lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Nov 2023 17:21:20 +0100
From:   Jann Horn <jannh@...gle.com>
To:     syzbot <syzbot+12e098239d20385264d3@...kaller.appspotmail.com>
Cc:     clm@...com, dsterba@...e.com, josef@...icpanda.com,
        linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in __kernel_write_iter

On Mon, Oct 10, 2022 at 9:04 AM syzbot
<syzbot+12e098239d20385264d3@...kaller.appspotmail.com> wrote:
> HEAD commit:    a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
> compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12e098239d20385264d3@...kaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
[...]
>  __kernel_write fs/read_write.c:537 [inline]
>  kernel_write+0x1c5/0x340 fs/read_write.c:558
>  write_buf fs/btrfs/send.c:590 [inline]
>  send_header fs/btrfs/send.c:708 [inline]
>  send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
>  btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
>  _btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
>  btrfs_ioctl+0x5eb/0xc10
>  vfs_ioctl fs/ioctl.c:51 [inline]

The issue here is that BTRFS_IOC_SEND looks up an fd with fget() and
then writes into it with kernel_write(). Luckily the ioctl requires
CAP_SYS_ADMIN, and also Linux >=5.8 bails out on __kernel_write() on a
read-only file, so this has no security impact.

I'm about to send a fix, let's have syzkaller check it beforehand:

#syz test https://github.com/thejh/linux.git 573fd2562e0f

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ