Message-ID: <20250407-handgefertigt-duzen-d92bfc181937@brauner>
Date: Mon, 7 Apr 2025 15:21:59 +0200
From: Christian Brauner <brauner@...nel.org>
To: Xiangsheng Hou <xiangsheng.hou@...iatek.com>
Cc: Vivek Goyal <vgoyal@...hat.com>, Stefan Hajnoczi <stefanha@...hat.com>,
Miklos Szeredi <miklos@...redi.hu>, eperezma@...hat.com, Matthias Brugger <matthias.bgg@...il.com>,
AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>, virtualization@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org, benliang.zhao@...iatek.com, bin.zhang@...iatek.com
Subject: Re: [RESEND] virtiofs: add filesystem context source name check
On Mon, Apr 07, 2025 at 07:50:49PM +0800, Xiangsheng Hou wrote:
> In certain scenarios, for example, during fuzz testing, the source
> name may be NULL, which could lead to a kernel panic. Therefore, an
> extra check for the source name should be added.
Oha, that's not great and easily reproducible:
[13344.588906] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
[13344.602350] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[13344.610367] CPU: 8 UID: 0 PID: 1427 Comm: anon_inode_test Not tainted 6.15.0-rc1-gb96146cd957f #21 PREEMPT(undef)
[13344.617410] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022
[13344.621368] RIP: 0010:strcmp+0x5b/0xb0
[13344.624462] Code: fa 48 c1 e8 03 83 e2 07 42 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 6b ff 4c 8d 66 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 24 41 3a 6c 24 ff 74 ae 19 c0
[13344.635506] RSP: 0018:ffffc900050dfd28 EFLAGS: 00010246
[13344.638112] RAX: 0000000000000000 RBX: ffff8881918158a9 RCX: fffff52000a1bf86
[13344.640726] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881918158a8
[13344.643279] RBP: 0000000000000069 R08: 0000000000000000 R09: fffffbfff2aa7c82
[13344.646722] R10: ffffc900050dfd58 R11: 0000000000000000 R12: 0000000000000001
[13344.648844] R13: dffffc0000000000 R14: ffff8881e2110ce0 R15: dffffc0000000000
[13344.651382] FS: 00007f891cf53740(0000) GS:ffff88843fd42000(0000) knlGS:0000000000000000
[13344.654257] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[13344.656296] CR2: 000055dfec6997d8 CR3: 00000001cbf21006 CR4: 0000000000770ef0
[13344.658863] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[13344.661325] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[13344.662722] PKRU: 55555554
[13344.663266] Call Trace:
[13344.663776] <TASK>
[13344.664303] virtio_fs_get_tree+0xc4/0x1060
[13344.665237] ? rcu_is_watching+0x12/0xb0
[13344.666047] ? cap_capable+0x170/0x320
[13344.666802] vfs_get_tree+0x87/0x2f0
[13344.667540] vfs_cmd_create+0xb2/0x240
[13344.668317] __x64_sys_fsconfig+0x629/0x9f0
[13344.669143] ? vfs_cmd_create+0x240/0x240
[13344.669956] ? rcu_is_watching+0x12/0xb0
[13344.670738] ? syscall_trace_enter+0x129/0x230
[13344.671617] do_syscall_64+0x74/0x190
[13344.672354] entry_SYSCALL_64_after_hwframe+0x4b/0x53
This needs to be backported to all LTS kernels.
> Signed-off-by: Xiangsheng Hou <xiangsheng.hou@...iatek.com>
> ---
> fs/fuse/virtio_fs.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
> index 2c7b24cb67ad..53c2626e90e7 100644
> --- a/fs/fuse/virtio_fs.c
> +++ b/fs/fuse/virtio_fs.c
> @@ -1669,6 +1669,9 @@ static int virtio_fs_get_tree(struct fs_context *fsc)
> unsigned int virtqueue_size;
> int err = -EIO;
>
> + if (!fsc->source)
> + return invalf(fsc, "No source specified");
> +
> /* This gets a reference on virtio_fs object. This ptr gets installed
> * in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
> * to drop the reference to this object.
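Review bot: The patch trailer carries only a Signed-off-by, while the reply above says this needs backporting to all LTS kernels; the NULL-check hunk should therefore also carry `Cc: stable@vger.kernel.org` and a `Fixes:` tag naming the commit that introduced the unchecked use of fsc->source in virtio_fs_get_tree() (the trace shows the NULL pointer reaching strcmp() from there), so the fix is picked up by the stable trees without a separate request. The check itself sits in the right place, before the virtio_fs object is looked up, and invalf() records the reason on the fs_context for the caller of fsconfig(2).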
> --
> 2.46.0
>