Lustre LU-15827

BUG: KASAN: slab-out-of-bounds in osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]

Details


    Description

      There is a slab out of bounds write with encryption on master.
        Apr 26 08:27:15 l kernel: BUG: KASAN: slab-out-of-bounds in osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: Write of size 1 at addr ffff888005123400 by task mdt_rdpg00_001/518707
        Apr 26 08:27:15 l kernel: 
        Apr 26 08:27:15 l kernel: CPU: 1 PID: 518707 Comm: mdt_rdpg00_001 Kdump: loaded Tainted: G        W  OE    --------- -  - 4.18.0-348.7.1.el8.x86_64+debug #1
        Apr 26 08:27:15 l kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
        Apr 26 08:27:15 l kernel: Call Trace:
        Apr 26 08:27:15 l kernel: dump_stack+0x8e/0xd0
        Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: print_address_description.constprop.5+0x1e/0x230
        Apr 26 08:27:15 l kernel: ? kmsg_dump_rewind_nolock+0xd9/0xd9
        Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: __kasan_report.cold.7+0x37/0x86
        Apr 26 08:27:15 l kernel: ? ldiskfs_htree_fill_tree+0x6c1/0x880 [ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: kasan_report+0x37/0x50
        Apr 26 08:27:15 l kernel: osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? kfree+0xdd/0x570
        Apr 26 08:27:15 l kernel: ? osd_declare_xattr_del+0x520/0x520 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? free_rb_tree_fname+0x67/0xb0 [ldiskfs]
        Apr 26 08:27:15 l kernel: ? free_rb_tree_fname+0x67/0xb0 [ldiskfs]
        Apr 26 08:27:15 l kernel: call_filldir+0x277/0x7a0 [ldiskfs]
        Apr 26 08:27:15 l kernel: ldiskfs_readdir+0x19f7/0x2a40 [ldiskfs]
        Apr 26 08:27:15 l kernel: ? __ldiskfs_check_dir_entry+0x5e0/0x5e0 [ldiskfs]
        Apr 26 08:27:15 l kernel: ? down_read_killable+0x1d0/0x780
        Apr 26 08:27:15 l kernel: ? fsnotify_first_mark+0x150/0x150
        Apr 26 08:27:15 l kernel: ? down_read+0x770/0x770
        Apr 26 08:27:15 l kernel: iterate_dir+0x3b0/0x610
        Apr 26 08:27:15 l kernel: ? ldiskfs_htree_lock+0x151/0x3a0 [ldiskfs]
        Apr 26 08:27:15 l kernel: osd_ldiskfs_it_fill+0x2f8/0x830 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_it_ea_fini+0x250/0x250 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_declare_xattr_del+0x520/0x520 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: ? osd_dirent_check_repair+0x52a0/0x52a0 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: osd_it_ea_next+0x34b/0x3f0 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: mdd_dir_page_build+0x318/0xef0 [mdd]
        Apr 26 08:27:15 l kernel: dt_index_walk+0x4b4/0xcd0 [obdclass]
        Apr 26 08:27:15 l kernel: ? dt_xattr_del+0x2e0/0x2e0 [mdd]
        Apr 26 08:27:15 l kernel: mdd_readpage+0x7e4/0x10d0 [mdd]
        Apr 26 08:27:15 l kernel: mdt_readpage+0xdd7/0x1bc0 [mdt]
        Apr 26 08:27:15 l kernel: tgt_request_handle+0x1d84/0x43c0 [ptlrpc]
        Apr 26 08:27:15 l kernel: ? tgt_brw_read+0x5400/0x5400 [ptlrpc]
        Apr 26 08:27:15 l kernel: ptlrpc_server_handle_request+0xa5e/0x1fe0 [ptlrpc]
        Apr 26 08:27:15 l kernel: ptlrpc_main+0x1a6e/0x2e00 [ptlrpc]
        Apr 26 08:27:15 l kernel: ? __kthread_parkme+0xc4/0x190
        Apr 26 08:27:15 l kernel: ? ptlrpc_register_service+0x2de0/0x2de0 [ptlrpc]
        Apr 26 08:27:15 l kernel: kthread+0x344/0x410
        Apr 26 08:27:15 l kernel: ? kthread_insert_work_sanity_check+0xd0/0xd0
        Apr 26 08:27:15 l kernel: ret_from_fork+0x24/0x50
        Apr 26 08:27:15 l kernel: 
        Apr 26 08:27:15 l kernel: Allocated by task 518707:
        Apr 26 08:27:15 l kernel: kasan_save_stack+0x19/0x80
        Apr 26 08:27:15 l kernel: __kasan_kmalloc.constprop.9+0xc1/0xd0
        Apr 26 08:27:15 l kernel: kmem_cache_alloc_trace+0x142/0x320
        Apr 26 08:27:15 l kernel: osd_key_init+0x101/0x9b0 [osd_ldiskfs]
        Apr 26 08:27:15 l kernel: keys_fill+0x1c1/0x5c0 [obdclass]
        Apr 26 08:27:15 l kernel: lu_context_init+0x279/0x440 [obdclass]
        Apr 26 08:27:15 l kernel: ptlrpc_main+0x9c3/0x2e00 [ptlrpc]
        Apr 26 08:27:15 l kernel: kthread+0x344/0x410
        Apr 26 08:27:15 l kernel: ret_from_fork+0x24/0x50
        Apr 26 08:27:15 l kernel: 
        

      In osd_ldiskfs_filldir() we check that the buffer has enough space for namelen bytes but we do not account for the possibility that it does not have enough space for presented_len.

              if ((void *)ent - it->oie_buf + sizeof(*ent) + namelen >
                  OSD_IT_EA_BUFSIZE)
                      RETURN(1);
      ....
                      int presented_len = critical_chars(name, namelen);
      
                      if (presented_len == namelen)
                              memcpy(ent->oied_name, name, namelen);
                      else
                              namelen = critical_encode(name, namelen,
                                                        ent->oied_name);
      
                      ent->oied_name[namelen] = '\0'; /* osd_ldiskfs_filldir+0x16c2 */
      

      It also seems like the original check is wrong. It seems to be missing a +1 for the trailing NUL.
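
      Added example (not code from this ticket or from Lustre): a small C model of the two sizing mistakes described above, with the check as quoted beside a check that sizes by the presented length plus the trailing NUL. IT_BUFSIZE, struct ent_hdr, the IS_CRITICAL escaping rule, model_critical_chars()/model_critical_encode() and the demo_* helpers are assumptions standing in for OSD_IT_EA_BUFSIZE, the osd dirent layout and critical_chars()/critical_encode(); the input names are constructed. demo_overrun() exercises the two cases the quoted check accepts although the write then runs past the buffer: a name whose raw length fills the buffer exactly (no byte left for the NUL) and a name with critical characters whose presented length exceeds its namelen.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model sizes: assumptions for illustration, not the real OSD_IT_EA_BUFSIZE. */
#define IT_BUFSIZE 64
struct ent_hdr {
    uint8_t namelen;  /* length of the stored (possibly encoded) name */
    uint8_t type;
    char    name[];   /* NUL-terminated name follows the header */
};

/* Stand-ins for critical_chars()/critical_encode(): assume '/', '\0' and '='
 * are critical and are presented as "=XX", so each grows from 1 to 3 bytes. */
#define IS_CRITICAL(c) ((c) == '/' || (c) == '\0' || (c) == '=')

static int model_critical_chars(const char *name, int namelen)
{
    int presented = namelen;
    for (int i = 0; i < namelen; i++)
        if (IS_CRITICAL((unsigned char)name[i]))
            presented += 2;
    return presented;
}

static int model_critical_encode(const char *src, int len, char *dst)
{
    static const char hex[] = "0123456789abcdef";
    int o = 0;
    for (int i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!IS_CRITICAL(c)) {
            dst[o++] = (char)c;
            continue;
        }
        dst[o++] = '=';
        dst[o++] = hex[c >> 4];
        dst[o++] = hex[c & 0xf];
    }
    return o;
}

/* Bytes the entry really occupies: header + presented name + trailing NUL. */
static size_t bytes_written(const char *name, int namelen)
{
    return sizeof(struct ent_hdr) + (size_t)model_critical_chars(name, namelen) + 1;
}

/* The check as quoted in the report: sized by raw namelen, no byte for NUL. */
static int check_as_reported(size_t used, int namelen)
{
    return used + sizeof(struct ent_hdr) + (size_t)namelen <= IT_BUFSIZE;
}

/* 1 if the reported check accepts an entry whose write then overruns. */
static int reported_check_overruns(size_t used, const char *name, int namelen)
{
    return check_as_reported(used, namelen) &&
           used + bytes_written(name, namelen) > IT_BUFSIZE;
}

/* Append one entry under the corrected check (presented length + NUL).
 * Returns the new fill level, or -1 when the entry does not fit. */
static long append_entry(char *buf, size_t used, const char *name, int namelen)
{
    int presented = model_critical_chars(name, namelen);
    struct ent_hdr *ent;
    if (used + bytes_written(name, namelen) > IT_BUFSIZE)
        return -1;
    ent = (struct ent_hdr *)(buf + used);
    if (presented == namelen)
        memcpy(ent->name, name, (size_t)namelen);
    else
        namelen = model_critical_encode(name, namelen, ent->name);
    ent->name[namelen] = '\0';  /* the store KASAN flagged in the report */
    ent->namelen = (uint8_t)namelen;
    ent->type = 0;
    return (long)(used + sizeof(*ent) + (size_t)namelen + 1);
}

/* Constructed test name: `len` bytes of 'a', the first `ncrit` replaced by '/'.
 * Reports whether the reported check lets it overrun an empty buffer. */
static int demo_overrun(int len, int ncrit)
{
    char name[256];
    memset(name, 'a', sizeof(name));
    memset(name, '/', (size_t)ncrit);
    return reported_check_overruns(0, name, len);
}

/* Same constructed name appended into a fresh buffer under the corrected check. */
static long demo_append(int len, int ncrit)
{
    char buf[IT_BUFSIZE], name[256];
    memset(name, 'a', sizeof(name));
    memset(name, '/', (size_t)ncrit);
    return append_entry(buf, 0, name, len);
}
```

      With IT_BUFSIZE 64 and a 2-byte header, demo_overrun(62, 0) and demo_overrun(58, 2) return 1 (accepted by the quoted check, then one byte past the buffer is written) while demo_overrun(60, 0) returns 0; demo_append(58, 2) returns -1 because the corrected check rejects the entry before anything is stored, and demo_append(40, 2) returns 47 because the two slashes are presented as 6 bytes.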

      Attachments

        Issue Links

          Activity

            pjones Peter Jones made changes -
            Fix Version/s New: Lustre 2.16.0 [ 15190 ]
            pjones Peter Jones made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]
            pjones Peter Jones made changes -
            Assignee Original: Sebastien Buisson [ sebastien ] New: John Hammond [ jhammond ]
            pjones Peter Jones made changes -
            Fix Version/s New: Lustre 2.15.0 [ 14791 ]
            pjones Peter Jones made changes -
            Assignee Original: WC Triage [ wc-triage ] New: Sebastien Buisson [ sebastien ]
            jhammond John Hammond made changes -
            Component/s Original: Core Lustre [ 12687 ]
            Key Original: EX-5172 New: LU-15827
            Workflow Original: Software Simplified Workflow for Project EX [ 87390 ] New: Sub-task Blocking [ 87527 ]
            Project Original: Exascaler [ 12911 ] New: Lustre [ 10000 ]
            Status Original: To Do [ 10206 ] New: Open [ 1 ]
            jhammond John Hammond made changes -
            Description Original: There is a slab out of bounds write with encryption on 2.14.0-ddn40 (and likely on master).
            New: There is a slab out of bounds write with encryption on master.
            (The KASAN trace and the osd_ldiskfs_filldir() analysis are the same in both versions as in the Description above.)
            mdiep Minh Diep made changes -
            Component/s New: Core Lustre [ 12687 ]
            jhammond John Hammond made changes -
            Link New: This issue is related to LU-13717 [ LU-13717 ]
            jhammond John Hammond created issue -

            People

              Assignee: John Hammond
              Reporter: John Hammond
              Votes: 0
              Watchers: 3