Message-ID: <20250710-getrunken-fazit-74e068b05c16@brauner>
Date: Thu, 10 Jul 2025 09:42:13 +0200
From: Christian Brauner <brauner@...nel.org>
To: Jan Kara <jack@...e.cz>
Cc: syzbot <syzbot+895c23f6917da440ed0d@...kaller.appspotmail.com>,
konishi.ryusuke@...il.com, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-nilfs@...r.kernel.org, mjguzik@...il.com, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk, Konstantin Komarov <almaz.alexandrovich@...agon-software.com>,
ntfs3@...ts.linux.dev, Dave Kleikamp <shaggy@...nel.org>,
jfs-discussion@...ts.sourceforge.net
Subject: Re: [syzbot] [nilfs?] kernel BUG in may_open (2)

On Wed, Jul 09, 2025 at 10:30:12AM +0200, Jan Kara wrote:
> Hi!
>
> On Tue 08-07-25 10:51:27, syzbot wrote:
> > syzbot found the following issue on:
> >
> > HEAD commit: d7b8f8e20813 Linux 6.16-rc5
> > git tree: upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=107e728c580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=72aa0474e3c3b9ac
> > dashboard link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
> > compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11305582580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10952bd4580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/605b3edeb031/disk-d7b8f8e2.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/a3cb6f3ea4a9/vmlinux-d7b8f8e2.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/cd9e0c6a9926/bzImage-d7b8f8e2.xz
> > mounted in repro: https://storage.googleapis.com/syzbot-assets/2a7ab270a8da/mount_0.gz
> >
> > The issue was bisected to:
> >
> > commit af153bb63a336a7ca0d9c8ef4ca98119c5020030
> > Author: Mateusz Guzik <mjguzik@...il.com>
> > Date: Sun Feb 9 18:55:21 2025 +0000
> >
> > vfs: catch invalid modes in may_open()
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17f94a8c580000
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=14054a8c580000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10054a8c580000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+895c23f6917da440ed0d@...kaller.appspotmail.com
> > Fixes: af153bb63a33 ("vfs: catch invalid modes in may_open()")
> >
> > VFS_BUG_ON_INODE(!IS_ANON_FILE(inode)) encountered for inode ffff8880724735b8
>
> FWIW the reproducer just mounts a filesystem image and opens a file there
> which crashes because the inode type is invalid. Which suggests there's
> insufficient validation of inode metadata (in particular the inode mode)
> being loaded from the disk... There are reproducers in the syzbot dashboard
> for nilfs2, ntfs3, isofs, jfs. I'll take care of isofs, added other
> filesystem maintainers to CC.

I'm certainly happy to have added that assert.
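
Added example, not part of the original thread or of any kernel filesystem's code: a userspace C sketch of the on-disk inode mode validation that the quoted message finds missing. The inode layout (little-endian 16-bit mode at offset 0), the function names and the error code are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* File-type bits of a POSIX mode, with the values Linux uses. */
enum { T_IFMT = 0170000, T_IFIFO = 0010000, T_IFCHR = 0020000, T_IFDIR = 0040000,
       T_IFBLK = 0060000, T_IFREG = 0100000, T_IFLNK = 0120000, T_IFSOCK = 0140000 };

/* 0 if the type bits name a real file type, -EINVAL otherwise
 * (the error code is this example's choice). */
int disk_mode_check(uint16_t raw)
{
    switch (raw & T_IFMT) {
    case T_IFIFO: case T_IFCHR: case T_IFDIR: case T_IFBLK:
    case T_IFREG: case T_IFLNK: case T_IFSOCK:
        return 0;
    default:
        return -EINVAL;   /* 0, 0030000, 0050000, ... are not file types */
    }
}

/* Hypothetical on-disk inode: little-endian 16-bit mode at offset 0.
 * Fails the read instead of handing an untyped inode to the open path. */
int disk_inode_read_mode(const uint8_t *buf, size_t len, uint16_t *mode)
{
    uint16_t raw;
    int err;
    if (len < 2)
        return -EINVAL;
    raw = (uint16_t)(buf[0] | (buf[1] << 8));
    err = disk_mode_check(raw);
    if (!err)
        *mode = raw;   /* only a validated mode is ever stored */
    return err;
}

int main(void)
{
    /* Constructed samples: 0100644 (regular), 0000644 (no type), 0130644 (undefined type). */
    const uint8_t img[3][2] = { {0xA4, 0x81}, {0xA4, 0x01}, {0xA4, 0xB1} };
    uint16_t mode = 0;
    for (int i = 0; i < 3; i++)
        printf("%d\n", disk_inode_read_mode(img[i], 2, &mode));
    return 0;
}
```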