[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240806065836.GN5334@ZenIV>
Date: Tue, 6 Aug 2024 07:58:36 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Lizhi Xu <lizhi.xu@...driver.com>
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, phillip@...ashfs.org.uk,
squashfs-devel@...ts.sourceforge.net,
syzbot+24ac24ff58dc5b0d26b9@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH V7] squashfs: Add symlink size check in squash_read_inode
On Tue, Aug 06, 2024 at 02:19:12PM +0800, Lizhi Xu wrote:
> > However, you seem to find some problem in the latter form, and
> > your explanations of the reasons have been hard to understand.
> Here are the uninit-value related calltrace reports from syzbot:
>
> page_get_link()->
> read_mapping_page()->
> read_cache_page()->
> do_read_cache_page()->
> do_read_cache_folio()->
> filemap_read_folio()->
> squashfs_symlink_read_folio()
>
> fs/squashfs/symlink.c
> 8 static int squashfs_symlink_read_folio(struct file *file, struct folio *folio)
> 7 {
> 6 struct inode *inode = folio->mapping->host;
> 5 struct super_block *sb = inode->i_sb;
> 4 struct squashfs_sb_info *msblk = sb->s_fs_info;
> 3 int index = folio_pos(folio);
> 2 u64 block = squashfs_i(inode)->start;
> 1 int offset = squashfs_i(inode)->offset;
> 41 int length = min_t(int, i_size_read(inode) - index, PAGE_SIZE);
>
> Please see line 41, because the value of i_size is too large, causing integer overflow
> in the variable length. Which can result in folio not being initialized (as reported by
> Syzbot: "KMSAN: uninit-value in pick_link").
What does that have to do with anything? In the code you've quoted, ->i_size - index
is explicitly cast to signed 32bit. _That_ will wrap around. On typecast. Nothing
of that sort would be present in
if (inode->i_size > PAGE_SIZE)
as you could have verified easily.
At that point the only thing I can recommend is googling for "first law of holes".
Powered by blists - more mailing lists