To: LKML, reiserfs-devel@vger.kernel.org
From: Randy Dunlap
Subject: [PATCH?] reiserfs: prevent panic: don't allow %-char in journal dev. name
Cc: Alexander Viro, Jeff Mahoney, Jan Kara, Frederic Weisbecker, Artem Bityutskiy, Andrew Morton, syzkaller-bugs@googlegroups.com, syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com
Date: Wed, 4 Apr 2018 18:25:16 -0700

From: Randy Dunlap

If the reiserfs mount option's journal name contains a '%' character,
it can lead to a WARN_ONCE() in lib/vsprintf.c::format_decode(),
saying: "Please remove unsupported %/ in format string."
That's OK until panic_on_warn is set, at which point it's dead, Jim.

To placate this situation, check the journal name string for a '%'
character and return an error if one is found. Also print a warning
(one that won't panic the kernel) about the invalid journal name (e.g.):

  reiserfs: journal device name is invalid: %/file0

(In this example, the caller app specified the journal device name as
"%/file0".)

Fixes: https://syzkaller.appspot.com/bug?id=0627d4551fdc39bf1ef5d82cd9eef587047f7718
Reported-by: syzbot+6bd77b88c1977c03f584@syzkaller.appspotmail.com
Signed-off-by: Randy Dunlap
Cc: stable@vger.kernel.org # many kernel versions
Cc: reiserfs-devel@vger.kernel.org
Cc: Alexander Viro
Cc: Jeff Mahoney
Cc: Jan Kara
Cc: Frederic Weisbecker
Cc: Artem Bityutskiy
Cc: Andrew Morton
---
 fs/reiserfs/super.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- lnx-416.orig/fs/reiserfs/super.c +++ lnx-416/fs/reiserfs/super.c
@@ -1239,6 +1239,8 @@ static int reiserfs_parse_options(struct } if (c == 'j') { + char *badfmt; // jdev_name (arg) cannot contain '%' + if (arg && *arg && jdev_name) { /* Hm, already assigned? */ if (*jdev_name) { @@ -1248,6 +1250,15 @@ static int reiserfs_parse_options(struct "be %s", *jdev_name); return 0; } + + badfmt = strchr(arg, '%'); + if (badfmt) { + printk(KERN_WARNING "reiserfs: " + "journal device name " + "is invalid: %s", + arg); + return 0; + } *jdev_name = arg; } }
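
Review bot: The `badfmt` declaration added in the first hunk (@@ -1239) carries a `//` comment and the pointer is only ever tested for NULL. Kernel style uses `/* ... */` comments, and the variable can be dropped entirely by writing `if (strchr(arg, '%'))` in the second hunk, with the "cannot contain '%'" remark moved there as a block comment next to the check it explains.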
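
Review bot: The printk() format in the second hunk (@@ -1248) ends at "is invalid: %s" with no trailing "\n", so the log record is left unterminated; end the string with "\n". The message is also split across three string literals, which makes it hard to grep for; a single literal such as "reiserfs: journal device name is invalid: %s\n" is easier to find. Since `return 0` here rejects every name containing '%', it would help to state in a comment at the check that this is a deliberate restriction on journal device names and not only a guard for the warning path.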
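
The failure mode from the commit message, as an added user-space example (not kernel code and not part of the patch): a simplified format scanner shows why "%/file0" trips a format parser when a name is used as the format, next to the patch's '%' check and logging the name as a "%s" argument. All function names and sample names are constructed for this illustration, and the supported conversion set is a simplification.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <stdio.h>
#include <string.h>

/* Mirrors the patch's rule: a journal device name must not contain '%'. */
static int jdev_name_ok(const char *arg)
{
    return strchr(arg, '%') == NULL;
}

/*
 * Simplified scan of a printf-style format: returns the offset of the first
 * '%' whose conversion character is outside a small supported set, or -1.
 * This is what a format parser objects to when a name is used as the format.
 */
static int first_bad_conversion(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        const char *start = p++;
        p += strspn(p, "-+ #0");                    /* flags */
        p += strspn(p, "0123456789*");              /* field width */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789*");  /* precision */
        p += strspn(p, "hlLzt");                    /* length modifiers */
        if (*p == '\0' || !strchr("cspdiouxX%", *p))
            return (int)(start - fmt);
    }
    return -1;
}

/* Safe logging: the untrusted name is an argument to "%s", never the format. */
static int log_bad_name(char *buf, size_t len, const char *name)
{
    return snprintf(buf, len,
                    "reiserfs: journal device name is invalid: %s\n", name);
}

int main(void)
{
    const char *samples[] = { "/dev/sdb1", "%/file0", "jrnl%%x" }; /* constructed */
    char buf[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-10s ok=%d bad_at=%d\n", samples[i],
               jdev_name_ok(samples[i]), first_bad_conversion(samples[i]));
        if (!jdev_name_ok(samples[i]) && log_bad_name(buf, sizeof(buf), samples[i]) > 0)
            fputs(buf, stdout);
    }
    return 0;
}
```

The third sample parses cleanly as a format ("%%" is a literal percent) yet is still rejected by the '%' check, which shows that the patch's rule is stricter than what the format parser itself would complain about.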