lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240806065836.GN5334@ZenIV>
Date: Tue, 6 Aug 2024 07:58:36 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Lizhi Xu <lizhi.xu@...driver.com>
Cc: brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org, phillip@...ashfs.org.uk,
	squashfs-devel@...ts.sourceforge.net,
	syzbot+24ac24ff58dc5b0d26b9@...kaller.appspotmail.com,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH V7] squashfs: Add symlink size check in squash_read_inode

On Tue, Aug 06, 2024 at 02:19:12PM +0800, Lizhi Xu wrote:

> > However, you seem to find some problem in the latter form, and
> > your explanations of the reasons have been hard to understand.
> Here are the uninit-value related calltrace reports from syzbot:
> 
> page_get_link()->
>   read_mapping_page()->
>     read_cache_page()->
>       do_read_cache_page()->
>         do_read_cache_folio()->
>           filemap_read_folio()->
>             squashfs_symlink_read_folio()
> 
> fs/squashfs/symlink.c
>  8 static int squashfs_symlink_read_folio(struct file *file, struct folio *folio)
>  7 {
>  6         struct inode *inode = folio->mapping->host;
>  5         struct super_block *sb = inode->i_sb;
>  4         struct squashfs_sb_info *msblk = sb->s_fs_info;
>  3         int index = folio_pos(folio);
>  2         u64 block = squashfs_i(inode)->start;
>  1         int offset = squashfs_i(inode)->offset;
> 41         int length = min_t(int, i_size_read(inode) - index, PAGE_SIZE);
> 
> Please see line 41, because the value of i_size is too large, causing integer overflow
> in the variable length. Which can result in folio not being initialized (as reported by 
> Syzbot: "KMSAN: uninit-value in pick_link").

What does that have to do with anything?  In the code you've quoted, ->i_size - index
is explicitly cast to signed 32bit.  _That_ will wrap around.  On typecast.  Nothing
of that sort would be present in
	if (inode->i_size > PAGE_SIZE)
as you could have verified easily.

At that point the only thing I can recommend is googling for "first law of holes".

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ