Re: KASAN: use-after-free Read in iov_iter_alignment

Jan Kara <jack@xxxxxxx> · Mon, 16 Dec 2019 11:58:07 +0100

On Mon 16-12-19 11:48:36, Jan Kara wrote:
> On Tue 03-12-19 08:10:37, Dave Chinner wrote:
> > [cc linux-ext4@xxxxxxxxxxxxxxx - this is reported from the new ext4
> > dio->iomap code]
> > 
> > On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > > compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+bea68382bae9490e7dd6@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > 
...

> > Looks like buffered read IO on a loopback device on an ext4 image
> > file, and something is being tripped over in the new ext4 direct IO
> > path.  Might be an iomap issue, might be an ext4 issue, but it looks
> > like the buffered read bio completion is running while the iov is
> > still being submitted...
> 
> Looking a bit more into this, I'm pretty sure this is caused by commit
> 8cefc107ca54c "pipe: Use head and tail pointers for the ring, not cursor
> and length". The pipe dereference it has added to iov_iter_alignment() is
> just bogus for all iter types except for pipes. I'll send a fix.

For reference the fix I've sent is attached.

								Honza

-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
>From bc27e20fdd29b97b45015e1443128b4d3ff9455e Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Mon, 16 Dec 2019 11:44:14 +0100
Subject: [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()

We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
ring_size load to a branch in iov_iter_alignment() where we've already
checked the iter is a pipe to avoid bogus dereference.

Reported-by: syzbot+bea68382bae9490e7dd6@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
Signed-off-by: Jan Kara <jack@xxxxxxx>
---
 lib/iov_iter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

 Al, David, not sure who's going to merge this so sending to both :).

								Honza

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index fb29c02c6a3c..51595bf3af85 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1222,11 +1222,12 @@ EXPORT_SYMBOL(iov_iter_discard);
 
 unsigned long iov_iter_alignment(const struct iov_iter *i)
 {
-	unsigned int p_mask = i->pipe->ring_size - 1;
 	unsigned long res = 0;
 	size_t size = i->count;
 
 	if (unlikely(iov_iter_is_pipe(i))) {
+		unsigned int p_mask = i->pipe->ring_size - 1;
+
 		if (size && i->iov_offset && allocated(&i->pipe->bufs[i->head & p_mask]))
 			return size | i->iov_offset;
 		return size;
-- 
2.16.4





