lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOQ4uxj+enOZJiAJaCRnfb1soFS7aonJjHmLXiP3heQAFQoBqg@mail.gmail.com>
Date:   Sat, 25 Nov 2023 11:21:27 +0200
From:   Amir Goldstein <amir73il@...il.com>
To:     Jann Horn <jannh@...gle.com>
Cc:     syzbot <syzbot+477d8d8901756d1cbba1@...kaller.appspotmail.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-unionfs@...r.kernel.org, miklos@...redi.hu,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [overlayfs?] KASAN: invalid-free in ovl_copy_up_one

On Fri, Nov 24, 2023 at 5:26 PM Jann Horn <jannh@...gle.com> wrote:
>
> On Fri, Nov 24, 2023 at 4:11 PM Jann Horn <jannh@...gle.com> wrote:
> >
> > On Wed, Sep 27, 2023 at 5:10 PM syzbot
> > <syzbot+477d8d8901756d1cbba1@...kaller.appspotmail.com> wrote:
> > > syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> > >
> > > Reported-and-tested-by: syzbot+477d8d8901756d1cbba1@...kaller.appspotmail.com
> > >
> > > Tested on:
> > >
> > > commit:         8e9b46c4 ovl: do not encode lower fh with upper sb_wri..
> > > git tree:       https://github.com/amir73il/linux.git ovl_want_write
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10d10ffa680000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=bb54ecdfa197f132
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=477d8d8901756d1cbba1
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> >
> > It looks like the fix was submitted without the Reported-by tag, so
> > syzkaller doesn't recognize that the fix has landed... I'll tell
> > syzkaller now which commit the fix is supposed to be in, please
> > correct me if this is wrong:
> >
> > #syz fix: ovl: do not encode lower fh with upper sb_writers held
>
> (Ah, and just for the record: I hadn't realized when writing this that
> the fix was actually in a newer version of the same patch... "git

That is correct.
I am very thankful for syzbot with helping me catch bugs during development
and I would gladly attribute the bot and its owners, but I don't that
Reported-and-tested-by is an adequate tag for a bug that never existed as
far as git history.

Even Tested-by: syzbot could be misleading to stable kernel bots
that may conclude that the patch is a fix that needs to apply to stable.

I am open to suggestions.

Also maybe

#syz correction:

To tell syzbot we are not fixing a bug in upstream, but in a previous
version of a patch that it had tested.

> range-diff 44ef23e481b02df2f17599a24f81cf0045dc5256~1..44ef23e481b02df2f17599a24f81cf0045dc5256
> 5b02bfc1e7e3811c5bf7f0fa626a0694d0dbbd77~1..5b02bfc1e7e3811c5bf7f0fa626a0694d0dbbd77"
> shows an added "ovl_get_index_name", I guess that's the fix?)

No, that added ovl_get_index_name() seems like a fluke of the range-diff tool.
All the revisions of this patch always had this same minor change in this line:

-               err = ovl_get_index_name(ofs, c->lowerpath.dentry,
&c->destname);
+               err = ovl_get_index_name(ofs, origin, &c->destname);

The fix is obviously in the other part of the range-diff.

Thanks,
Amir.

                if (err)
     -                  return err;
    -+                  goto out;
    ++                  goto out_free_fh;
        } else if (WARN_ON(!c->parent)) {
                /* Disconnected dentry must be copied up to index dir */
     -          return -EIO;
     +          err = -EIO;
    -+          goto out;
    ++          goto out_free_fh;
        } else {
                /*
                 * Mark parent "impure" because it may now contain non-pure
    @@ fs/overlayfs/copy_up.c: static int ovl_do_copy_up(struct
ovl_copy_up_ctx *c)
                ovl_end_write(c->dentry);
                if (err)
     -                  return err;
    -+                  goto out;
    ++                  goto out_free_fh;
        }

        /* Should we copyup with O_TMPFILE or with workdir? */
    @@ fs/overlayfs/copy_up.c: static int ovl_do_copy_up(struct
ovl_copy_up_ctx *c)
      out:
        if (to_index)
                kfree(c->destname.name);
    ++out_free_fh:
     +  kfree(fh);
        return err;
      }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ