Message-ID: <68cf8bca.a00a0220.37dadf.0038.GAE@google.com>
Date: Sat, 20 Sep 2025 22:23:22 -0700
From: syzbot <syzbot+9eefe09bedd093f156c2@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] nsfs: reject file handles with invalid inode number
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: [PATCH] nsfs: reject file handles with invalid inode number
Author: kartikey406@...il.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Reject nsfs file handles that claim to have inode number 0, as no
legitimate namespace can have inode 0. This prevents a warning in
nsfs_fh_to_dentry() when open_by_handle_at() is called with malformed
file handles.
The issue occurs when userspace provides a file handle with valid
namespace type and ID but claims the namespace has inode number 0.
The namespace lookup succeeds but triggers VFS_WARN_ON_ONCE() when
comparing the real inode number against the impossible claim of 0.
Since inode 0 is reserved in all filesystems and no namespace can
legitimately have inode 0, we can safely reject such handles early
to prevent reaching the consistency check that triggers the warning.
Testing confirmed that other invalid inode numbers (1, 255) do not
trigger the same issue, indicating this is specific to inode 0 rather
than a general problem with incorrect inode numbers.
Reported-by: syzbot+9eefe09bedd093f156c2@...kaller.appspotmail.com
Tested-by: syzbot+9eefe09bedd093f156c2@...kaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
fs/nsfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nsfs.c b/fs/nsfs.c
index 32cb8c835a2b..42672cec293c 100644
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -469,7 +469,8 @@ static struct dentry *nsfs_fh_to_dentry(struct super_block *sb, struct fid *fh,
if (fh_len < NSFS_FID_SIZE_U32_VER0)
return NULL;
-
+ if (fid->ns_inum == 0)
+ return NULL;
/* Check that any trailing bytes are zero. */
if ((fh_len > NSFS_FID_SIZE_U32_LATEST) &&
memchr_inv((void *)fid + NSFS_FID_SIZE_U32_LATEST, 0,
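Review bot: The new `if (fid->ns_inum == 0)` check at the top of the hunk deserves a one-line comment in the style of the adjacent `/* Check that any trailing bytes are zero. */`, since the reason inode 0 is rejected (no namespace can have it, and the later consistency check warns on it) is currently recorded only in the commit message. The hunk also drops the blank line that followed the `fh_len` check; keeping a blank line between the new check and the trailing-bytes comment would match the spacing of the rest of the function. Finally, the check reads `fid->ns_inum` right after the `NSFS_FID_SIZE_U32_VER0` length test, so it relies on that field being part of the version-0 handle layout; worth confirming, as that length test is the only thing guaranteeing the read stays within the supplied handle.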
--
2.43.0