Syzbot hit WARNING in internal_create_group(). The problem was in
too big disk->first_minor.
disk->first_minor is initialized by value, which comes from userspace
and there wasn't any sanity checks about value correctness. It can cause
duplicate creation of sysfs files/links, because disk->first_minor will
be passed to MKDEV() which causes truncation to byte. Since maximum
minor value is 0xff, let's check if first_minor is correct minor number.
NOTE: the root case of the reported warning was in wrong error handling
in register_disk(), but we can avoid passing knowingly wrong values to
sysfs API, because sysfs error messages can confuse users. For example:
user passed 1048576 as index, but sysfs complains about duplicate
creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
Log and reproducer for above example can be found on syzkaller bug
report page.
Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1
Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Reported-by: [email protected]
Signed-off-by: Pavel Skripkin <[email protected]>
---
drivers/block/nbd.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index c38317979f74..600e9bab5d43 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1725,7 +1725,17 @@ static int nbd_dev_add(int index)
refcount_set(&nbd->refs, 1);
INIT_LIST_HEAD(&nbd->list);
disk->major = NBD_MAJOR;
+
+ /* Too big first_minor can cause duplicate creation of
+ * sysfs files/links, since first_minor will be truncated to
+ * byte in __device_add_disk().
+ */
disk->first_minor = index << part_shift;
+ if (disk->first_minor > 0xff) {
+ err = -EINVAL;
+ goto out_free_idr;
+ }
+
disk->minors = 1 << part_shift;
disk->fops = &nbd_fops;
disk->private_data = nbd;
--
2.32.0
Looks good,
Reviewed-by: Christoph Hellwig <[email protected]>
On 8/12/21 12:15 PM, Pavel Skripkin wrote:
> Syzbot hit WARNING in internal_create_group(). The problem was in
> too big disk->first_minor.
>
> disk->first_minor is initialized by value, which comes from userspace
> and there wasn't any sanity checks about value correctness. It can cause
> duplicate creation of sysfs files/links, because disk->first_minor will
> be passed to MKDEV() which causes truncation to byte. Since maximum
> minor value is 0xff, let's check if first_minor is correct minor number.
>
> NOTE: the root case of the reported warning was in wrong error handling
> in register_disk(), but we can avoid passing knowingly wrong values to
> sysfs API, because sysfs error messages can confuse users. For example:
> user passed 1048576 as index, but sysfs complains about duplicate
> creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
> Log and reproducer for above example can be found on syzkaller bug
> report page.
>
> Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1
> Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
> Reported-by: [email protected]
> Signed-off-by: Pavel Skripkin <[email protected]>
> ---
> drivers/block/nbd.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index c38317979f74..600e9bab5d43 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -1725,7 +1725,17 @@ static int nbd_dev_add(int index)
> refcount_set(&nbd->refs, 1);
> INIT_LIST_HEAD(&nbd->list);
> disk->major = NBD_MAJOR;
> +
> + /* Too big first_minor can cause duplicate creation of
> + * sysfs files/links, since first_minor will be truncated to
> + * byte in __device_add_disk().
> + */
> disk->first_minor = index << part_shift;
> + if (disk->first_minor > 0xff) {
> + err = -EINVAL;
> + goto out_free_idr;
> + }
> +
> disk->minors = 1 << part_shift;
> disk->fops = &nbd_fops;
> disk->private_data = nbd;
>
Fun thing: I got a reply to this email from
[email protected], which is Hong Kong Police office email. Does
anyone know what is going on? :) It's a bit scary...
With regards,
Pavel Skripkin
On Thu, Aug 12, 2021 at 12:42:38PM +0300, Pavel Skripkin wrote:
>
> Fun thing: I got a reply to this email from
> [email protected], which is Hong Kong Police office email. Does
> anyone know what is going on? :) It's a bit scary...
You are not alone. Apparently, someone subscribed that address to the
[email protected] list and it is auto-responding to every message
it receives; hopefully, a list administrator (I am not one) will be
willing to forcefully unsubscribe that address.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
On Thu, Aug 12, 2021 at 10:35:25AM -0500, Eric Blake wrote:
> On Thu, Aug 12, 2021 at 12:42:38PM +0300, Pavel Skripkin wrote:
> >
> > Fun thing: I got a reply to this email from
> > [email protected], which is Hong Kong Police office email. Does
> > anyone know what is going on? :) It's a bit scary...
>
> You are not alone. Apparently, someone subscribed that address to the
> [email protected] list and it is auto-responding to every message
> it receives; hopefully, a list administrator (I am not one) will be
> willing to forcefully unsubscribe that address.
FWIW, this has now happened, so you should no longer see such autoreplies.
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
On Mon, Aug 16, 2021 at 05:26:23PM +0200, Wouter Verhelst wrote:
> On Thu, Aug 12, 2021 at 10:35:25AM -0500, Eric Blake wrote:
> > On Thu, Aug 12, 2021 at 12:42:38PM +0300, Pavel Skripkin wrote:
> > >
> > > Fun thing: I got a reply to this email from
> > > [email protected], which is Hong Kong Police office email. Does
> > > anyone know what is going on? :) It's a bit scary...
> >
> > You are not alone. Apparently, someone subscribed that address to the
> > [email protected] list and it is auto-responding to every message
> > it receives; hopefully, a list administrator (I am not one) will be
> > willing to forcefully unsubscribe that address.
>
> FWIW, this has now happened, so you should no longer see such autoreplies.
... except I just received another one myself. I've taken it up with the
list admins again.
I won't update the whole Cc list of this anymore, but rest assured I'll
stay on this until it's been taken care of.
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
On 8/12/21 3:15 AM, Pavel Skripkin wrote:
> Syzbot hit WARNING in internal_create_group(). The problem was in
> too big disk->first_minor.
>
> disk->first_minor is initialized by value, which comes from userspace
> and there wasn't any sanity checks about value correctness. It can cause
> duplicate creation of sysfs files/links, because disk->first_minor will
> be passed to MKDEV() which causes truncation to byte. Since maximum
> minor value is 0xff, let's check if first_minor is correct minor number.
>
> NOTE: the root case of the reported warning was in wrong error handling
> in register_disk(), but we can avoid passing knowingly wrong values to
> sysfs API, because sysfs error messages can confuse users. For example:
> user passed 1048576 as index, but sysfs complains about duplicate
> creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0.
> Log and reproducer for above example can be found on syzkaller bug
> report page.
Applied, thanks.
--
Jens Axboe