Date: Wed, 21 Jul 2021 18:37:23 +0100
From: Matthew Wilcox
To: butt3rflyh4ck
Cc: LKML, linux-fsdevel@vger.kernel.org, syzkaller-bugs
Subject: Re: A shift-out-of-bounds in minix_statfs in fs/minix/inode.c

On Thu, Jul 22, 2021 at 01:14:06AM +0800, butt3rflyh4ck wrote:
> ms = (struct minix_super_block *) bh->b_data; /// --------------> set minix_super_block pointer
> sbi->s_ms = ms;
> sbi->s_sbh = bh;
> sbi->s_mount_state = ms->s_state;
> sbi->s_ninodes = ms->s_ninodes;
> sbi->s_nzones = ms->s_nzones;
> sbi->s_imap_blocks = ms->s_imap_blocks;
> sbi->s_zmap_blocks = ms->s_zmap_blocks;
> sbi->s_firstdatazone = ms->s_firstdatazone;
> sbi->s_log_zone_size = ms->s_log_zone_size; // ------------------> set sbi->s_log_zone_size

So what you're saying is that if you construct a malicious minix image, you can produce undefined behaviour? That's not something we're traditionally interested in, unless the filesystem is one customarily used for data interchange (like FAT or iso9660).
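As an added example, not code from the kernel or from either correspondent, this is the kind of mount-time check on the quoted field that turns an undefined shift in the statfs path into a rejected image. The little-endian field order, the MINIX_MAX_LOG_ZONE_SIZE limit and the sample images are all assumptions constructed for the example.

```c
/* Added example (not kernel code): read the fields quoted above from a raw
 * minix superblock and refuse to store s_log_zone_size when it could not be
 * used as a shift count.  Layout assumed: six little-endian u16 fields in the
 * order the report quotes.  MINIX_MAX_LOG_ZONE_SIZE is a hypothetical limit. */
#include <stdint.h>
#include <stddef.h>

struct minix_sb_fields {
    uint16_t s_ninodes, s_nzones, s_imap_blocks, s_zmap_blocks;
    uint16_t s_firstdatazone, s_log_zone_size;
};

/* Largest shift accepted: keeps nzones << log inside 64 bits and rejects
 * anything that would be undefined behaviour on a 32-bit unsigned long. */
#define MINIX_MAX_LOG_ZONE_SIZE 16

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 0 on success, -1 if the image is rejected; *out is untouched on rejection,
 * so a hostile value never reaches the in-memory sbi at all. */
int minix_parse_sb(const uint8_t *raw, size_t len, struct minix_sb_fields *out)
{
    struct minix_sb_fields f;
    if (len < 12)
        return -1;
    f.s_ninodes       = le16(raw + 0);
    f.s_nzones        = le16(raw + 2);
    f.s_imap_blocks   = le16(raw + 4);
    f.s_zmap_blocks   = le16(raw + 6);
    f.s_firstdatazone = le16(raw + 8);
    f.s_log_zone_size = le16(raw + 10);
    if (f.s_log_zone_size > MINIX_MAX_LOG_ZONE_SIZE)  /* shift would be UB */
        return -1;
    if (f.s_firstdatazone > f.s_nzones)                /* zone count underflow */
        return -1;
    *out = f;
    return 0;
}

/* statfs-style block count, computed only from validated fields; -1 if the
 * image was rejected.  Widened to 64 bits before the shift. */
int64_t minix_f_blocks_from_image(const uint8_t *raw, size_t len)
{
    struct minix_sb_fields f;
    if (minix_parse_sb(raw, len, &f) != 0)
        return -1;
    return (int64_t)(((uint64_t)f.s_nzones - f.s_firstdatazone) << f.s_log_zone_size);
}

/* Constructed sample images: a sane one (log_zone_size 2) and one with the
 * field set to 0xffff, the shape of value a fuzzer-made image would carry. */
const uint8_t sane_sb[12]    = {0x40,0,0x00,0x04,1,0,1,0,0x10,0,0x02,0x00};
const uint8_t hostile_sb[12] = {0x40,0,0x00,0x04,1,0,1,0,0x10,0,0xff,0xff};
```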