lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 24 Oct 2022 08:06:51 +0800
From:   Ian Kent <raven@...maw.net>
To:     Hugh Dickins <hughd@...gle.com>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc:     syzbot <syzbot+db1d2ea936378be0e4ea@...kaller.appspotmail.com>,
        syzkaller-bugs@...glegroups.com,
        Andrew Morton <akpm@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
        Carlos Maiolino <cmaiolino@...hat.com>,
        David Howells <dhowells@...hat.com>,
        kernel test robot <oliver.sang@...el.com>,
        Miklos Szeredi <miklos@...redi.hu>,
        Siddhesh Poyarekar <siddhesh@...plt.org>,
        Theodore Ts'o <tytso@....edu>,
        Hawkins Jiawei <yin31149@...il.com>
Subject: Re: [syzbot] general protection fault in _parse_integer_fixup_radix

On 24/10/22 02:50, Hugh Dickins wrote:
> On Sun, 23 Oct 2022, Tetsuo Handa wrote:
>
>> syzbot is reporting that "vfs: parse: deal with zero length string value"
>> in linux-next.git broke tmpfs's mount option parsing, for tmpfs is expecting that
>> vfs_parse_fs_string() returning 0 implies that param.string != NULL.
>>
>> The "nr_inodes" parameter for tmpfs is interpreted as "nr_inodes=$integer", but
>> the addition of
>>
>> 	if (!v_size) {
>> 		param.string = NULL;
>> 		param.type = fs_value_is_empty;
>> 	} else {
>>
>> to vfs_parse_fs_string() and
>>
>> 	if (param->type == fs_value_is_empty)
>> 		return 0;
>>
>> to fs_param_is_string() broke expectation by tmpfs.
>>
>>    Parsing an fs string that has zero length should result in the parameter
>>    being set to NULL so that downstream processing handles it correctly.
>>
>> is wrong and
>>
>>    Parsing an fs string that has zero length should result in invalid argument
>>    error so that downstream processing does not dereference NULL param.string
>>    field.

It's not quite as simple at that.


Not allowing a zero length string will break cases where mount "source"

can be empty.


Maybe parsing of "source" would be better handled separately, rather than

with options handling code, it is slightly different ... mmm ... I'll check

the reported cases ...


Ian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ