From: Ghadi Elie Rahme
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 0/1] [SRU][O, N, M][PATCH 0/1] Fix UBSAN array-index-out-of-bounds in bcache/bset.c
Date: Tue, 2 Jul 2024 00:54:49 +0300
Message-ID: <20240701215450.812112-1-ghadi.rahme@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2039368

[Impact]

Currently there are UBSAN warnings that show up when running bcache on jammy HWE, Mantic and noble. For now, no side effects have been observed, but such an issue could potentially cause a crash or corrupt data.

[Fix]

There is currently a fix upstream provided by the following patch:

* 3a861560ccb3 "bcache: fix variable length array abuse in btree_iter"

[Test Case]

1. Set up bcache on a jammy HWE kernel or mantic or noble machine. This can be done following the steps in this wiki: https://wiki.ubuntu.com/ServerTeam/Bcache
2. Restart the machine
3. After restarting the machine, the following UBSAN warnings and call traces can be seen in dmesg:

[ 3.824281] UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-QmAt2N/linux-hwe-6.5-6.5.0/drivers/md/bcache/bset.c:1098:3
[ 3.826338] index 4 is out of range for type 'btree_iter_set [4]'
[ 3.826812] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 3.827817] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 3.828835] Workqueue: events register_cache_worker [bcache]
[ 3.829429] Call Trace:
[ 3.830626]
[ 3.831638] dump_stack_lvl+0x48/0x70
[ 3.832227] dump_stack+0x10/0x20
[ 3.832785] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 3.833357] bch_btree_iter_push+0x4e6/0x4f0 [bcache]
[ 3.834052] bch_btree_node_read_done+0xfc/0x450 [bcache]
[ 3.834653] ? mempool_kfree+0xe/0x20
[ 3.835211] bch_btree_node_read+0xf8/0x1e0 [bcache]
[ 3.835832] ? __pfx_closure_sync_fn+0x10/0x10 [bcache]
[ 3.836474] bch_btree_node_get.part.0+0x160/0x340 [bcache]
[ 3.837161] ? __bch_btree_ptr_invalid+0x60/0xd0 [bcache]
[ 3.837838] ? __pfx_up_write+0x10/0x10
[ 3.838739] bch_btree_node_get+0x16/0x30 [bcache]
[ 3.844949]

[ 4.029242] UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-QmAt2N/linux-hwe-6.5-6.5.0/drivers/md/bcache/bset.c:1207:3
[ 4.030496] index 14 is out of range for type 'btree_iter_set [4]'
[ 4.030930] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.031841] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.032650] Workqueue: events register_cache_worker [bcache]
[ 4.033149] Call Trace:
[ 4.033549]
[ 4.033972] dump_stack_lvl+0x48/0x70
[ 4.034418] dump_stack+0x10/0x20
[ 4.034839] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 4.035279] btree_mergesort+0x4d4/0x520 [bcache]
[ 4.035730] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.036191] ? __pfx_bch_extent_sort_cmp+0x10/0x10 [bcache]
[ 4.036691] __btree_sort+0x96/0x2d0 [bcache]
[ 4.037182] bch_btree_sort_and_fix_extents+0x1d/0x40 [bcache]
[ 4.037674] bch_btree_node_read_done+0x34d/0x450 [bcache]
[ 4.038172] ? mempool_kfree+0xe/0x20
[ 4.038617] bch_btree_node_read+0xf8/0x1e0 [bcache]
[ 4.039120] ? __pfx_closure_sync_fn+0x10/0x10 [bcache]
[ 4.039659] bch_btree_node_get.part.0+0x160/0x340 [bcache]
[ 4.040220] ? __bch_btree_ptr_invalid+0x60/0xd0 [bcache]
[ 4.040806] ? __pfx_up_write+0x10/0x10
[ 4.041371] bch_btree_node_get+0x16/0x30 [bcache]
[ 4.048339]

[ 4.227653] UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-QmAt2N/linux-hwe-6.5-6.5.0/drivers/md/bcache/extents.c:281:4
[ 4.228847] index 4 is out of range for type 'btree_iter_set [4]'
[ 4.229472] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.230680] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.231954] Workqueue: events register_cache_worker [bcache]
[ 4.232690] Call Trace:
[ 4.233327]
[ 4.233935] dump_stack_lvl+0x48/0x70
[ 4.234568] dump_stack+0x10/0x20
[ 4.235219] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 4.235833] bch_extent_sort_fixup+0xb95/0xd70 [bcache]
[ 4.236524] ? __ubsan_handle_out_of_bounds+0xee/0x110
[ 4.237159] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.237839] btree_mergesort+0x221/0x520 [bcache]
[ 4.238823] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.239800] __btree_sort+0x96/0x2d0 [bcache]
[ 4.240880] bch_btree_sort_and_fix_extents+0x1d/0x40 [bcache]
[ 4.243046] bch_btree_node_read_done+0x34d/0x450 [bcache]
[ 4.245223] ? mempool_kfree+0xe/0x20
[ 4.246311] bch_btree_node_read+0xf8/0x1e0 [bcache]
[ 4.247410] ? __pfx_closure_sync_fn+0x10/0x10 [bcache]
[ 4.248471] bch_btree_node_get.part.0+0x160/0x340 [bcache]
[ 4.248959] ? __bch_btree_ptr_invalid+0x60/0xd0 [bcache]
[ 4.249454] ? __pfx_up_write+0x10/0x10
[ 4.249904] bch_btree_node_get+0x16/0x30 [bcache]
[ 4.255145]

[ 4.257388] UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-QmAt2N/linux-hwe-6.5-6.5.0/drivers/md/bcache/extents.c:36:18
[ 4.258429] index 14 is out of range for type 'btree_iter_set [4]'
[ 4.258964] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.260073] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.261188] Workqueue: events register_cache_worker [bcache]
[ 4.261811] Call Trace:
[ 4.262374]
[ 4.262912] dump_stack_lvl+0x48/0x70
[ 4.263502] dump_stack+0x10/0x20
[ 4.264042] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 4.264605] bch_extent_sort_fixup+0xbe5/0xd70 [bcache]
[ 4.265218] ? __ubsan_handle_out_of_bounds+0xee/0x110
[ 4.265821] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.266514] btree_mergesort+0x221/0x520 [bcache]
[ 4.267234] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.267882] __btree_sort+0x96/0x2d0 [bcache]
[ 4.268508] bch_btree_sort_and_fix_extents+0x1d/0x40 [bcache]
[ 4.269144] bch_btree_node_read_done+0x34d/0x450 [bcache]
[ 4.269825] ? mempool_kfree+0xe/0x20
[ 4.270489] bch_btree_node_read+0xf8/0x1e0 [bcache]
[ 4.271243] ? __pfx_closure_sync_fn+0x10/0x10 [bcache]
[ 4.272293] bch_btree_node_get.part.0+0x160/0x340 [bcache]
[ 4.273260] ? __bch_btree_ptr_invalid+0x60/0xd0 [bcache]
[ 4.274182] ? __pfx_up_write+0x10/0x10
[ 4.274973] bch_btree_node_get+0x16/0x30 [bcache]
[ 4.284807]

[ 4.286129] UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-QmAt2N/linux-hwe-6.5-6.5.0/drivers/md/bcache/extents.c:291:4
[ 4.286791] index 4 is out of range for type 'btree_iter_set [4]'
[ 4.287231] CPU: 13 PID: 184 Comm: kworker/13:1 Not tainted 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 4.288033] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 4.288863] Workqueue: events register_cache_worker [bcache]
[ 4.289340] Call Trace:
[ 4.289753]
[ 4.290168] dump_stack_lvl+0x48/0x70
[ 4.290581] dump_stack+0x10/0x20
[ 4.290984] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 4.291432] bch_extent_sort_fixup+0xb77/0xd70 [bcache]
[ 4.291882] ? __ubsan_handle_out_of_bounds+0xee/0x110
[ 4.292309] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.292764] btree_mergesort+0x221/0x520 [bcache]
[ 4.293225] ? __pfx_bch_ptr_invalid+0x10/0x10 [bcache]
[ 4.293683] __btree_sort+0x96/0x2d0 [bcache]
[ 4.294153] bch_btree_sort_and_fix_extents+0x1d/0x40 [bcache]
[ 4.294631] bch_btree_node_read_done+0x34d/0x450 [bcache]
[ 4.295175] ? mempool_kfree+0xe/0x20
[ 4.295671] bch_btree_node_read+0xf8/0x1e0 [bcache]
[ 4.296257] ? __pfx_closure_sync_fn+0x10/0x10 [bcache]
[ 4.296834] bch_btree_node_get.part.0+0x160/0x340 [bcache]
[ 4.297446] ? __bch_btree_ptr_invalid+0x60/0xd0 [bcache]
[ 4.298087] ? __pfx_up_write+0x10/0x10
[ 4.298678] bch_btree_node_get+0x16/0x30 [bcache]
[ 4.306037]

[Where problems could occur]

* The patch modifies the way bcache allocates space to the btree iterator. The main problems that could occur are different UBSAN warnings showing up that could possibly trigger a crash much more easily than the current array-index-out-of-bounds being observed.

Matthew Mirvish (1):
  bcache: fix variable length array abuse in btree_iter

 drivers/md/bcache/bset.c      | 44 +++++++++++++++++------------------
 drivers/md/bcache/bset.h      | 28 ++++++++++++++--------
 drivers/md/bcache/btree.c     | 40 ++++++++++++++++---------------
 drivers/md/bcache/super.c     |  5 ++--
 drivers/md/bcache/sysfs.c     |  2 +-
 drivers/md/bcache/writeback.c | 10 ++++----
 6 files changed, 70 insertions(+), 59 deletions(-)

Acked-by: Stefan Bader
Acked-by: Paolo Pisati
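As an added illustration, not code from the patch or from the kernel: a constructed model of the iterator shape the patch title describes, where the set array is a flexible array member with an explicit recorded size instead of a fixed [MAX_BSETS] bound that the allocation then exceeds (the "index 4" and "index 14" warnings above). Only MAX_BSETS, btree_iter and btree_iter_set are bcache names; the storage union, the iter_* helpers and the sample keys are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of bcache's btree iterator, not the kernel's code. */
#define MAX_BSETS 4
struct btree_iter_set { const uint64_t *k, *end; }; /* [k, end) is one sorted run */
/* Flexible array member: the type no longer hard-codes [MAX_BSETS]; 'size'
 * records how many sets the backing storage really holds. */
struct btree_iter {
    size_t size, used;
    struct btree_iter_set data[];
};
/* Stack storage for the common case: the union supplies MAX_BSETS entries behind data[]. */
union btree_iter_stack {
    struct btree_iter iter;
    unsigned char raw[sizeof(struct btree_iter) + MAX_BSETS * sizeof(struct btree_iter_set)];
};

static struct btree_iter *iter_init_stack(union btree_iter_stack *s)
{
    s->iter.size = MAX_BSETS; s->iter.used = 0;
    return &s->iter;
}

/* Heap storage when more than MAX_BSETS sets must be merged (the "index 14" case). */
static struct btree_iter *iter_alloc(size_t nsets)
{
    struct btree_iter *it = malloc(sizeof(*it) + nsets * sizeof(it->data[0]));
    if (it) { it->size = nsets; it->used = 0; }
    return it;
}

/* Bounds-checked push: returns 0 and refuses rather than write past storage. */
static int iter_push(struct btree_iter *it, const uint64_t *k, size_t n)
{
    if (it->used >= it->size) return 0;
    it->data[it->used++] = (struct btree_iter_set){ k, k + n };
    return 1;
}

/* Merge step: pop the smallest head key across all runs; 0 means exhausted. */
static uint64_t iter_next(struct btree_iter *it)
{
    size_t i, best = it->size;
    for (i = 0; i < it->used; i++)
        if (it->data[i].k < it->data[i].end &&
            (best == it->size || *it->data[i].k < *it->data[best].k))
            best = i;
    return best == it->size ? 0 : *it->data[best].k++;
}
```

The stack variant covers the common four-set read path without allocation; a merge over more sets asks for explicitly sized heap storage, so an over-count fails the push instead of indexing past the declared array.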