From: Mateusz Guzik
Date: Wed, 5 Feb 2025 13:18:04 +0100
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in vfs_readlink
To: "Theodore Ts'o"
Cc: Kees Cook, syzbot, akpm@linux-foundation.org, brauner@kernel.org, gustavoars@kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
In-Reply-To: <20250205052651.GD909029@mit.edu>
References: <67a1e1f4.050a0220.163cdc.0063.GAE@google.com> <202502040717.FCEFDB7E0@keescook> <20250204203059.GA909029@mit.edu> <20250205052651.GD909029@mit.edu>

On Wed, Feb 5, 2025 at 6:26 AM Theodore Ts'o wrote:
>
> On Tue, Feb 04, 2025 at 10:25:29PM +0100, Mateusz Guzik wrote:
> > >
> > > My question is if that's legitimate, I'm guessing not. If not, then
> > > ext4 should complain about it.
> > >
> > > On stock kernel this happens to work because strlen finds the "right" size.
> > >
> >
> > So it occurred to me to check what fsck thinks about it.
> >
> > I ran it twice in a row, it *removed* the problematic symlink.
>
> Can you show me what's in the problematic symlink? And does the
> syzbot reproducer trigger a problem before adding your symlink
> caching?
>
> What would be really great is if you could create a small focused test case
> that shows what's going on --- ideally something like a 100k file
> system, ala the file systems in the tests directory of the e2fsprogs
> sources....
>

Everything is in the first e-mail I sent you, albeit a little spread out.

Corrupted image:
https://storage.googleapis.com/syzbot-assets/7c2919610764/mount_0.gz

The bogus link is under file0/file1 and readlinks to
/tmp/syz-imagegen43743633/file0/file0.

ext4 sets i_size to 131109, while strlen on the thing is 37.

The problem happens to not reproduce with this testcase because of the
nul terminator in the corrupted symlink. Because of it the kernel prior
to my change only attempts to copy the 37 bytes.

Suppose the corrupted image got massaged to *NOT* have a nul terminator
in that symlink. Then the kernel-side ext4 code without my change would
still only nul terminate. So this:

        nd_terminate_link(ei->i_data, inode->i_size, sizeof(ei->i_data) - 1);

clamps it to whichever is lower -- inode->i_size or sizeof(ei->i_data) - 1.

The call added by my patch uses inode->i_size unconditionally and trips
over, so one could argue this is a bug on my end:

        inode_set_cached_link(inode, (char *)ei->i_data, inode->i_size);

It definitely fixes itself if one strlen()s and that would respect the
termination; I'm going to send a patch to that extent later.

However, that aside, there is definitely something going wrong with the
symlink to begin with (size vs actual size disparity) and the fs should
most likely reject it in the first place.

So for this particular case I argue my bug only manifested itself
because of the prior bug of ext4 accepting this link.

-- 
Mateusz Guzik
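Added example (not code from the thread or from the kernel): a userspace model of the clamping the e-mail describes, showing why an i_size taken as-is over-runs the 60-byte inline buffer while the nd_terminate_link()-style clamp plus a length measurement stays in bounds, and how a filesystem could reject the inode when the claimed size and the terminated length disagree. EXT4_N_BLOCKS (15 32-bit words) is the real ext4 inline capacity; struct fake_inode, check_inline_link and the sample targets (the thread's 37-byte link with i_size 131109, plus a constructed 60-byte target with no room for a NUL) are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* ext4 keeps short ("fast") symlink targets inline in the inode's i_data,
 * which is EXT4_N_BLOCKS 32-bit words, i.e. 60 bytes. */
#define EXT4_N_BLOCKS   15
#define EXT4_INLINE_MAX (EXT4_N_BLOCKS * sizeof(uint32_t))

/* Hypothetical stand-in for the two fields the thread talks about. */
struct fake_inode {
	uint64_t i_size;                  /* length claimed by the on-disk inode */
	char     i_data[EXT4_INLINE_MAX]; /* inline symlink target */
};

struct link_check {
	size_t claimed;    /* i_size as read from disk, what the buggy call passed on */
	size_t clamped;    /* min(i_size, sizeof(i_data) - 1), what nd_terminate_link() enforces */
	size_t actual;     /* string length after termination, what a strlen()-based fix sees */
	int    consistent; /* 1 only if claimed fits the buffer and equals actual */
};

/* Clamp the claimed length to the buffer, terminate there, then measure the
 * real string; a mismatch between claimed and measured is grounds to reject. */
static struct link_check check_inline_link(uint64_t i_size,
					   const char *target, size_t target_len)
{
	struct fake_inode ei = { .i_size = i_size };
	struct link_check r = { 0 };
	const char *nul;

	if (target_len > EXT4_INLINE_MAX)
		target_len = EXT4_INLINE_MAX;
	memcpy(ei.i_data, target, target_len); /* no NUL guaranteed, as in a "massaged" image */

	r.claimed = (size_t)ei.i_size;
	r.clamped = r.claimed < EXT4_INLINE_MAX - 1 ? r.claimed : EXT4_INLINE_MAX - 1;
	ei.i_data[r.clamped] = '\0';
	nul = memchr(ei.i_data, '\0', EXT4_INLINE_MAX);
	r.actual = nul ? (size_t)(nul - ei.i_data) : EXT4_INLINE_MAX;
	r.consistent = (ei.i_size < EXT4_INLINE_MAX) && (r.actual == ei.i_size);
	return r;
}

/* Constructed samples: the thread's 37-byte target, and a 60-byte one that fills i_data. */
#define SAMPLE_TARGET "/tmp/syz-imagegen43743633/file0/file0"
#define SAMPLE_FULL   "/tmp/syz-imagegen43743633/file0/file0/file0/file0/file0/file"

int main(void)
{
	struct link_check bad = check_inline_link(131109, SAMPLE_TARGET, strlen(SAMPLE_TARGET));
	printf("corrupt: claimed=%zu clamped=%zu actual=%zu consistent=%d\n",
	       bad.claimed, bad.clamped, bad.actual, bad.consistent);
	return 0;
}
```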