Hello,
syzbot found the following issue on:
HEAD commit: a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
------------[ cut here ]------------
WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
Modules linked in:
CPU: 1 PID: 20347 Comm: syz-executor.1 Not tainted 6.0.0-syzkaller-09039-ga6afa4199d3d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:__kernel_write_iter+0x639/0x740 fs/read_write.c:504
Code: 25 28 00 00 00 48 3b 84 24 e0 00 00 00 0f 85 17 01 00 00 4c 89 f0 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 07 b0 9e ff <0f> 0b 49 c7 c6 f7 ff ff ff eb a5 e8 f7 af 9e ff 4c 8b 74 24 18 eb
RSP: 0018:ffffc90015997740 EFLAGS: 00010287
RAX: ffffffff81e81fe9 RBX: 00000000000a801d RCX: 0000000000040000
RDX: ffffc90004875000 RSI: 0000000000000c05 RDI: 0000000000000c06
RBP: ffffc90015997870 R08: ffffffff81e81a5d R09: fffffbfff1c19fd6
R10: fffffbfff1c19fd6 R11: 1ffffffff1c19fd5 R12: 1ffff92002b32ef4
R13: 1ffff1100f3c659f R14: ffff888079e32c80 R15: dffffc0000000000
FS: 00007f320c219700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c023d85000 CR3: 000000007765a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__kernel_write fs/read_write.c:537 [inline]
kernel_write+0x1c5/0x340 fs/read_write.c:558
write_buf fs/btrfs/send.c:590 [inline]
send_header fs/btrfs/send.c:708 [inline]
send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
_btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
btrfs_ioctl+0x5eb/0xc10
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f320b08a5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f320c219168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f320b1abf80 RCX: 00007f320b08a5a9
RDX: 0000000020000040 RSI: 0000000040489426 RDI: 0000000000000003
RBP: 00007f320b0e5580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffca50575cf R14: 00007f320c219300 R15: 0000000000022000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot has found a reproducer for the following issue on:
HEAD commit: 6d464646530f Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11f871bb880000
kernel config: https://syzkaller.appspot.com/x/.config?x=23eec5c79c22aaf8
dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=114ef275880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a92353880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f22d29413625/disk-6d464646.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/389f0a5f1a4a/vmlinux-6d464646.xz
kernel image: https://storage.googleapis.com/syzbot-assets/48ddb02d82da/Image-6d464646.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/609bce089bbe/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
BTRFS info (device loop0): using free space tree
BTRFS info (device loop0): enabling ssd optimizations
BTRFS info (device loop0): checking UUID tree
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3072 at fs/read_write.c:504 __kernel_write_iter+0x250/0x284 fs/read_write.c:504
Modules linked in:
CPU: 0 PID: 3072 Comm: syz-executor372 Not tainted 6.1.0-rc6-syzkaller-32662-g6d464646530f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __kernel_write_iter+0x250/0x284 fs/read_write.c:504
lr : __kernel_write_iter+0x250/0x284 fs/read_write.c:504
sp : ffff800012d9ba90
x29: ffff800012d9bad0 x28: ffff0000c9367000 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000011 x24: ffff0000ca81f580
x23: 0000000000000000 x22: ffff0000c993f808 x21: ffff0000c0292c00
x20: ffff800012d9bb20 x19: 00000000000a801d x18: 00000000000000c0
x17: ffff80000dda8198 x16: ffff80000dbe6158 x15: ffff0000c7d38000
x14: 0000000000000000 x13: 00000007ffffffff x12: ffff0000c7d38000
x11: ff808000085ba5e8 x10: 0000000000000000 x9 : ffff8000085ba5e8
x8 : ffff0000c7d38000 x7 : 6b636f6c5f746e65 x6 : ffff80000801154c
x5 : ffff80000e0caee8 x4 : 0000000000000011 x3 : 0000000000000001
x2 : ffff0000c993f808 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
__kernel_write_iter+0x250/0x284 fs/read_write.c:504
__kernel_write fs/read_write.c:537 [inline]
kernel_write+0x10c/0x1d0 fs/read_write.c:558
write_buf fs/btrfs/send.c:591 [inline]
send_header fs/btrfs/send.c:709 [inline]
send_subvol+0x94/0x17ec fs/btrfs/send.c:7653
btrfs_ioctl_send+0xd74/0xed0 fs/btrfs/send.c:8019
_btrfs_ioctl_send+0x188/0x218 fs/btrfs/ioctl.c:5233
btrfs_ioctl+0x5c0/0xa64
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__arm64_sys_ioctl+0xd0/0x140 fs/ioctl.c:856
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
irq event stamp: 82496
hardirqs last enabled at (82495): [<ffff80000844b028>] mod_lruvec_page_state include/linux/vmstat.h:563 [inline]
hardirqs last enabled at (82495): [<ffff80000844b028>] __kmalloc_large_node+0x108/0x188 mm/slab_common.c:1099
hardirqs last disabled at (82496): [<ffff80000c0808b4>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (81982): [<ffff80000801c38c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (81980): [<ffff80000801c358>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
On Mon, Oct 10, 2022 at 9:04 AM syzbot
<[email protected]> wrote:
> HEAD commit: a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
[...]
> __kernel_write fs/read_write.c:537 [inline]
> kernel_write+0x1c5/0x340 fs/read_write.c:558
> write_buf fs/btrfs/send.c:590 [inline]
> send_header fs/btrfs/send.c:708 [inline]
> send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
> btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
> _btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
> btrfs_ioctl+0x5eb/0xc10
> vfs_ioctl fs/ioctl.c:51 [inline]
The issue here is that BTRFS_IOC_SEND looks up an fd with fget() and
then writes into it with kernel_write(). Luckily the ioctl requires
CAP_SYS_ADMIN, and also Linux >=5.8 bails out on __kernel_write() on a
read-only file, so this has no security impact.
I'm about to send a fix, let's have syzkaller check it beforehand:
#syz test https://github.com/thejh/linux.git 573fd2562e0f
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 573fd256 btrfs: send: Ensure send_fd is writable
git tree: https://github.com/thejh/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1461aad0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7d33e2c9b952629
dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
On Fri, Nov 24, 2023 at 05:21:20PM +0100, Jann Horn wrote:
> On Mon, Oct 10, 2022 at 9:04 AM syzbot
> <[email protected]> wrote:
> > HEAD commit: a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> > dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
> > compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
> [...]
> > __kernel_write fs/read_write.c:537 [inline]
> > kernel_write+0x1c5/0x340 fs/read_write.c:558
> > write_buf fs/btrfs/send.c:590 [inline]
> > send_header fs/btrfs/send.c:708 [inline]
> > send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
> > btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
> > _btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
> > btrfs_ioctl+0x5eb/0xc10
> > vfs_ioctl fs/ioctl.c:51 [inline]
>
> The issue here is that BTRFS_IOC_SEND looks up an fd with fget() and
> then writes into it with kernel_write(). Luckily the ioctl requires
> CAP_SYS_ADMIN, and also Linux >=5.8 bails out on __kernel_write() on a
> read-only file, so this has no security impact.
I'm not sure if we could make the send ioctl safe for a non-root user,
the code there has been doing tricks that have security implications.
> I'm about to send a fix, let's have syzkaller check it beforehand:
>
> #syz test https://github.com/thejh/linux.git 573fd2562e0f
The fix looks correct to me, thanks.
On Fri, Nov 24, 2023 at 6:24 PM David Sterba <[email protected]> wrote:
> On Fri, Nov 24, 2023 at 05:21:20PM +0100, Jann Horn wrote:
> > On Mon, Oct 10, 2022 at 9:04 AM syzbot
> > <[email protected]> wrote:
> > > HEAD commit: a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
> > > compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > ------------[ cut here ]------------
> > > WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
> > [...]
> > > __kernel_write fs/read_write.c:537 [inline]
> > > kernel_write+0x1c5/0x340 fs/read_write.c:558
> > > write_buf fs/btrfs/send.c:590 [inline]
> > > send_header fs/btrfs/send.c:708 [inline]
> > > send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
> > > btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
> > > _btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
> > > btrfs_ioctl+0x5eb/0xc10
> > > vfs_ioctl fs/ioctl.c:51 [inline]
> >
> > The issue here is that BTRFS_IOC_SEND looks up an fd with fget() and
> > then writes into it with kernel_write(). Luckily the ioctl requires
> > CAP_SYS_ADMIN, and also Linux >=5.8 bails out on __kernel_write() on a
> > read-only file, so this has no security impact.
>
> I'm not sure if we could make the send ioctl safe for a non-root user,
> the code there has been doing tricks that have security implications.
>
> > I'm about to send a fix, let's have syzkaller check it beforehand:
> >
> > #syz test https://github.com/thejh/linux.git 573fd2562e0f
>
> The fix looks correct to me, thanks.
(I sent the fix to you and the other btrfs maintainers separately with
subject "[PATCH] btrfs: send: Ensure send_fd is writable", see
<https://lore.kernel.org/lkml/[email protected]/T/>.)