iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
882,099 Commits 104 Branches 1,843 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Johannes Thumshirn aded5dee7f btrfs: fix overflow when copying corrupt csums for a message 
commit 35be8851d172c6e3db836c0f28c19087b10c9e00 upstream.

Syzkaller reported a buffer overflow in btree_readpage_end_io_hook()
when loop mounting a crafted image:

  detected buffer overflow in memcpy
  ------------[ cut here ]------------
  kernel BUG at lib/string.c:1129!
  invalid opcode: 0000 [#1] PREEMPT SMP KASAN
  CPU: 1 PID: 26 Comm: kworker/u4:2 Not tainted 5.9.0-rc4-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Workqueue: btrfs-endio-meta btrfs_work_helper
  RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
  RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
  RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
  RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
  RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
  R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
  R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
  FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000557335f440d0 CR3: 000000009647d000 CR4: 00000000001506e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   memcpy include/linux/string.h:405 [inline]
   btree_readpage_end_io_hook.cold+0x206/0x221 fs/btrfs/disk-io.c:642
   end_bio_extent_readpage+0x4de/0x10c0 fs/btrfs/extent_io.c:2854
   bio_endio+0x3cf/0x7f0 block/bio.c:1449
   end_workqueue_fn+0x114/0x170 fs/btrfs/disk-io.c:1695
   btrfs_work_helper+0x221/0xe20 fs/btrfs/async-thread.c:318
   process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
   worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
   kthread+0x3b5/0x4a0 kernel/kthread.c:292
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
  Modules linked in:
  ---[ end trace b68924293169feef ]---
  RIP: 0010:fortify_panic+0xf/0x20 lib/string.c:1129
  RSP: 0018:ffffc90000e27980 EFLAGS: 00010286
  RAX: 0000000000000022 RBX: ffff8880a80dca64 RCX: 0000000000000000
  RDX: ffff8880a90860c0 RSI: ffffffff815dba07 RDI: fffff520001c4f22
  RBP: ffff8880a80dca00 R08: 0000000000000022 R09: ffff8880ae7318e7
  R10: 0000000000000000 R11: 0000000000077578 R12: 00000000ffffff6e
  R13: 0000000000000008 R14: ffffc90000e27a40 R15: 1ffff920001c4f3c
  FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f95b7c4d008 CR3: 000000009647d000 CR4: 00000000001506e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

The overflow happens, because in btree_readpage_end_io_hook() we assume
that we have found a 4 byte checksum instead of the real possible 32
bytes we have for the checksums.

With the fix applied:

[   35.726623] BTRFS: device fsid 815caf9a-dc43-4d2a-ac54-764b8333d765 devid 1 transid 5 /dev/loop0 scanned by syz-repro (215)
[   35.738994] BTRFS info (device loop0): disk space caching is enabled
[   35.738998] BTRFS info (device loop0): has skinny extents
[   35.743337] BTRFS warning (device loop0): loop0 checksum verify failed on 1052672 wanted 0xf9c035fc8d239a54 found 0x67a25c14b7eabcf9 level 0
[   35.743420] BTRFS error (device loop0): failed to read chunk root
[   35.745899] BTRFS error (device loop0): open_ctree failed

Reported-by: syzbot+e864a35d361e1d4e29a5@syzkaller.appspotmail.com
Fixes: d5178578bcd4 ("btrfs: directly call into crypto framework for checksumming")
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-01 13:18:24 +02:00
arch
x86/ioapic: Unbreak check_timer()
2020-10-01 13:18:22 +02:00
block
block: only call sched requeue_request() for scheduled requests
2020-09-23 12:40:37 +02:00
certs
PKCS#7: Refactor verify_pkcs7_signature()
2019-08-05 18:40:18 -04:00
crypto
crypto: af_alg - Work around empty control messages without MSG_MORE
2020-09-03 11:27:05 +02:00
Documentation
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
2020-10-01 13:17:58 +02:00
drivers
s390/dasd: Fix zero write for FBA devices
2020-10-01 13:18:23 +02:00
fs
btrfs: fix overflow when copying corrupt csums for a message
2020-10-01 13:18:24 +02:00
include
kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot
2020-10-01 13:18:23 +02:00
init
kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot
2020-10-01 13:18:23 +02:00
ipc
ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
2020-05-20 08:20:16 +02:00
kernel
kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot
2020-10-01 13:18:23 +02:00
lib
lib/string.c: implement stpcpy
2020-10-01 13:18:23 +02:00
LICENSES
LICENSES: Rename other to deprecated
2019-05-03 06:34:32 -06:00
mm
mm: validate pmd after splitting
2020-10-01 13:18:21 +02:00
net
lib80211: fix unmet direct dependendices config warning when !CRYPTO
2020-10-01 13:18:20 +02:00
samples
bpf: Fix fds_example SIGSEGV error
2020-08-19 08:16:03 +02:00
scripts
checkpatch: fix the usage of capture group ( ... )
2020-09-09 19:12:37 +02:00
security
device_cgroup: Fix RCU list debugging warning
2020-10-01 13:18:13 +02:00
sound
ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520
2020-10-01 13:18:22 +02:00
tools
objtool: Fix noreturn detection for ignored functions
2020-10-01 13:18:15 +02:00
usr
initramfs: restore default compression behavior
2020-04-08 09:08:38 +02:00
virt
KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
2020-10-01 13:17:56 +02:00
.clang-format
clang-format: Update with the latest for_each macro list
2019-08-31 10:00:51 +02:00
.cocciconfig
.get_maintainer.ignore
Opt out of scripts/get_maintainer.pl
2019-05-16 10:53:40 -07:00
.gitattributes
.gitignore
Modules updates for v5.4
2019-09-22 10:34:46 -07:00
.mailmap
ARM: SoC fixes
2019-11-10 13:41:59 -08:00
COPYING
COPYING: use the new text with points to the license files
2018-03-23 12:41:45 -06:00
CREDITS
MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer
2019-10-10 08:12:51 -07:00
Kbuild
kbuild: do not descend to ./Kbuild when cleaning
2019-08-21 21:03:58 +09:00
Kconfig
docs: kbuild: convert docs to ReST and rename to *.rst
2019-06-14 14:21:21 -06:00
MAINTAINERS
Documentation/llvm: add documentation on building w/ Clang/LLVM
2020-08-26 10:40:46 +02:00
Makefile
Linux 5.4.68
2020-09-26 18:03:16 +02:00
README
Drop all 00-INDEX files from Documentation/
2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
Description
No description provided
Readme 5.7 GiB
Languages
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%