lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241124201009.GZ3387508@ZenIV>
Date: Sun, 24 Nov 2024 20:10:09 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: syzbot <syzbot+320c57a47bdabc1f294b@...kaller.appspotmail.com>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	surajsonawane0215@...il.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] WARNING in minix_unlink

On Sun, Nov 24, 2024 at 07:47:01PM +0000, Al Viro wrote:
> On Sun, Nov 24, 2024 at 11:41:01AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in minix_unlink
> 
> Predictably, since the warning has nothing to do with marking an unchanged
> buffer dirty...
> 
> What happens there is that on a badly corrupt image we have an on-disk
> inode with link count below the actual number of links.  And after
> unlinks remove enough of those to drive the link count to 0, inode
> is freed.  After that point, all remaining links are pointing to a freed
> on-disk inode, which is discovered when they need to decrement of link
> count that is already 0.  Which does deserve a warning, probably without
> a stack trace.
> 
> There's nothing the kernel can do about that, short of scanning the entire
> filesystem at mount time and verifying that link counts are accurate...

Theoretically we could check if there's an associated dentry at the time of
decrement-to-0 and refuse to do that decrement in such case, marking the
in-core inode so that no extra dentries would be associated with it
from that point on.  Not sure if that'd make for a good mitigation strategy,
though - and it wouldn't help in case of extra links we hadn't seen by
that point; they would become dangling pointers and reuse of on-disk inode
would still be possible...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ