Message-ID: <CAKFNMomH8Ur3gOvps_vdbs3BU4C6UZBL7tDYxjPUG_29_Bo-8w@mail.gmail.com>
Date: Thu, 10 Jul 2025 07:31:46 +0900
From: Ryusuke Konishi <konishi.ryusuke@...il.com>
To: Jan Kara <jack@...e.cz>
Cc: syzbot <syzbot+895c23f6917da440ed0d@...kaller.appspotmail.com>,
brauner@...nel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-nilfs@...r.kernel.org, mjguzik@...il.com,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
Konstantin Komarov <almaz.alexandrovich@...agon-software.com>, ntfs3@...ts.linux.dev,
Dave Kleikamp <shaggy@...nel.org>, jfs-discussion@...ts.sourceforge.net
Subject: Re: [syzbot] [nilfs?] kernel BUG in may_open (2)

On Wed, Jul 9, 2025 at 5:30 PM Jan Kara wrote:
>
> Hi!
>
> On Tue 08-07-25 10:51:27, syzbot wrote:
> > syzbot found the following issue on:
> >
> > HEAD commit: d7b8f8e20813 Linux 6.16-rc5
> > git tree: upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=107e728c580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=72aa0474e3c3b9ac
> > dashboard link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
> > compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11305582580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10952bd4580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/605b3edeb031/disk-d7b8f8e2.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/a3cb6f3ea4a9/vmlinux-d7b8f8e2.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/cd9e0c6a9926/bzImage-d7b8f8e2.xz
> > mounted in repro: https://storage.googleapis.com/syzbot-assets/2a7ab270a8da/mount_0.gz
> >
> > The issue was bisected to:
> >
> > commit af153bb63a336a7ca0d9c8ef4ca98119c5020030
> > Author: Mateusz Guzik <mjguzik@...il.com>
> > Date: Sun Feb 9 18:55:21 2025 +0000
> >
> > vfs: catch invalid modes in may_open()
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17f94a8c580000
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=14054a8c580000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10054a8c580000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+895c23f6917da440ed0d@...kaller.appspotmail.com
> > Fixes: af153bb63a33 ("vfs: catch invalid modes in may_open()")
> >
> > VFS_BUG_ON_INODE(!IS_ANON_FILE(inode)) encountered for inode ffff8880724735b8
>
> FWIW the reproducer just mounts a filesystem image and opens a file there
> which crashes because the inode type is invalid. Which suggests there's
> insufficient validation of inode metadata (in particular the inode mode)
> being loaded from the disk... There are reproducers in the syzbot dashboard
> for nilfs2, ntfs3, isofs, jfs. I'll take care of isofs, added other
> filesystem maintainers to CC.
>
> Honza

Thank you for taking the initiative!
I'll deal with the nilfs2 issue.

For convenience, the correspondence between the reproducers and file
systems listed in the syzbot dashboard at the moment is as follows:

Detection time      Filesystem
2025/07/08 13:03    iso9660
2025/07/08 12:34    ntfs3
2025/07/08 12:04    nilfs2
2025/07/08 04:06    nilfs2
2025/07/08 02:39    ntfs3
2025/07/08 01:41    jfs
2025/07/08 01:56    nilfs2
2025/07/08 01:21    nilfs2
2025/07/08 01:57    iso9660
2025/07/08 02:15    jfs
2025/07/08 01:34    ntfs3

Thanks,
Ryusuke Konishi
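
The kind of inode-mode check this thread calls for, as an added example that is not part of the original message and not code from any of the filesystems named: it rejects a mode read from disk whose file-type bits match no known type before the value reaches an in-memory inode. The function names, the 16-bit on-disk field and the -EIO return are assumptions; the sample modes are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Linux file-type bits of i_mode (same values as S_IFMT and S_IF* in
 * <sys/stat.h>), spelled out so the check does not depend on host headers. */
enum {
    DISK_IFMT   = 0170000,
    DISK_IFSOCK = 0140000, DISK_IFLNK = 0120000, DISK_IFREG = 0100000,
    DISK_IFBLK  = 0060000, DISK_IFDIR = 0040000, DISK_IFCHR = 0020000,
    DISK_IFIFO  = 0010000
};

/* Return 1 if the type bits name one of the seven file types, else 0.
 * Permission bits are not examined. */
static int disk_mode_type_valid(uint32_t raw_mode)
{
    switch (raw_mode & DISK_IFMT) {
    case DISK_IFREG: case DISK_IFDIR: case DISK_IFLNK: case DISK_IFCHR:
    case DISK_IFBLK: case DISK_IFIFO: case DISK_IFSOCK:
        return 1;
    default:
        return 0;   /* corrupted or crafted image: no such file type */
    }
}

/* Hypothetical read-inode step (assumed name): copy the mode into the
 * in-memory inode only after validation, otherwise report an I/O error. */
static int load_inode_mode(uint16_t on_disk_mode, uint32_t *out_mode)
{
    if (!disk_mode_type_valid(on_disk_mode))
        return -EIO;
    *out_mode = on_disk_mode;
    return 0;
}

int main(void)
{
    /* Constructed sample modes, not taken from the syzbot images. */
    static const uint16_t samples[] = { 0100644, 0040755, 0120777,
                                        0000644, 0130000, 0170000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t mode = 0;
        int err = load_inode_mode(samples[i], &mode);
        printf("%07o -> %s\n", (unsigned)samples[i],
               err ? "rejected" : "accepted");
    }
    return 0;
}
```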