From: "Pankaj Raghav (Samsung)" <kernel@pankajraghav.com>
To: Dave Chinner <david@fromorbit.com>
Cc: "Darrick J. Wong" <djwong@kernel.org>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
mcgrof@kernel.org, gost.dev@samsung.com,
akpm@linux-foundation.org, kbusch@kernel.org,
chandan.babu@oracle.com, p.raghav@samsung.com,
linux-kernel@vger.kernel.org, hare@suse.de, willy@infradead.org,
linux-mm@kvack.org
Subject: Re: [RFC v2 12/14] xfs: make the calculation generic in xfs_sb_validate_fsb_count()
Date: Wed, 14 Feb 2024 16:51:22 +0100
Message-ID: <2h5ikaxcij2rpekaenf2fnlh4dquwpnkjy7eaqfwk75tbkkmuw@ehbfsjjumgdp>
In-Reply-To: <Zcvw1rrE4CiVzkmc@dread.disaster.area>
> > I was thinking of the possibility of an overflow, but at the moment the
> > blocklog is capped at 16 (65536 bytes), right? mkfs refuses any block
> > sizes more than 64k. And we have a check for this in xfs_validate_sb_common()
> > in the kernel, which will catch it before this happens?
>
> The sb_blocklog is checked in the superblock verifier when we first read in the
> superblock:
>
> sbp->sb_blocksize < XFS_MIN_BLOCKSIZE ||
> sbp->sb_blocksize > XFS_MAX_BLOCKSIZE ||
> sbp->sb_blocklog < XFS_MIN_BLOCKSIZE_LOG ||
> sbp->sb_blocklog > XFS_MAX_BLOCKSIZE_LOG ||
> sbp->sb_blocksize != (1 << sbp->sb_blocklog) ||
>
> #define XFS_MAX_BLOCKSIZE_LOG 16
>
> However, we pass mp->m_sb.sb_dblocks or m_sb.sb_rblocks to this
> function, and they are validated by the same verifier as invalid
> if:
>
> sbp->sb_dblocks > XFS_MAX_DBLOCKS(sbp)
>
> #define XFS_MAX_DBLOCKS(s) ((xfs_rfsblock_t)(s)->sb_agcount *
> (s)->sb_agblocks)
>
> Which means as long as someone can corrupt some combination of
> sb_dblocks, sb_agcount and sb_agblocks that allows sb_dblocks to be
> greater than 2^48 on a 64kB fsb fs, then the above code:
>
> uint64_t bytes = nblocks << sbp->sb_blocklog;
>
> will overflow.
>
> I also suspect that we can feed a huge rtdev to this new code
> and have it overflow without needing to corrupt the superblock in
> any way....
So we could use check_mul_overflow to detect these cases:
diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 596aa2cdefbc..23faa993fb80 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -132,8 +132,12 @@ xfs_sb_validate_fsb_count(
uint64_t nblocks)
{
ASSERT(sbp->sb_blocklog >= BBSHIFT);
- unsigned long mapping_count;
- uint64_t bytes = nblocks << sbp->sb_blocklog;
+ uint64_t mapping_count;
+ uint64_t bytes;
+
+ if (check_mul_overflow(nblocks, (1 << sbp->sb_blocklog), &bytes))
+ return -EFBIG;
if (!IS_ENABLED(CONFIG_XFS_LBS))
ASSERT(PAGE_SHIFT >= sbp->sb_blocklog);
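Review bot: the multiplier `(1 << sbp->sb_blocklog)` in the new `check_mul_overflow()` call is an `int` intermediate while `nblocks` and `bytes` are `uint64_t`; since the quantity being guarded is `nblocks << sbp->sb_blocklog`, `check_shl_overflow(nblocks, sbp->sb_blocklog, &bytes)` from linux/overflow.h expresses that directly and sidesteps the int-width intermediate (if the multiply form is kept, `1ULL << sbp->sb_blocklog` gives the same effect). Separately, the new `uint64_t mapping_count;` and `uint64_t bytes;` declarations sit after the `ASSERT(sbp->sb_blocklog >= BBSHIFT);` statement in this hunk; moving the ASSERT below the declarations avoids a declaration-after-statement warning and reads as the rest of xfs_mount.c does.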
>
> -Dave.
> --
> Dave Chinner
> david@fromorbit.com
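The overflow Dave describes, modelled in user space as an added example (this is not code from the patch or from the XFS tree): a 64 kB block size means `nblocks << sb_blocklog` wraps once `sb_dblocks` reaches 2^48, and a checked multiply rejects that input instead of carrying the wrapped byte count forward. `__builtin_mul_overflow` stands in for the kernel's `check_mul_overflow()`, `XFS_MAX_BLOCKSIZE_LOG` is the value quoted in the thread, and the `fsb_bytes_*` names, the `EFBIG` stand-in and the sample block counts are assumptions made for this model only.

```c
/*
 * Added example (not from the patch or the XFS tree): a user-space model of
 * the overflow discussed above. It reproduces "bytes = nblocks << sb_blocklog"
 * with a 64 kB block size and shows a checked multiply rejecting the input
 * that would wrap. __builtin_mul_overflow is what the kernel's
 * check_mul_overflow() wraps; everything else here is a constructed stand-in.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XFS_MAX_BLOCKSIZE_LOG 16   /* from the quoted superblock verifier */
#define EFBIG 27                   /* user-space stand-in for the kernel errno */

/* Unchecked form: the shift silently wraps once nblocks >= 2^(64 - blocklog). */
uint64_t fsb_bytes_unchecked(uint64_t nblocks, uint8_t blocklog)
{
	return nblocks << blocklog;
}

/*
 * Checked form: returns 0 and stores the byte count, or -EFBIG when
 * nblocks * block size does not fit in 64 bits. The multiplier is built as a
 * 64-bit value so the intermediate cannot overflow an int either.
 */
int fsb_bytes_checked(uint64_t nblocks, uint8_t blocklog, uint64_t *bytes)
{
	uint64_t blocksize;

	if (blocklog > XFS_MAX_BLOCKSIZE_LOG)
		return -EFBIG;
	blocksize = (uint64_t)1 << blocklog;
	if (__builtin_mul_overflow(nblocks, blocksize, bytes))
		return -EFBIG;
	return 0;
}

/* true when the unchecked shift has wrapped, i.e. it disagrees with the checked result */
bool shift_wrapped(uint64_t nblocks, uint8_t blocklog)
{
	uint64_t bytes;

	if (fsb_bytes_checked(nblocks, blocklog, &bytes) != 0)
		return true;
	return bytes != fsb_bytes_unchecked(nblocks, blocklog);
}

int main(void)
{
	/* constructed inputs: a sane fs and one with sb_dblocks pushed to 2^48 */
	uint64_t sane = (uint64_t)1 << 40;
	uint64_t huge = (uint64_t)1 << 48;
	uint64_t bytes;

	printf("sane: wrapped=%d rc=%d\n", shift_wrapped(sane, 16),
	       fsb_bytes_checked(sane, 16, &bytes));
	printf("huge: unchecked=%llu wrapped=%d rc=%d\n",
	       (unsigned long long)fsb_bytes_unchecked(huge, 16),
	       shift_wrapped(huge, 16), fsb_bytes_checked(huge, 16, &bytes));
	return 0;
}
```

With blocklog 16 the unchecked shift of 2^48 blocks yields 0 bytes, which a later size comparison would happily accept; the checked form returns -EFBIG for it and still accepts 2^48 - 1 blocks, the largest count whose byte total fits in 64 bits.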