fs/exfat/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
KMSAN reported the following uninit-value access issue:
=====================================================
BUG: KMSAN: uninit-value in exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
__exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
__exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
exfat_truncate+0x121/0x540 fs/exfat/file.c:211
exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
notify_change+0x1934/0x1a30 fs/attr.c:499
do_truncate+0x224/0x2a0 fs/open.c:66
handle_truncate fs/namei.c:3280 [inline]
do_open fs/namei.c:3626 [inline]
path_openat+0x56c6/0x5f20 fs/namei.c:3779
do_filp_open+0x21c/0x5a0 fs/namei.c:3809
do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_creat fs/open.c:1531 [inline]
__se_sys_creat fs/open.c:1525 [inline]
__x64_sys_creat+0xe3/0x140 fs/open.c:1525
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was stored to memory at:
exfat_set_entry_time+0x302/0x360 fs/exfat/misc.c:99
__exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
__exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
exfat_truncate+0x121/0x540 fs/exfat/file.c:211
exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
notify_change+0x1934/0x1a30 fs/attr.c:499
do_truncate+0x224/0x2a0 fs/open.c:66
handle_truncate fs/namei.c:3280 [inline]
do_open fs/namei.c:3626 [inline]
path_openat+0x56c6/0x5f20 fs/namei.c:3779
do_filp_open+0x21c/0x5a0 fs/namei.c:3809
do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_creat fs/open.c:1531 [inline]
__se_sys_creat fs/open.c:1525 [inline]
__x64_sys_creat+0xe3/0x140 fs/open.c:1525
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Local variable ts created at:
__exfat_write_inode+0x102/0xdb0 fs/exfat/inode.c:29
__exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
CPU: 0 PID: 13839 Comm: syz-executor.7 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================
Commit 4c72a36edd54 ("exfat: convert to new timestamp accessors") changed
__exfat_write_inode() to use new timestamp accessor functions.
For mtime, inode_set_mtime_to_ts() is called only after
exfat_set_entry_time(), so `ts` is still uninitialized at the point where
exfat_set_entry_time() reads it; that is the access reported above. The
same applies to atime.
This patch resolves this issue by calling inode_get_mtime() and
inode_get_atime() before exfat_set_entry_time() to initialize `ts`.
Fixes: 4c72a36edd54 ("exfat: convert to new timestamp accessors")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
fs/exfat/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c
index 875234179d1f..e7ff58b8e68c 100644
--- a/fs/exfat/inode.c
+++ b/fs/exfat/inode.c
@@ -56,18 +56,18 @@ int __exfat_write_inode(struct inode *inode, int sync)
&ep->dentry.file.create_time,
&ep->dentry.file.create_date,
&ep->dentry.file.create_time_cs);
+ ts = inode_get_mtime(inode);
exfat_set_entry_time(sbi, &ts,
&ep->dentry.file.modify_tz,
&ep->dentry.file.modify_time,
&ep->dentry.file.modify_date,
&ep->dentry.file.modify_time_cs);
- inode_set_mtime_to_ts(inode, ts);
+ ts = inode_get_atime(inode);
exfat_set_entry_time(sbi, &ts,
&ep->dentry.file.access_tz,
&ep->dentry.file.access_time,
&ep->dentry.file.access_date,
NULL);
- inode_set_atime_to_ts(inode, ts);
/* File size should be zero if there is no cluster allocated */
on_disk_size = i_size_read(inode);
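Review bot: With the two inode_set_*_to_ts() calls removed, `ts` in this hunk is only a copy of the VFS time handed to exfat_set_entry_time() as a source, and nothing is written back to the inode any more; a short comment at the first new assignment would keep a future accessor conversion from re-adding the write-back, e.g. `/* ts is input only: VFS mtime/atime -> on-disk entry fields */`. Worth recording in the description too: before this fix the uninitialized stack value was stored into the directory entry's modify/access fields (the `&ep->dentry.file.*` arguments, where KMSAN reports "Uninit was stored to memory") and then copied into the in-memory inode, so besides a bogus timestamp this leaked a few bytes of kernel stack into the entry, presumably reaching the medium on write-back and userspace via stat(). The create-time call whose argument list ends at `&ep->dentry.file.create_time_cs`, and the declaration of `ts` at inode.c:29, start before this hunk, so whether the create-time path reads an initialized source cannot be verified here and should be checked separately.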
--
2.41.0
Hello,
A similar fix has already been queued in the dev branch.
Please refer to below commit.
Commit fc12a722e6b7 ("exfat: fix setting uninitialized time to
ctime/atime"):
https://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat.git/commit/
?h=dev&id=fc12a722e6b799d1d3c1520dc9ba9aab4fda04bf
Thanks.
B.R.
Sungjong Seo
> KMSAN reported the following uninit-value access issue:
>
> =====================================================
> BUG: KMSAN: uninit-value in exfat_set_entry_time+0x309/0x360
> fs/exfat/misc.c:99
> exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
> __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
> exfat_truncate+0x121/0x540 fs/exfat/file.c:211
> exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
> notify_change+0x1934/0x1a30 fs/attr.c:499
> do_truncate+0x224/0x2a0 fs/open.c:66
> handle_truncate fs/namei.c:3280 [inline] do_open fs/namei.c:3626
[inline]
> path_openat+0x56c6/0x5f20 fs/namei.c:3779
> do_filp_open+0x21c/0x5a0 fs/namei.c:3809
> do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440 do_sys_open fs/open.c:1455
> [inline] __do_sys_creat fs/open.c:1531 [inline] __se_sys_creat
> fs/open.c:1525 [inline]
> __x64_sys_creat+0xe3/0x140 fs/open.c:1525
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Uninit was stored to memory at:
> exfat_set_entry_time+0x302/0x360 fs/exfat/misc.c:99
> __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
> exfat_truncate+0x121/0x540 fs/exfat/file.c:211
> exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
> notify_change+0x1934/0x1a30 fs/attr.c:499
> do_truncate+0x224/0x2a0 fs/open.c:66
> handle_truncate fs/namei.c:3280 [inline] do_open fs/namei.c:3626
[inline]
> path_openat+0x56c6/0x5f20 fs/namei.c:3779
> do_filp_open+0x21c/0x5a0 fs/namei.c:3809
> do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440 do_sys_open fs/open.c:1455
> [inline] __do_sys_creat fs/open.c:1531 [inline] __se_sys_creat
> fs/open.c:1525 [inline]
> __x64_sys_creat+0xe3/0x140 fs/open.c:1525
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Local variable ts created at:
> __exfat_write_inode+0x102/0xdb0 fs/exfat/inode.c:29
> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
>
> CPU: 0 PID: 13839 Comm: syz-executor.7 Not tainted 6.6.0-14500-
> g1c41041124bd #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.16.2-1.fc38 04/01/2014
> =====================================================
>
> Commit 4c72a36edd54 ("exfat: convert to new timestamp accessors") changed
> __exfat_write_inode() to use new timestamp accessor functions.
>
> As for mtime, inode_set_mtime_to_ts() is called after
> exfat_set_entry_time(). This causes the above issue because `ts` is not
> initialized when exfat_set_entry_time() is called. The same issue can
> occur for atime.
>
> This patch resolves this issue by calling inode_get_mtime() and
> inode_get_atime() before exfat_set_entry_time() to initialize `ts`.
>
> Fixes: 4c72a36edd54 ("exfat: convert to new timestamp accessors")
> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
> ---
> fs/exfat/inode.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c index
> 875234179d1f..e7ff58b8e68c 100644
> --- a/fs/exfat/inode.c
> +++ b/fs/exfat/inode.c
> @@ -56,18 +56,18 @@ int __exfat_write_inode(struct inode *inode, int sync)
> &ep->dentry.file.create_time,
> &ep->dentry.file.create_date,
> &ep->dentry.file.create_time_cs);
> + ts = inode_get_mtime(inode);
> exfat_set_entry_time(sbi, &ts,
> &ep->dentry.file.modify_tz,
> &ep->dentry.file.modify_time,
> &ep->dentry.file.modify_date,
> &ep->dentry.file.modify_time_cs);
> - inode_set_mtime_to_ts(inode, ts);
> + ts = inode_get_atime(inode);
> exfat_set_entry_time(sbi, &ts,
> &ep->dentry.file.access_tz,
> &ep->dentry.file.access_time,
> &ep->dentry.file.access_date,
> NULL);
> - inode_set_atime_to_ts(inode, ts);
>
> /* File size should be zero if there is no cluster allocated */
> on_disk_size = i_size_read(inode);
> --
> 2.41.0
On Wed, 8 Nov 2023 13:35:17 +0900, Sungjong Seo wrote:
> Hello,
>
> A similar fix has already been queued in the dev branch.
> Please refer to below commit.
>
> Commit fc12a722e6b7 ("exfat: fix setting uninitialized time to
> ctime/atime"):
> https://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat.git/commit/
> ?h=dev&id=fc12a722e6b799d1d3c1520dc9ba9aab4fda04bf
Hi,
I had not noticed the commit you mentioned. Thank you so much for your
feedback!
Thanks,
Shigeru
> Thanks.
>
> B.R.
> Sungjong Seo
>
>> KMSAN reported the following uninit-value access issue:
>>
>> =====================================================
>> BUG: KMSAN: uninit-value in exfat_set_entry_time+0x309/0x360
>> fs/exfat/misc.c:99
>> exfat_set_entry_time+0x309/0x360 fs/exfat/misc.c:99
>> __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
>> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
>> exfat_truncate+0x121/0x540 fs/exfat/file.c:211
>> exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
>> notify_change+0x1934/0x1a30 fs/attr.c:499
>> do_truncate+0x224/0x2a0 fs/open.c:66
>> handle_truncate fs/namei.c:3280 [inline] do_open fs/namei.c:3626
> [inline]
>> path_openat+0x56c6/0x5f20 fs/namei.c:3779
>> do_filp_open+0x21c/0x5a0 fs/namei.c:3809
>> do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440 do_sys_open fs/open.c:1455
>> [inline] __do_sys_creat fs/open.c:1531 [inline] __se_sys_creat
>> fs/open.c:1525 [inline]
>> __x64_sys_creat+0xe3/0x140 fs/open.c:1525
>> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>>
>> Uninit was stored to memory at:
>> exfat_set_entry_time+0x302/0x360 fs/exfat/misc.c:99
>> __exfat_write_inode+0x7ae/0xdb0 fs/exfat/inode.c:59
>> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
>> exfat_truncate+0x121/0x540 fs/exfat/file.c:211
>> exfat_setattr+0x116c/0x1a40 fs/exfat/file.c:312
>> notify_change+0x1934/0x1a30 fs/attr.c:499
>> do_truncate+0x224/0x2a0 fs/open.c:66
>> handle_truncate fs/namei.c:3280 [inline] do_open fs/namei.c:3626
> [inline]
>> path_openat+0x56c6/0x5f20 fs/namei.c:3779
>> do_filp_open+0x21c/0x5a0 fs/namei.c:3809
>> do_sys_openat2+0x1ba/0x2f0 fs/open.c:1440 do_sys_open fs/open.c:1455
>> [inline] __do_sys_creat fs/open.c:1531 [inline] __se_sys_creat
>> fs/open.c:1525 [inline]
>> __x64_sys_creat+0xe3/0x140 fs/open.c:1525
>> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>>
>> Local variable ts created at:
>> __exfat_write_inode+0x102/0xdb0 fs/exfat/inode.c:29
>> __exfat_truncate+0x70e/0xb20 fs/exfat/file.c:163
>>
>> CPU: 0 PID: 13839 Comm: syz-executor.7 Not tainted 6.6.0-14500-
>> g1c41041124bd #10 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>> BIOS 1.16.2-1.fc38 04/01/2014
>> =====================================================
>>
>> Commit 4c72a36edd54 ("exfat: convert to new timestamp accessors") changed
>> __exfat_write_inode() to use new timestamp accessor functions.
>>
>> As for mtime, inode_set_mtime_to_ts() is called after
>> exfat_set_entry_time(). This causes the above issue because `ts` is not
>> initialized when exfat_set_entry_time() is called. The same issue can
>> occur for atime.
>>
>> This patch resolves this issue by calling inode_get_mtime() and
>> inode_get_atime() before exfat_set_entry_time() to initialize `ts`.
>>
>> Fixes: 4c72a36edd54 ("exfat: convert to new timestamp accessors")
>> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
>> ---
>> fs/exfat/inode.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/exfat/inode.c b/fs/exfat/inode.c index
>> 875234179d1f..e7ff58b8e68c 100644
>> --- a/fs/exfat/inode.c
>> +++ b/fs/exfat/inode.c
>> @@ -56,18 +56,18 @@ int __exfat_write_inode(struct inode *inode, int sync)
>> &ep->dentry.file.create_time,
>> &ep->dentry.file.create_date,
>> &ep->dentry.file.create_time_cs);
>> + ts = inode_get_mtime(inode);
>> exfat_set_entry_time(sbi, &ts,
>> &ep->dentry.file.modify_tz,
>> &ep->dentry.file.modify_time,
>> &ep->dentry.file.modify_date,
>> &ep->dentry.file.modify_time_cs);
>> - inode_set_mtime_to_ts(inode, ts);
>> + ts = inode_get_atime(inode);
>> exfat_set_entry_time(sbi, &ts,
>> &ep->dentry.file.access_tz,
>> &ep->dentry.file.access_time,
>> &ep->dentry.file.access_date,
>> NULL);
>> - inode_set_atime_to_ts(inode, ts);
>>
>> /* File size should be zero if there is no cluster allocated */
>> on_disk_size = i_size_read(inode);
>> --
>> 2.41.0
>
>