Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp883313pxv; Thu, 22 Jul 2021 15:01:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwbSHAduRCJRUUlVLMCXcR/ozj2FZ2ThjUgl7H07P5BH/olI9RgiX73lW+SsrYlh6/pZw5e X-Received: by 2002:a05:6402:74c:: with SMTP id p12mr1942181edy.153.1626991301956; Thu, 22 Jul 2021 15:01:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626991301; cv=none; d=google.com; s=arc-20160816; b=se0U79wmU6o2dohWVRebowoBMclWrElIrX71Dxz6UisIqv7xMasdab5sJsv6qNuCNY lUnDq4ynbkoj284hg+x7sNb+Y8p/zvpXqtLGOU6gJxThgG6qSbp+RgqWVQDBEQwbWcP4 mxQovI6jzi3rHiJVvK26fXfZEuBwu8V5Lh0WoDx9F/lL+YDLRNws0s2lpGIxIMTG3mVj 6gF1Xg62QCtBUNczLWduU0uyqXrHShhFdx7nALHJtn4nIEJHnAv7cv0854P6TH2ZkJ5w mWWFF2WhrJkGFX2aIniqX9A6SOg8WHRKVVgU+if7dla9doro933Gfzl05S1IeK8GA/GG vTkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Q361/Di6Z45cmFj7qLg7BaGyFHbEEt/RgLFjMVQ7BrQ=; b=aTmnt7oVz5Dva2S6+K92YPyQOXXhgcMM3Wozt/T7GDAvEd7o7T8c+zN+eHyQjvgKLm nzAP0X95elaaD3sSEYOKnV0FenbuB1na/5zfSDZsBoZnZAQ4LItMLOtQsfSoEe3IWAXq VJCRAXJLl2Iv3mpmHvsvQ1d/e0f0ZZ8EpEFaEo+FA3yBXfNqj3DT9kT2gY6oDLdL/9Mj Qw7ALdX8V4pBfSlhsuYMtmpnW5U0vxyczTtG1VkKuxOW0He7XMybJV8mSqWt4RZpxFvQ RprwXqfLsWCVyOdMihT+92pw4o6W6dJi5G+uNiJfmNA46CC+eMygOfVMYtCgD/bv1q75 gscw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n2si29920403eju.548.2021.07.22.15.01.18; Thu, 22 Jul 2021 15:01:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232139AbhGVVSB (ORCPT + 99 others); Thu, 22 Jul 2021 17:18:01 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:37725 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S231336AbhGVVSA (ORCPT ); Thu, 22 Jul 2021 17:18:00 -0400 Received: from cwcc.thunk.org (pool-72-74-133-215.bstnma.fios.verizon.net [72.74.133.215]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 16MLwOFW015534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 22 Jul 2021 17:58:24 -0400 Received: by cwcc.thunk.org (Postfix, from userid 15806) id F2E6115C37C0; Thu, 22 Jul 2021 17:58:23 -0400 (EDT) Date: Thu, 22 Jul 2021 17:58:23 -0400 From: "Theodore Ts'o" To: Matthew Wilcox Cc: butt3rflyh4ck , LKML , linux-fsdevel@vger.kernel.org, syzkaller-bugs Subject: Re: A shift-out-of-bounds in minix_statfs in fs/minix/inode.c Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 21, 2021 at 06:37:23PM +0100, Matthew Wilcox wrote: > On Thu, Jul 22, 2021 at 01:14:06AM +0800, butt3rflyh4ck wrote: > > ms = (struct minix_super_block *) bh->b_data; /// --------------> set > > minix_super_block pointer > > sbi->s_ms = ms; > > sbi->s_sbh = bh; > > sbi->s_mount_state = ms->s_state; > > sbi->s_ninodes = ms->s_ninodes; > > sbi->s_nzones = ms->s_nzones; > > sbi->s_imap_blocks = ms->s_imap_blocks; > > sbi->s_zmap_blocks = ms->s_zmap_blocks; > > sbi->s_firstdatazone = ms->s_firstdatazone; > > sbi->s_log_zone_size = ms->s_log_zone_size; // ------------------> > > set sbi->s_log_zone_size > > So what you're saying is that if you construct a malicious minix image, > you can produce undefined behaviour? That's not something we're > traditionally interested in, unless the filesystem is one customarily > used for data interchange (like FAT or iso9660). It's going to depend on the file system maintainer. The traditional answer is that block device is part of the Trusted Computing Base, and malicious file system images are not considered part of the threat model. A system adminstration or developer which allows potentially malicious agents to mount file system agents are cray-cray. Unfortunately, those developers are also known as "Linux desktop devs" (who implement unprivileged mounts of USB cards) or "container evangelists" who think containers should be treated as being Just As Good as VM's From A Security Perspective. So I do care about this for ext4, although I don't guarantee immediate response, as it's something that I usually end up doing on my own time. I do get cranky that Syzkaller makes it painful to extract out the fuzzed file system image, and I much prefer those fuzzing systems which provide the file system image and the C program used to trigger the failre as two seprate files. Or failing that, if there was some trivial way to get the syzkaller reproducer program to disgorge the file system image to a specified output file. As a result, if I have a choice of spending time investigating fuzzing report from a more file-system friendly fuzzing program and syzkaller, I'll tend choose to spend my time dealing with other file system fuzzing reports first. The problem for Minix is that it does not have an active maintainer. So if you submit fuzzing reports for Minix, it's unlikely anyone will spend time working on it. But if you submit a patch, it can go in, probably via Andrew Morton. (Recent Minix fixes that have gone in this way: 0a12c4a8069 and 32ac86efff9) Cheers, - Ted