| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250407-handgefertigt-duzen-d92bfc181937@brauner> Date: Mon, 7 Apr 2025 15:21:59 +0200 From: Christian Brauner <brauner@...nel.org> To: Xiangsheng Hou <xiangsheng.hou@...iatek.com> Cc: Vivek Goyal <vgoyal@...hat.com>, Stefan Hajnoczi <stefanha@...hat.com>, Miklos Szeredi <miklos@...redi.hu>, eperezma@...hat.com, Matthias Brugger <matthias.bgg@...il.com>, AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>, virtualization@...ts.linux.dev, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-mediatek@...ts.infradead.org, benliang.zhao@...iatek.com, bin.zhang@...iatek.com Subject: Re: [RESEND] virtiofs: add filesystem context source name check On Mon, Apr 07, 2025 at 07:50:49PM +0800, Xiangsheng Hou wrote: > In certain scenarios, for example, during fuzz testing, the source > name may be NULL, which could lead to a kernel panic. Therefore, an > extra check for the source name should be added. Oha, that's not great and easily reproducible: [13344.588906] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [13344.602350] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [13344.610367] CPU: 8 UID: 0 PID: 1427 Comm: anon_inode_test Not tainted 6.15.0-rc1-gb96146cd957f #21 PREEMPT(undef) [13344.617410] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022 [13344.621368] RIP: 0010:strcmp+0x5b/0xb0 [13344.624462] Code: fa 48 c1 e8 03 83 e2 07 42 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 6b ff 4c 8d 66 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 24 41 3a 6c 24 ff 74 ae 19 c0 [13344.635506] RSP: 0018:ffffc900050dfd28 EFLAGS: 00010246 [13344.638112] RAX: 0000000000000000 RBX: ffff8881918158a9 RCX: fffff52000a1bf86 [13344.640726] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881918158a8 [13344.643279] RBP: 0000000000000069 R08: 0000000000000000 R09: fffffbfff2aa7c82 [13344.646722] R10: ffffc900050dfd58 R11: 0000000000000000 R12: 0000000000000001 [13344.648844] R13: dffffc0000000000 R14: ffff8881e2110ce0 R15: dffffc0000000000 [13344.651382] FS: 00007f891cf53740(0000) GS:ffff88843fd42000(0000) knlGS:0000000000000000 [13344.654257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [13344.656296] CR2: 000055dfec6997d8 CR3: 00000001cbf21006 CR4: 0000000000770ef0 [13344.658863] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [13344.661325] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [13344.662722] PKRU: 55555554 [13344.663266] Call Trace: [13344.663776] <TASK> [13344.664303] virtio_fs_get_tree+0xc4/0x1060 [13344.665237] ? rcu_is_watching+0x12/0xb0 [13344.666047] ? cap_capable+0x170/0x320 [13344.666802] vfs_get_tree+0x87/0x2f0 [13344.667540] vfs_cmd_create+0xb2/0x240 [13344.668317] __x64_sys_fsconfig+0x629/0x9f0 [13344.669143] ? vfs_cmd_create+0x240/0x240 [13344.669956] ? rcu_is_watching+0x12/0xb0 [13344.670738] ? syscall_trace_enter+0x129/0x230 [13344.671617] do_syscall_64+0x74/0x190 [13344.672354] entry_SYSCALL_64_after_hwframe+0x4b/0x53 This needs to be backported to all LTS kernels. > Signed-off-by: Xiangsheng Hou <xiangsheng.hou@...iatek.com> > --- > fs/fuse/virtio_fs.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c > index 2c7b24cb67ad..53c2626e90e7 100644 > --- a/fs/fuse/virtio_fs.c > +++ b/fs/fuse/virtio_fs.c > @@ -1669,6 +1669,9 @@ static int virtio_fs_get_tree(struct fs_context *fsc) > unsigned int virtqueue_size; > int err = -EIO; > > + if (!fsc->source) > + return invalf(fsc, "No source specified"); > + > /* This gets a reference on virtio_fs object. This ptr gets installed > * in fc->iq->priv. Once fuse_conn is going away, it calls ->put() > * to drop the reference to this object. > -- > 2.46.0 >
Powered by blists - more mailing lists