Date: Thu, 6 Feb 2025 10:43:23 +0100
From: Jan Kara
To: Kees Cook
Cc: Jan Kara, syzbot, akpm@linux-foundation.org, brauner@kernel.org, gustavoars@kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mjguzik@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in vfs_readlink
References: <67a1e1f4.050a0220.163cdc.0063.GAE@google.com> <202502051031.2CF8D96392@keescook>
In-Reply-To: <202502051031.2CF8D96392@keescook>
On Wed 05-02-25 10:39:37, Kees Cook wrote:
> On Wed, Feb 05, 2025 at 07:21:04PM +0100, Jan Kara wrote:
> > On Tue 04-02-25 01:46:28, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
> > > git tree:       upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1258aeb0580000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=57ab43c279fa614d
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=48a99e426f29859818c0
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15825724580000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1658aeb0580000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/ea84ac864e92/disk-69b8923f.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/6a465997b4e0/vmlinux-69b8923f.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/d72b67b2bd15/bzImage-69b8923f.xz
> > > mounted in repro: https://storage.googleapis.com/syzbot-assets/7c2919610764/mount_0.gz
> > >
> > > The issue was bisected to:
> > >
> > > commit bae80473f7b0b25772619e7692019b1549d4a82c
> > > Author: Mateusz Guzik
> > > Date:   Wed Nov 20 11:20:35 2024 +0000
> > >
> > >     ext4: use inode_set_cached_link()
> > >
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1248c3df980000
> > > final oops:     https://syzkaller.appspot.com/x/report.txt?x=1148c3df980000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1648c3df980000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+48a99e426f29859818c0@syzkaller.appspotmail.com
> > > Fixes: bae80473f7b0 ("ext4: use inode_set_cached_link()")
> >
> > Please check attached patch:
> >
> > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> >
> > Honza
> > --
> > Jan Kara
> > SUSE Labs, CR
>
> > From df00b84402fb67d94a9eb6b86633092983cb388c Mon Sep 17 00:00:00 2001
> > From: Jan Kara
> > Date: Wed, 5 Feb 2025 19:02:35 +0100
> > Subject: [PATCH] ext4: Verify fast symlink length
> >
> > Verify fast symlink length stored in inode->i_size matches the string
> > stored in the inode to avoid surprises from corrupted filesystems.
> >
> > Reported-by: syzbot+48a99e426f29859818c0@syzkaller.appspotmail.com
> > Fixes: bae80473f7b0 ("ext4: use inode_set_cached_link()")
> > Suggested-by: "Darrick J. Wong"
> > Signed-off-by: Jan Kara
> > ---
> >  fs/ext4/inode.c | 12 ++++++++++--
> >  1 file changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> > index 7c54ae5fcbd4..fbda5a67f7f9 100644
> > --- a/fs/ext4/inode.c
> > +++ b/fs/ext4/inode.c
> > @@ -5007,8 +5007,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
> > inode->i_op = &ext4_encrypted_symlink_inode_operations;
> > } else if (ext4_inode_is_fast_symlink(inode)) {
> > inode->i_op = &ext4_fast_symlink_inode_operations;
> > - nd_terminate_link(ei->i_data, inode->i_size,
> > - sizeof(ei->i_data) - 1);
> > + if (inode->i_size == 0 ||
> > + inode->i_size >= EXT4_N_BLOCKS * 4 ||
>
> This took me a while to understand. ei->i_data is u32[15]. It looks like
> EXT4_N_BLOCKS is also 15. I feel like it would be much more readable to
> have the above check be:
>
> inode->i_size >= sizeof(ei->i_data) ||
>
> instead of using a literal "4" for sizeof(u32) as "4", and having a
> EXT4_N_BLOCKS standing in for the literal "15" in i_data.
> sizeof(ei->i_data) is precisely what is being checked, so why not use
> it?

Yeah, I've used the traditional way ext4 uses for this (e.g. in
ext4_inode_is_fast_symlink()) but I agree it is rather cryptic for those not
intimately familiar with ext4 on-disk format. Switched to the sizeof() as
you suggested. Thanks for the review!

Honza

> And while at it, the definition of i_data could be adjusted to use
> EXT4_N_BLOCKS, e.g.:
>
> struct ext4_inode_info {
> __le32 i_data[EXT4_N_BLOCKS]; /* unconverted */
>
> ?
>
> > + strnlen((char *)ei->i_data, inode->i_size + 1) !=
> > + inode->i_size) {
> > + ext4_error_inode(inode, function, line, 0,
> > + "invalid fast symlink length %llu",
> > + (unsigned long long)inode->i_size);
> > + ret = -EFSCORRUPTED;
> > + goto bad_inode;
> > + }
>
> But regardless, yes, the math checks out, and looks correct to me.
>
> > inode_set_cached_link(inode, (char *)ei->i_data,
> > inode->i_size);
> > } else {
> > --
> > 2.43.0
> >
>
> -Kees
>
> --
> Kees Cook

--
Jan Kara
SUSE Labs, CR
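Review bot: removing the nd_terminate_link() call changes how a fast symlink whose inline target is not NUL-terminated on disk is treated, and the commit message should say so. The old lines wrote the terminator themselves at min(i_size, sizeof(ei->i_data) - 1); the new test `strnlen((char *)ei->i_data, inode->i_size + 1) != inode->i_size` requires the NUL to already sit at offset i_size, and otherwise fails the whole inode with -EFSCORRUPTED instead of patching it up. That is the stricter and safer behaviour, but an inode written by some tool without the terminator now becomes unreadable rather than being silently repaired, which is worth one sentence in the log. A second point for the same hunk: the order of the three `||` conditions is load-bearing and deserves a comment, because strnlen() may only scan i_size + 1 bytes when the preceding `inode->i_size >= EXT4_N_BLOCKS * 4` (or `sizeof(ei->i_data)`, as discussed) test has already bounded i_size below the array size; reorder the chain and the length check itself reads past ei->i_data. Finally, the `inode->i_size == 0` branch turns an empty target into a corruption error rather than an empty link; if that is intended, a short comment on why an empty fast symlink is invalid would save the next reader the same detour Kees describes.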
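As an added illustration of the check the patch introduces (example code written for this page, not ext4 or kernel code), the following userspace model applies the same three conditions to a 60-byte inline target and shows, on constructed inode images, which corruptions each condition catches and why their order matters. It also models the removed code path (nd_terminate_link() followed by caching i_size unchecked) to show how an oversized i_size turns into a read past the array, which is what the hardened-usercopy report was about. The struct, enum and function names are the example's own; `bounded_strlen()` has the same contract as the strnlen() call in the patch; the i_data size follows the thread's description (EXT4_N_BLOCKS = 15 32-bit words). All sample inodes are constructed inline.

```c
/*
 * Added example, not ext4 or kernel code: a userspace model of the fast
 * symlink length check proposed in the patch above.  A fast symlink keeps
 * its target inline in the inode's i_data array (EXT4_N_BLOCKS 32-bit
 * words, 60 bytes) and its length in i_size.  Names below are the
 * example's own; only the two fields the check reads are modelled.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_N_BLOCKS 15

struct fast_symlink_inode {
	uint32_t i_data[EXT4_N_BLOCKS]; /* inline target, 60 bytes */
	uint64_t i_size;                /* claimed target length, from disk */
};

enum link_verdict {
	LINK_OK = 0,
	LINK_ERR_EMPTY,          /* i_size == 0 */
	LINK_ERR_TOO_LONG,       /* i_size >= sizeof(i_data): no room for a NUL */
	LINK_ERR_BAD_TERMINATOR  /* NUL before i_size, or no NUL at i_size */
};

/* Same contract as strnlen(): length of s, scanning at most maxlen bytes. */
static size_t bounded_strlen(const char *s, size_t maxlen)
{
	size_t n = 0;

	while (n < maxlen && s[n] != '\0')
		n++;
	return n;
}

/*
 * The patch's three conditions, in the patch's order.  The size bound must
 * come before the scan: it guarantees i_size + 1 <= sizeof(i_data), so the
 * bounded scan never leaves the array.
 */
static enum link_verdict verify_fast_symlink(const struct fast_symlink_inode *ei)
{
	const char *link = (const char *)ei->i_data;

	if (ei->i_size == 0)
		return LINK_ERR_EMPTY;
	if (ei->i_size >= sizeof(ei->i_data))
		return LINK_ERR_TOO_LONG;
	if (bounded_strlen(link, ei->i_size + 1) != ei->i_size)
		return LINK_ERR_BAD_TERMINATOR;
	return LINK_OK;
}

/*
 * Model of the removed path: nd_terminate_link() wrote a NUL at
 * min(i_size, sizeof(i_data) - 1), then i_size was cached, unchecked, as
 * the length readlink() later copies out.  Returns how many bytes beyond
 * i_data that copy would read.
 */
static size_t old_path_overread(struct fast_symlink_inode *ei)
{
	char *s = (char *)ei->i_data;
	size_t maxlen = sizeof(ei->i_data) - 1;

	s[ei->i_size > maxlen ? maxlen : ei->i_size] = '\0';
	return ei->i_size > sizeof(ei->i_data) ? (size_t)(ei->i_size - sizeof(ei->i_data)) : 0;
}

/*
 * Constructed inode image: the target is stored NUL-terminated, as a writer
 * would store it, while i_size is set independently, as a corrupted image
 * may have it.
 */
static struct fast_symlink_inode make_inode(const char *target, uint64_t claimed_size)
{
	struct fast_symlink_inode ei;
	size_t len = strlen(target);

	memset(&ei, 0, sizeof(ei)); /* zero fill supplies the terminator */
	if (len > sizeof(ei.i_data) - 1)
		len = sizeof(ei.i_data) - 1;
	memcpy(ei.i_data, target, len);
	ei.i_size = claimed_size;
	return ei;
}

/* Verdict for a stored target whose i_size claims claimed_size. */
static enum link_verdict check_claimed(const char *target, uint64_t claimed_size)
{
	struct fast_symlink_inode ei = make_inode(target, claimed_size);

	return verify_fast_symlink(&ei);
}

/* A full 60-byte i_data with no terminator anywhere and i_size = 59. */
static enum link_verdict check_unterminated(void)
{
	struct fast_symlink_inode ei = make_inode("", 59);

	memset(ei.i_data, 'A', sizeof(ei.i_data));
	return verify_fast_symlink(&ei);
}

/* Bytes past i_data the old path would have copied for a claimed size. */
static size_t overread_for(uint64_t claimed_size)
{
	struct fast_symlink_inode ei = make_inode("/etc/hostname", claimed_size);

	return old_path_overread(&ei);
}

int main(void)
{
	printf("consistent 13/13:          %d\n", check_claimed("/etc/hostname", 13));
	printf("i_size 0:                  %d\n", check_claimed("/etc/hostname", 0));
	printf("i_size 4096:               %d, old path overreads %zu bytes\n",
	       check_claimed("/etc/hostname", 4096), overread_for(4096));
	printf("NUL before i_size (20):    %d\n", check_claimed("/etc/hostname", 20));
	printf("no NUL at all, i_size 59:  %d\n", check_unterminated());
	return 0;
}
```

The boundary is at 59: a 59-byte target with its NUL in byte 60 is the longest fast symlink that passes, and i_size 60 is rejected before any scan happens. The unterminated case is the one the old nd_terminate_link() call used to repair silently and the new check now reports as corruption.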