this sort of thing ever happening to the attrlist_by_handle code. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> --- fs/xfs/xfs_attr_list.c | 1 + fs/xfs/xfs_xattr.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/fs/xfs/xfs_attr_list.c b/fs/xfs/xfs_attr_list.c index a58034049995..3d213a7394c5 100644 --- a/fs/xfs/xfs_attr_list.c +++ b/fs/xfs/xfs_attr_list.c @@ -555,6 +555,7 @@ xfs_attr_put_listent( attrlist_ent_t *aep; int arraytop; + ASSERT(!context->seen_enough); ASSERT(!(context->flags & ATTR_KERNOVAL)); ASSERT(context->count >= 0); ASSERT(context->count < (ATTR_MAX_VALUELEN/8)); diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c index 63ee1d5bf1d7..9a63016009a1 100644 --- a/fs/xfs/xfs_xattr.c +++ b/fs/xfs/xfs_xattr.c @@ -129,6 +129,9 @@ __xfs_xattr_put_listent( char *offset; int arraytop; + if (context->count < 0 || context->seen_enough) + return; + if (!context->alist) goto compute_size;
From: Darrick J. Wong <darrick.wong@oracle.com> For VFS listxattr calls, xfs_xattr_put_listent calls __xfs_xattr_put_listent twice if it sees an attribute "trusted.SGI_ACL_FILE": once for that name, and again for "system.posix_acl_access". Unfortunately, if we happen to run out of buffer space while emitting the first name, we set count to -1 (so that we can feed ERANGE to the caller). The second invocation doesn't check that the context parameters make sense and overwrites the byte before the buffer, triggering a KASAN report: