[LU-15827] BUG: KASAN: slab-out-of-bounds in osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]

Related — Fri, 13 May 2022 17:20:32 +0000

There is a slab out of bounds write with encryption on master.

Apr 26 08:27:15 l kernel: BUG: KASAN: slab-out-of-bounds in osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: Write of size 1 at addr ffff888005123400 by task mdt_rdpg00_001/518707
Apr 26 08:27:15 l kernel: 
Apr 26 08:27:15 l kernel: CPU: 1 PID: 518707 Comm: mdt_rdpg00_001 Kdump: loaded Tainted: G        W  OE    --------- -  - 4.18.0-348.7.1.el8.x86_64+debug #1
Apr 26 08:27:15 l kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Apr 26 08:27:15 l kernel: Call Trace:
Apr 26 08:27:15 l kernel: dump_stack+0x8e/0xd0
Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: print_address_description.constprop.5+0x1e/0x230
Apr 26 08:27:15 l kernel: ? kmsg_dump_rewind_nolock+0xd9/0xd9
Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: __kasan_report.cold.7+0x37/0x86
Apr 26 08:27:15 l kernel: ? ldiskfs_htree_fill_tree+0x6c1/0x880 [ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: kasan_report+0x37/0x50
Apr 26 08:27:15 l kernel: osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? kfree+0xdd/0x570
Apr 26 08:27:15 l kernel: ? osd_declare_xattr_del+0x520/0x520 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? free_rb_tree_fname+0x67/0xb0 [ldiskfs]
Apr 26 08:27:15 l kernel: ? free_rb_tree_fname+0x67/0xb0 [ldiskfs]
Apr 26 08:27:15 l kernel: call_filldir+0x277/0x7a0 [ldiskfs]
Apr 26 08:27:15 l kernel: ldiskfs_readdir+0x19f7/0x2a40 [ldiskfs]
Apr 26 08:27:15 l kernel: ? __ldiskfs_check_dir_entry+0x5e0/0x5e0 [ldiskfs]
Apr 26 08:27:15 l kernel: ? down_read_killable+0x1d0/0x780
Apr 26 08:27:15 l kernel: ? fsnotify_first_mark+0x150/0x150
Apr 26 08:27:15 l kernel: ? down_read+0x770/0x770
Apr 26 08:27:15 l kernel: iterate_dir+0x3b0/0x610
Apr 26 08:27:15 l kernel: ? ldiskfs_htree_lock+0x151/0x3a0 [ldiskfs]
Apr 26 08:27:15 l kernel: osd_ldiskfs_it_fill+0x2f8/0x830 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_it_ea_fini+0x250/0x250 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_declare_xattr_del+0x520/0x520 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: ? osd_dirent_check_repair+0x52a0/0x52a0 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: osd_it_ea_next+0x34b/0x3f0 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: mdd_dir_page_build+0x318/0xef0 [mdd]
Apr 26 08:27:15 l kernel: dt_index_walk+0x4b4/0xcd0 [obdclass]
Apr 26 08:27:15 l kernel: ? dt_xattr_del+0x2e0/0x2e0 [mdd]
Apr 26 08:27:15 l kernel: mdd_readpage+0x7e4/0x10d0 [mdd]
Apr 26 08:27:15 l kernel: mdt_readpage+0xdd7/0x1bc0 [mdt]
Apr 26 08:27:15 l kernel: tgt_request_handle+0x1d84/0x43c0 [ptlrpc]
Apr 26 08:27:15 l kernel: ? tgt_brw_read+0x5400/0x5400 [ptlrpc]
Apr 26 08:27:15 l kernel: ptlrpc_server_handle_request+0xa5e/0x1fe0 [ptlrpc]
Apr 26 08:27:15 l kernel: ptlrpc_main+0x1a6e/0x2e00 [ptlrpc]
Apr 26 08:27:15 l kernel: ? __kthread_parkme+0xc4/0x190
Apr 26 08:27:15 l kernel: ? ptlrpc_register_service+0x2de0/0x2de0 [ptlrpc]
Apr 26 08:27:15 l kernel: kthread+0x344/0x410
Apr 26 08:27:15 l kernel: ? kthread_insert_work_sanity_check+0xd0/0xd0
Apr 26 08:27:15 l kernel: ret_from_fork+0x24/0x50
Apr 26 08:27:15 l kernel: 
Apr 26 08:27:15 l kernel: Allocated by task 518707:
Apr 26 08:27:15 l kernel: kasan_save_stack+0x19/0x80
Apr 26 08:27:15 l kernel: __kasan_kmalloc.constprop.9+0xc1/0xd0
Apr 26 08:27:15 l kernel: kmem_cache_alloc_trace+0x142/0x320
Apr 26 08:27:15 l kernel: osd_key_init+0x101/0x9b0 [osd_ldiskfs]
Apr 26 08:27:15 l kernel: keys_fill+0x1c1/0x5c0 [obdclass]
Apr 26 08:27:15 l kernel: lu_context_init+0x279/0x440 [obdclass]
Apr 26 08:27:15 l kernel: ptlrpc_main+0x9c3/0x2e00 [ptlrpc]
Apr 26 08:27:15 l kernel: kthread+0x344/0x410
Apr 26 08:27:15 l kernel: ret_from_fork+0x24/0x50
Apr 26 08:27:15 l kernel:

In osd_ldiskfs_filldir() we check that the buffer has enough space for namelen bytes but we do not account for the possibility that it does not have enough space for presented_len.

        if ((void *)ent - it->oie_buf + sizeof(*ent) + namelen >
            OSD_IT_EA_BUFSIZE)
                RETURN(1);
....
                int presented_len = critical_chars(name, namelen);

                if (presented_len == namelen)
                        memcpy(ent->oied_name, name, namelen);
		else
                        namelen = critical_encode(name, namelen,
                                                  ent->oied_name);

                ent->oied_name[namelen] = '\0'; /* osd_ldiskfs_filldir+0x16c2 */

It also seems like the original check is wrong. It seems to be missing a +1 for the trailing NUL.

Whamcloud Community JIRA

[LU-15827] BUG: KASAN: slab-out-of-bounds in osd_ldiskfs_filldir+0x16c2/0x1860 [osd_ldiskfs]