From: Jan Kara
Date: Wed, 5 Feb 2025 19:21:04 +0100
To: syzbot
Cc: akpm@linux-foundation.org, brauner@kernel.org, gustavoars@kernel.org, kees@kernel.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mjguzik@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in vfs_readlink
In-Reply-To: <67a1e1f4.050a0220.163cdc.0063.GAE@google.com>
References: <67a1e1f4.050a0220.163cdc.0063.GAE@google.com>

On Tue 04-02-25 01:46:28, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1258aeb0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=57ab43c279fa614d
> dashboard link: https://syzkaller.appspot.com/bug?extid=48a99e426f29859818c0
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15825724580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1658aeb0580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ea84ac864e92/disk-69b8923f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/6a465997b4e0/vmlinux-69b8923f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/d72b67b2bd15/bzImage-69b8923f.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/7c2919610764/mount_0.gz
>
> The issue was bisected to:
>
> commit bae80473f7b0b25772619e7692019b1549d4a82c
> Author: Mateusz Guzik
> Date:   Wed Nov 20 11:20:35 2024 +0000
>
>     ext4: use inode_set_cached_link()
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1248c3df980000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=1148c3df980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1648c3df980000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+48a99e426f29859818c0@syzkaller.appspotmail.com
> Fixes: bae80473f7b0 ("ext4: use inode_set_cached_link()")

Please check attached patch:

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

								Honza
-- 
Jan Kara
SUSE Labs, CR

--rbk7j4upftqdugse
Content-Type: text/x-patch; charset=us-ascii
Content-Disposition: attachment; filename="0001-ext4-Verify-fast-symlink-length.patch"

From df00b84402fb67d94a9eb6b86633092983cb388c Mon Sep 17 00:00:00 2001
From: Jan Kara
Date: Wed, 5 Feb 2025 19:02:35 +0100
Subject: [PATCH] ext4: Verify fast symlink length

Verify fast symlink length stored in inode->i_size matches the string
stored in the inode to avoid surprises from corrupted filesystems.

Reported-by: syzbot+48a99e426f29859818c0@syzkaller.appspotmail.com
Fixes: bae80473f7b0 ("ext4: use inode_set_cached_link()")
Suggested-by: "Darrick J. Wong"
Signed-off-by: Jan Kara
---
 fs/ext4/inode.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 7c54ae5fcbd4..fbda5a67f7f9 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5007,8 +5007,16 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
 		inode->i_op = &ext4_encrypted_symlink_inode_operations;
 	} else if (ext4_inode_is_fast_symlink(inode)) {
 		inode->i_op = &ext4_fast_symlink_inode_operations;
-		nd_terminate_link(ei->i_data, inode->i_size,
-			sizeof(ei->i_data) - 1);
+		if (inode->i_size == 0 ||
+		    inode->i_size >= EXT4_N_BLOCKS * 4 ||
+		    strnlen((char *)ei->i_data, inode->i_size + 1) !=
+							inode->i_size) {
+			ext4_error_inode(inode, function, line, 0,
+					 "invalid fast symlink length %llu",
+					 (unsigned long long)inode->i_size);
+			ret = -EFSCORRUPTED;
+			goto bad_inode;
+		}
 		inode_set_cached_link(inode, (char *)ei->i_data,
 				      inode->i_size);
 	} else {
-- 
2.43.0

--rbk7j4upftqdugse--
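Review bot: the new bound `inode->i_size >= EXT4_N_BLOCKS * 4` replaces the `sizeof(ei->i_data) - 1` bound that the removed `nd_terminate_link()` call used with a literal; writing it as `inode->i_size >= sizeof(ei->i_data)` keeps the limit tied to the array it protects and makes it visible that the following `strnlen((char *)ei->i_data, inode->i_size + 1)` scan stays inside the buffer. That in-bounds property depends on the `||` ordering (the size test must short-circuit before `strnlen()` runs), so a one-line comment above the `if` would spare the next reader from re-deriving it. The `ext4_error_inode()` message reports only the claimed `i_size`; also reporting the length `strnlen()` found would let someone triaging a corrupted image tell a stale `i_size` apart from an unterminated target. The `ret = -EFSCORRUPTED; goto bad_inode;` path matches the other corruption exits in `__ext4_iget()`, so no change needed there.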
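To show what each of the patch's three conditions rejects, here is an added userspace model of the check run against constructed inode contents. It is not ext4 code and not part of the patch: `EXT4_N_BLOCKS = 15` and the 60-byte `i_data` array follow ext4's layout, while `toy_inode`, `make_inode()` and `fast_symlink_len_valid()` are names invented for this example.

```c
/* Added example, not ext4 code and not part of the patch above: a userspace
 * model of the fast-symlink length check, exercised on constructed inode
 * contents.  EXT4_N_BLOCKS = 15 and the 60-byte i_data array follow ext4's
 * layout; toy_inode, make_inode() and fast_symlink_len_valid() are names
 * made up for this example. */
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EXT4_N_BLOCKS 15                    /* 12 direct + ind + dind + tind */
#define FAST_LINK_BUF (EXT4_N_BLOCKS * 4)   /* i_data: 15 x __le32 = 60 bytes */

/* Stand-in for the two inode fields the check reads. */
struct toy_inode {
    unsigned long long i_size;      /* on-disk claim: length of the target */
    char i_data[FAST_LINK_BUF];     /* a fast symlink stores its target here */
};

/* Same three conditions, in the same order, as the patch.  The order matters:
 * the size bound guarantees i_size + 1 <= sizeof(i_data), so the strnlen()
 * scan that follows cannot run past the end of i_data. */
bool fast_symlink_len_valid(const struct toy_inode *ino)
{
    if (ino->i_size == 0)
        return false;               /* empty target */
    if (ino->i_size >= FAST_LINK_BUF)
        return false;               /* claimed length cannot fit in i_data */
    if (strnlen(ino->i_data, ino->i_size + 1) != ino->i_size)
        return false;               /* NUL before i_size, or no NUL at i_size */
    return true;
}

/* Construct an inode image: fill i_data with non-NUL filler (modelling stale
 * bytes), copy the target in, terminate it only when asked, and record
 * whatever length the on-disk inode claims. */
struct toy_inode make_inode(const char *target, unsigned long long claimed,
                            bool terminated)
{
    struct toy_inode ino;
    size_t n = strlen(target);

    if (n > FAST_LINK_BUF - 1)
        n = FAST_LINK_BUF - 1;      /* keep a possible terminator inside i_data */
    memset(ino.i_data, 'A', sizeof(ino.i_data));
    memcpy(ino.i_data, target, n);
    if (terminated)
        ino.i_data[n] = '\0';
    ino.i_size = claimed;
    return ino;
}

int main(void)
{
    /* Constructed cases: one consistent inode and four kinds of corruption. */
    const struct { const char *what; struct toy_inode ino; } cases[] = {
        { "consistent",            make_inode("/etc/hostname", 13, true)  },
        { "i_size beyond the NUL", make_inode("/etc/hostname", 20, true)  },
        { "target unterminated",   make_inode("/etc/hostname", 13, false) },
        { "zero length",           make_inode("/etc/hostname", 0, true)   },
        { "i_size past i_data",    make_inode("/etc/hostname", 64, true)  },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s i_size=%-3llu -> %s\n", cases[i].what, cases[i].ino.i_size,
               fast_symlink_len_valid(&cases[i].ino) ? "ok" : "EFSCORRUPTED");
    return 0;
}
```

The `strnlen(..., i_size + 1)` comparison is what makes the check two-sided: a NUL earlier than `i_size` yields a shorter count, and a target with no NUL within `i_size` bytes yields `i_size + 1`, so both a stale length and an unterminated target are refused before the string is cached for `readlink()`.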