Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

xfs: validate log record version against superblock log version

Syzbot creates a fuzzed record where xfs_has_logv2() but the
xlog_rec_header h_version != XLOG_VERSION_2. This causes a
KASAN: slab-out-of-bounds read in xlog_do_recovery_pass() ->
xlog_recover_process() -> xlog_cksum().

Fix by adding a check to xlog_valid_rec_header() to abort journal
recovery if the xlog_rec_header h_version does not match the super
block log version.

A file system with a version 2 log will only ever set
XLOG_VERSION_2 in its headers (and v1 will only ever set V_1), so if
there is any mismatch, either the journal or the superblock has been
corrupted and therefore we abort processing with a -EFSCORRUPTED error
immediately.

Also, refactor the structure of the validity checks for better
readability. At the default error level (LOW), XFS_IS_CORRUPT() emits
the condition that failed, the file and line number it is
located at, then dumps the stack. This gives us everything we need
to know about the failure if we do a single validity check per
XFS_IS_CORRUPT().

Reported-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c
Tested-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Fixes: 45cf976008dd ("xfs: fix log recovery buffer allocation for the legacy h_size fixup")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
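The gap the commit message describes, reproduced in userspace as an added example (not code from the kernel or this commit): the pre-fix check only requires h_version to be non-zero and within XLOG_VERSION_OKBITS, so a v1 record header on a v2 log passes, while the fixed check requires exactly the version the superblock implies. The struct is a trimmed stand-in for xlog_rec_header, the sample header is constructed, and EFSCORRUPTED is assumed to be Linux's EUCLEAN (117).

```c
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>  /* htonl/ntohl: log header fields are big-endian on disk */

/* On-disk constants from the XFS log format; EFSCORRUPTED assumed = EUCLEAN (117). */
#define XLOG_HEADER_MAGIC_NUM 0xFEEDbabe
#define XLOG_VERSION_1        1
#define XLOG_VERSION_2        2
#define XLOG_VERSION_OKBITS   (XLOG_VERSION_1 | XLOG_VERSION_2)
#define EFSCORRUPTED          117

/* Trimmed stand-in for xlog_rec_header: only the fields this check consults. */
struct rec_header {
	uint32_t h_magicno;
	uint32_t h_version;
};

/* Pre-fix logic: any non-zero version inside OKBITS passes; the superblock is never consulted. */
int old_valid_rec_header(bool sb_has_logv2, const struct rec_header *rh)
{
	uint32_t version = ntohl(rh->h_version);
	(void)sb_has_logv2;
	if (ntohl(rh->h_magicno) != XLOG_HEADER_MAGIC_NUM)
		return -EFSCORRUPTED;
	if (!version || (version & ~XLOG_VERSION_OKBITS))
		return -EFSCORRUPTED;
	return 0;
}

/* Post-fix logic: the header must carry exactly the version the superblock implies. */
int new_valid_rec_header(bool sb_has_logv2, const struct rec_header *rh)
{
	uint32_t version = ntohl(rh->h_version);
	uint32_t expected = sb_has_logv2 ? XLOG_VERSION_2 : XLOG_VERSION_1;
	if (ntohl(rh->h_magicno) != XLOG_HEADER_MAGIC_NUM)
		return -EFSCORRUPTED;
	if (version != expected)
		return -EFSCORRUPTED;
	return 0;
}

/* Constructed record with a valid magic and the given version, run through either check. */
int check_record(bool use_fix, bool sb_has_logv2, uint32_t version)
{
	struct rec_header rh = { htonl(XLOG_HEADER_MAGIC_NUM), htonl(version) };
	return use_fix ? new_valid_rec_header(sb_has_logv2, &rh)
		       : old_valid_rec_header(sb_has_logv2, &rh);
}
```

The syzbot shape is `check_record(use_fix, true, XLOG_VERSION_1)`: the old check returns 0 and recovery proceeds, the fixed check returns -EFSCORRUPTED.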

Authored by Raphael Pinsonneault-Thibeault and committed by Carlos Maiolino
44b9553c 0ead3b72
+16 -11
fs/xfs/xfs_log_recover.c
··· 2953 2953 xfs_daddr_t blkno, 2954 2954 int bufsize) 2955 2955 { 2956 + struct xfs_mount *mp = log->l_mp; 2957 + u32 h_version = be32_to_cpu(rhead->h_version); 2956 2958 int hlen; 2957 2959 2958 - if (XFS_IS_CORRUPT(log->l_mp, 2960 + if (XFS_IS_CORRUPT(mp, 2959 2961 rhead->h_magicno != cpu_to_be32(XLOG_HEADER_MAGIC_NUM))) 2960 2962 return -EFSCORRUPTED; 2961 - if (XFS_IS_CORRUPT(log->l_mp, 2962 - (!rhead->h_version || 2963 - (be32_to_cpu(rhead->h_version) & 2964 - (~XLOG_VERSION_OKBITS))))) { 2965 - xfs_warn(log->l_mp, "%s: unrecognised log version (%d).", 2966 - __func__, be32_to_cpu(rhead->h_version)); 2967 - return -EFSCORRUPTED; 2963 + 2964 + /* 2965 + * The log version must match the superblock 2966 + */ 2967 + if (xfs_has_logv2(mp)) { 2968 + if (XFS_IS_CORRUPT(mp, h_version != XLOG_VERSION_2)) 2969 + return -EFSCORRUPTED; 2970 + } else { 2971 + if (XFS_IS_CORRUPT(mp, h_version != XLOG_VERSION_1)) 2972 + return -EFSCORRUPTED; 2968 2973 } 2969 2974 2970 2975 /* ··· 2977 2972 * and h_len must not be greater than LR buffer size. 2978 2973 */ 2979 2974 hlen = be32_to_cpu(rhead->h_len); 2980 - if (XFS_IS_CORRUPT(log->l_mp, hlen <= 0 || hlen > bufsize)) 2975 + if (XFS_IS_CORRUPT(mp, hlen <= 0 || hlen > bufsize)) 2981 2976 return -EFSCORRUPTED; 2982 2977 2983 - if (XFS_IS_CORRUPT(log->l_mp, 2984 - blkno > log->l_logBBsize || blkno > INT_MAX)) 2978 + if (XFS_IS_CORRUPT(mp, blkno > log->l_logBBsize || blkno > INT_MAX)) 2985 2979 return -EFSCORRUPTED; 2980 + 2986 2981 return 0; 2987 2982 } 2988 2983
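Review bot: dropping the xfs_warn() in the first hunk means the version value actually read from disk is no longer reported; XFS_IS_CORRUPT() prints the failed expression (`h_version != XLOG_VERSION_2`), file and line, but not what h_version was, which is the one datum that distinguishes a stray v1 header on a v2 log from a completely garbage field. Consider keeping a single warning before the return in both branches, e.g. `xfs_warn(mp, "%s: log version (%u) does not match superblock", __func__, h_version);`, so the dumped stack is accompanied by the offending value. Minor style point in the same hunk: the three-line block comment "The log version must match the superblock" fits the usual single-line `/* ... */` form.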