| Message ID | tencent_B22CA96C8896C0E9FEEFD2CCAC795A6E500A@qq.com (mailing list archive) |
|---|---|
| State | New |
| Series | ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow |
On 10/9/24 11:05 PM, Edward Adam Davis wrote: > Syzbot reported a kernel BUG in ocfs2_truncate_inline. > There are two reasons for this: first, the parameter value passed is greater > than UINT_MAX, second, the start and end parameters of ocfs2_truncate_inline > are "unsigned int". > > So, we need to add a sanity check for offset and len in ocfs2_fallocate, if > they are greater than UINT_MAX return -EFBIG. fallocate should accept loff_t (aka long long) offset and len. I guess the reported bug is caused by a crafted image, which set overflow offset and len in case of inline data (with flag OCFS2_INLINE_DATA_FL set). So IMO, the right place to add a sanity check is right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(). Thanks, Joseph > > Reported-and-tested-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7 > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > fs/ocfs2/file.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c > index ad131a2fc58e..ed26ec8ac6b6 100644 > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -2117,6 +2117,9 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, > return ret; > } > > + if (offset > UINT_MAX || offset + len > UINT_MAX) > + return -EFBIG; > + > if (mode & FALLOC_FL_PUNCH_HOLE) > cmd = OCFS2_IOC_UNRESVSP64; >
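Review bot: the added check in this hunk gates every ocfs2_fallocate() call on a 4 GiB limit, not only the inline-data case that reaches ocfs2_truncate_inline(); the same hunk shows the OCFS2_IOC_UNRESVSP64 punch-hole path, which exists precisely to work on 64-bit ranges, so any regular-extent inode would lose fallocate and punch-hole beyond UINT_MAX with this placement. Joseph's suggestion to put the check right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), under the OCFS2_INLINE_DATA_FL condition, confines the rejection to the one path where the unsigned int start/end parameters actually truncate the loff_t values.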
diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index ad131a2fc58e..ed26ec8ac6b6 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -2117,6 +2117,9 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, return ret; } + if (offset > UINT_MAX || offset + len > UINT_MAX) + return -EFBIG; + if (mode & FALLOC_FL_PUNCH_HOLE) cmd = OCFS2_IOC_UNRESVSP64;
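Review bot: the subject line "pass u64 to ocfs2_truncate_inline maybe overflow" does not describe this hunk, which widens no parameter and instead rejects offset/len above UINT_MAX in ocfs2_fallocate() with -EFBIG; the subject and commit message should say that, and should explain why a 4 GiB cap on all fallocate calls is acceptable when only the inline-data path feeds these values into unsigned int parameters. Separately, `offset + len > UINT_MAX` is evaluated in loff_t and relies on the caller having already rejected negative and wrapping values; if that guarantee comes from the VFS entry point, a one-line comment above the check would make it explicit, since a wrapped sum would read as small and slip past this test.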
Syzbot reported a kernel BUG in ocfs2_truncate_inline.
There are two reasons for this: first, the parameter value passed is greater
than UINT_MAX, second, the start and end parameters of ocfs2_truncate_inline
are "unsigned int".

So, we need to add a sanity check for offset and len in ocfs2_fallocate, if
they are greater than UINT_MAX return -EFBIG.

Reported-and-tested-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ocfs2/file.c | 3 +++
 1 file changed, 3 insertions(+)