| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250423193209.5811-1-arapovl839@gmail.com>
Date: Wed, 23 Apr 2025 19:32:05 +0000
From: Leonid Arapov <arapovl839@...il.com>
To: David Woodhouse <dwmw2@...radead.org>
Cc: Leonid Arapov <arapovl839@...il.com>,
Richard Weinberger <richard@....at>,
Ferenc Havasi <havasi@....u-szeged.hu>,
Thomas Gleixner <tglx@...utronix.de>,
linux-mtd@...ts.infradead.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] jffs2: Decrease xattr length limit to avoid summary write error
When fuzzing, the following error is observed:
jffs2: warning: (1096) jffs2_sum_write_sumnode: Empty summary info!!!
------------[ cut here ]------------
kernel BUG at fs/jffs2/summary.c:865!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 1096 Comm: syz-executor340 Not tainted
6.1.108-syzkaller-00007-g86fb5a1a71c9 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1
04/01/2014
RIP: 0010:jffs2_sum_write_sumnode.cold+0x195/0x43b fs/jffs2/summary.c:865
Call Trace:
jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388
jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197
do_jffs2_setxattr+0x212/0x1570 fs/jffs2/xattr.c:1117
__vfs_setxattr+0x118/0x180 fs/xattr.c:182
__vfs_setxattr_noperm+0x125/0x600 fs/xattr.c:216
__vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277
vfs_setxattr+0x13f/0x340 fs/xattr.c:309
setxattr+0x14a/0x160 fs/xattr.c:617
path_setxattr+0x19b/0x1d0 fs/xattr.c:636
__do_sys_setxattr fs/xattr.c:652 [inline]
__se_sys_setxattr fs/xattr.c:648 [inline]
__x64_sys_setxattr+0xc0/0x160 fs/xattr.c:648
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
The error occurs when trying to create a new attribute of a file by xattr
syscall. Size and name of the attribure are set by user. Current limit of
total size of an attribute is equal to free size in a clean block and it
doesn't include space needed for summary data structures. So it is
possible to create an attribute whose size doesn't exceed the limit but
the total size of attribute and its summary data does. If requested size
of an attribute satisfies this condition, it leads to the following
behavior:
jffs2_do_reserve_space tries to reserve requested size for an attribute
and its summary. It fails to do so because even a clean block doesn't have
enough free space. Then it writes existing summary to the current block
and proceeds to the next block. Summary data is linked to a specific erase
block so it needs to be written to the current block before selecting
a new one.
Then this function is called again to reserve space in a new block.
It fails again and tries to write summary as the first time but at this
point collected summary for the block is empty and it leads to BUG() in
jffs2_summary_write_sumnode.
Decrease maximum allowed size of xattr buffer.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Signed-off-by: Leonid Arapov <arapovl839@...il.com>
---
fs/jffs2/xattr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c
index defb4162c3d5..7380f32e6d0f 100644
--- a/fs/jffs2/xattr.c
+++ b/fs/jffs2/xattr.c
@@ -1110,7 +1110,8 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname,
return rc;
request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size);
- if (request > c->sector_size - c->cleanmarker_size)
+ if (request > c->sector_size - c->cleanmarker_size -
+ JFFS2_SUMMARY_XATTR_SIZE - JFFS2_SUMMARY_FRAME_SIZE)
return -ERANGE;
rc = jffs2_reserve_space(c, request, &length,
--
2.45.2
Powered by blists - more mailing lists