Re: KASAN: stack-out-of-bounds in iov_iter_revert

Pavel Begunkov <asml.silence@xxxxxxxxx> · Sun, 1 Aug 2021 01:10:35 +0100

On 7/31/21 7:21 PM, Sudip Mukherjee wrote:
> Hi Jens, Pavel,
> 
> We had been running syzkaller on v5.10.y and a "KASAN:
> stack-out-of-bounds in iov_iter_revert" was being reported on it. I
> got some time to check that today and have managed to get a syzkaller
> reproducer. I dont have a C reproducer which I can share but I can use
> the syz-reproducer to reproduce this with v5.14-rc3 and also with
> next-20210730.

Can you try out the diff below? Not a full-fledged fix, but need to
check a hunch.

If that's important, I was using this branch:
git://git.kernel.dk/linux-block io_uring-5.14

diff --git a/fs/io_uring.c b/fs/io_uring.c
index bf548af0426c..fdcd25eca67d 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3316,6 +3316,10 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
 		/* no retry on NONBLOCK nor RWF_NOWAIT */
 		if (req->flags & REQ_F_NOWAIT)
 			goto done;
+		if (WARN_ON_ONCE(iter->truncated)) {
+			iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+			iter->truncated = 0;
+		}
 		/* some cases will consume bytes even on error returns */
 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
 		ret = 0;
@@ -3455,6 +3459,10 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 		kiocb_done(kiocb, ret2, issue_flags);
 	} else {
 copy_iov:
+		if (WARN_ON_ONCE(iter->truncated)) {
+			iov_iter_reexpand(iter, iov_iter_count(iter) + iter->truncated);
+			iter->truncated = 0;
+		}
 		/* some cases will consume bytes even on error returns */
 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
diff --git a/include/linux/uio.h b/include/linux/uio.h
index 82c3c3e819e0..eff06d139fd4 100644
--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -30,6 +30,7 @@ enum iter_type {
 struct iov_iter {
 	u8 iter_type;
 	bool data_source;
+	u16 truncated;
 	size_t iov_offset;
 	size_t count;
 	union {
@@ -254,8 +255,10 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
 	 * conversion in assignement is by definition greater than all
 	 * values of size_t, including old i->count.
 	 */
-	if (i->count > count)
+	if (i->count > count) {
+		i->truncated += i->count - count;
 		i->count = count;
+	}
 }
 
 /*
@@ -264,6 +267,8 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count)
  */
 static inline void iov_iter_reexpand(struct iov_iter *i, size_t count)
 {
+	WARN_ON_ONCE(i->count > count);
+	i->truncated -= count - i->count;
 	i->count = count;
 }






