Re: [syzbot] [ntfs?] WARNING in do_open_execat

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Christian Brauner <brauner@kernel.org>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: Kees Cook <keescook@chromium.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	syzbot <syzbot+6ec38f7a8db3b3fb1002@syzkaller.appspotmail.com>,
	anton@tuxera.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux-ntfs-dev@lists.sourceforge.net,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [syzbot] [ntfs?] WARNING in do_open_execat
Date: Sat, 19 Aug 2023 13:34:38 +0200	[thread overview]
Message-ID: <20230819-geblendet-energetisch-a90a2886216c@brauner> (raw)
In-Reply-To: <20230818191239.3cprv2wncyyy5yxj@f>

On Fri, Aug 18, 2023 at 09:12:39PM +0200, Mateusz Guzik wrote:
> On Fri, Aug 18, 2023 at 10:33:26AM -0700, Kees Cook wrote:
> > This is a double-check I left in place, since it shouldn't have been reachable:
> > 
> >         /*
> >          * may_open() has already checked for this, so it should be
> >          * impossible to trip now. But we need to be extra cautious
> >          * and check again at the very end too.
> >          */
> >         err = -EACCES;
> >         if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
> >                          path_noexec(&file->f_path)))
> >                 goto exit;
> > 
> 
> As I mentioned in my other e-mail, the check is racy -- an unlucky
> enough remounting with noexec should trip over it, and probably a chmod
> too.
> 
> However, that's not what triggers the warn in this case.
> 
> The ntfs image used here is intentionally corrupted and the inode at
> hand has a mode of 777 (as in type not specified).
> 
> Then the type check in may_open():
>         switch (inode->i_mode & S_IFMT) {
> 
> fails to match anything.
> 
> This debug printk:
> diff --git a/fs/namei.c b/fs/namei.c
> index e56ff39a79bc..05652e8a1069 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3259,6 +3259,10 @@ static int may_open(struct mnt_idmap *idmap, const struct path *path,
>                 if ((acc_mode & MAY_EXEC) && path_noexec(path))
>                         return -EACCES;
>                 break;
> +       default:
> +               /* bogus mode! */
> +               printk(KERN_EMERG "got bogus mode inode!\n");
> +               return -EACCES;
>         }
> 
>         error = inode_permission(idmap, inode, MAY_OPEN | acc_mode);
> 
> catches it.
> 
> All that said, I think adding a WARN_ONCE here is prudent, but I
> don't know if denying literally all opts is the way to go.
> 
> Do other filesystems have provisions to prevent inodes like this from
> getting here?

Bugs reported against the VFS from ntfs/ntfs3 are to be treated with
extreme caution. Frankly, if it isn't reproducible without a corrupted
ntfs/ntfs3 image it is to be dismissed until further notice.

In this case it simply seems that ntfs is failing at ensuring that its
own inodes it reads from disk have a well-defined type.

If ntfs fails to validate that its own inodes it puts into the icache
are correctly initialized then the vfs doesn't need to try and taper
over this.

If ntfs fails at that, there's no guarantee that it doesn't also fail at
setting the correct i_ops for that inode. At which point we can check
the type in may_open() but we already used bogus i_ops the whole time on
some other inodes.

We're not here to make up for silly bugs like this. That WARN belongs
into ntfs not the vfs.

next prev parent reply	other threads:[~2023-08-19 11:34 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <000000000000c74d44060334d476@google.com>
     [not found] ` <87o7j471v8.fsf@email.froward.int.ebiederm.org>
2023-08-18 17:33   ` Kees Cook
2023-08-18 17:43     ` Matthew Wilcox
2023-08-18 17:56       ` Kees Cook
2023-08-18 19:12     ` Mateusz Guzik
2023-08-19 11:34       ` Christian Brauner [this message]
2023-08-19 20:03         ` Mateusz Guzik
2023-08-19 19:16       ` Theodore Ts'o
     [not found]   ` <20230818173625.by6bud4u7uz2k4be@f>
2023-08-18 20:59     ` Eric W. Biederman
     [not found] ` <000000000000f67b790613665d7a@google.com>
2024-03-11 18:48   ` [syzbot] [ntfs3?] " Jan Kara
2024-03-11 19:01     ` Mateusz Guzik
2024-03-12 12:06       ` Jan Kara
2024-03-12 12:44         ` Mateusz Guzik

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230819-geblendet-energetisch-a90a2886216c@brauner \
    --to=brauner@kernel.org \
    --cc=anton@tuxera.com \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-ntfs-dev@lists.sourceforge.net \
    --cc=mjguzik@gmail.com \
    --cc=syzbot+6ec38f7a8db3b3fb1002@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox