Date: Wed, 21 Jul 2021 12:14:16 -0700
From: "Darrick J. Wong"
To: Matthew Wilcox
Cc: butt3rflyh4ck, LKML, linux-fsdevel@vger.kernel.org, syzkaller-bugs
Subject: Re: A shift-out-of-bounds in minix_statfs in fs/minix/inode.c
Message-ID: <20210721191416.GC8572@magnolia>
References:
In-Reply-To:
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 21, 2021 at 06:37:23PM +0100, Matthew Wilcox wrote:
> On Thu, Jul 22, 2021 at 01:14:06AM +0800, butt3rflyh4ck wrote:
> > 	ms = (struct minix_super_block *) bh->b_data; /// --------------> set minix_super_block pointer
> > 	sbi->s_ms = ms;
> > 	sbi->s_sbh = bh;
> > 	sbi->s_mount_state = ms->s_state;
> > 	sbi->s_ninodes = ms->s_ninodes;
> > 	sbi->s_nzones = ms->s_nzones;
> > 	sbi->s_imap_blocks = ms->s_imap_blocks;
> > 	sbi->s_zmap_blocks = ms->s_zmap_blocks;
> > 	sbi->s_firstdatazone = ms->s_firstdatazone;
> > 	sbi->s_log_zone_size = ms->s_log_zone_size; // ------------------> set sbi->s_log_zone_size
>
> So what you're saying is that if you construct a malicious minix image,
> you can produce undefined behaviour?  That's not something we're
> traditionally interested in, unless the filesystem is one customarily
> used for data interchange (like FAT or iso9660).

Sounds to me like butt3rflyh4ck is volunteering to rebuild fs/minix with
proper ondisk metadata buffer verifiers.

--D
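The kind of on-disk verifier the reply asks for, as an added example that is not part of the thread and not code from fs/minix: a user-space model of the superblock copy quoted above, with a check on the raw buffer in front of it. The on-disk struct follows the classic minix v1 layout; the statfs-style expression `(s_nzones - s_firstdatazone) << s_log_zone_size` is an assumption about the shape of the shift the subject line refers to, not the kernel's exact line; the bounds in `minix_verify_super` are this example's own policy rather than kernel limits; and the two 1 KiB images are constructed inline (one sane, one with `s_log_zone_size = 0xffff`).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MINIX_SUPER_MAGIC 0x137F   /* minix v1, 14-character names */
#define BLOCK_SIZE        1024

/* On-disk superblock as it sits at the start of bh->b_data (classic v1 layout). */
struct minix_super_block {
	uint16_t s_ninodes;
	uint16_t s_nzones;
	uint16_t s_imap_blocks;
	uint16_t s_zmap_blocks;
	uint16_t s_firstdatazone;
	uint16_t s_log_zone_size;
	uint32_t s_max_size;
	uint16_t s_magic;
	uint16_t s_state;
	uint32_t s_zones;
};

/* In-memory copy, widened to unsigned long as in the kernel's sbi. */
struct minix_sb_info {
	unsigned long s_ninodes, s_nzones, s_imap_blocks, s_zmap_blocks;
	unsigned long s_firstdatazone, s_log_zone_size;
	unsigned short s_mount_state;
};

/* Verifier run on the raw buffer before any field reaches sbi. The limits are
 * this example's own policy (assumption): each one exists so that a later
 * index or shift on that field is defined and cannot wrap. */
static bool minix_verify_super(const struct minix_super_block *ms)
{
	const unsigned ulbits = 8 * sizeof(unsigned long);
	unsigned long zones;

	if (ms->s_magic != MINIX_SUPER_MAGIC)
		return false;
	if (ms->s_imap_blocks == 0 || ms->s_zmap_blocks == 0)
		return false;
	if (ms->s_firstdatazone == 0 || ms->s_firstdatazone > ms->s_nzones)
		return false;
	/* Shifting by >= the operand width is undefined behaviour in C. */
	if (ms->s_log_zone_size >= ulbits)
		return false;
	/* The shifted zone count must still fit in unsigned long. */
	zones = (unsigned long)ms->s_nzones - ms->s_firstdatazone;
	if (ms->s_log_zone_size && (zones >> (ulbits - ms->s_log_zone_size)))
		return false;
	return true;
}

/* The copy quoted in the thread, now gated on the verifier. */
static int minix_fill_sbi(struct minix_sb_info *sbi, const uint8_t *b_data)
{
	struct minix_super_block ms;

	memcpy(&ms, b_data, sizeof(ms));      /* no aliasing through b_data */
	if (!minix_verify_super(&ms))
		return -1;                       /* corrupt or hostile image: refuse */
	sbi->s_mount_state   = ms.s_state;
	sbi->s_ninodes       = ms.s_ninodes;
	sbi->s_nzones        = ms.s_nzones;
	sbi->s_imap_blocks   = ms.s_imap_blocks;
	sbi->s_zmap_blocks   = ms.s_zmap_blocks;
	sbi->s_firstdatazone = ms.s_firstdatazone;
	sbi->s_log_zone_size = ms.s_log_zone_size;
	return 0;
}

/* statfs-style block count (assumed shape of the faulting expression);
 * only safe because sbi came through minix_fill_sbi. */
static unsigned long minix_statfs_blocks(const struct minix_sb_info *sbi)
{
	return (sbi->s_nzones - sbi->s_firstdatazone) << sbi->s_log_zone_size;
}

/* Constructed 1 KiB block: an otherwise sane v1 image with a chosen shift. */
static void make_super(uint8_t *b_data, uint16_t log_zone_size)
{
	struct minix_super_block ms = {
		.s_ninodes = 32, .s_nzones = 64, .s_imap_blocks = 1, .s_zmap_blocks = 1,
		.s_firstdatazone = 8, .s_log_zone_size = log_zone_size,
		.s_magic = MINIX_SUPER_MAGIC, .s_state = 1,
	};
	memset(b_data, 0, BLOCK_SIZE);
	memcpy(b_data, &ms, sizeof(ms));
}

/* "Mount" the constructed image: -1 if the verifier rejects it, else the
 * statfs block count. */
long minix_image_blocks(uint16_t log_zone_size)
{
	uint8_t b_data[BLOCK_SIZE];
	struct minix_sb_info sbi;

	make_super(b_data, log_zone_size);
	if (minix_fill_sbi(&sbi, b_data) != 0)
		return -1;
	return (long)minix_statfs_blocks(&sbi);
}

int main(void)
{
	printf("sane image (shift 0):   %ld blocks\n", minix_image_blocks(0));
	printf("hostile image (0xffff): %ld (rejected)\n", minix_image_blocks(0xffff));
	return 0;
}
```

The point of the layout is that nothing from `bh->b_data` is copied into `sbi` until every field that later feeds an index or a shift has been bounded, so the statfs path never has to re-validate; a fuzzer-built image with `s_log_zone_size = 0xffff` fails at mount rather than reaching the shift.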