Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp5655425rwd; Mon, 12 Jun 2023 08:01:58 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7MlN8qm1KD8MANi6BzHfCdzNb5vxJ5SpipWLv0livh/6mUdUVdSCzItpqRqg81AjIshy6y X-Received: by 2002:a05:6a20:9689:b0:105:12ab:878f with SMTP id hp9-20020a056a20968900b0010512ab878fmr9883853pzc.56.1686582118459; Mon, 12 Jun 2023 08:01:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686582118; cv=none; d=google.com; s=arc-20160816; b=UVqWg5aI7ShupL2o1gI6375khjq/Odjuz4wfEpOwpkCwTt86oxhYBuqFrTHgjQIqY+ h+f38YKgnoQ1/u37yi8Utp+Gc36wpofKKTGTKV7BwlgaUpZiZHfpvvBMf9qjDdyydFeC zWBSa0m36lgPRkwHcYn3F2hAN1W8jP6ZnqHCjZ82kxKN8d7Z+rmiUYel7CsdwPvKPTNh PBD7Ug8EMaDzdOP3rU4kqMfN6Jd8LTKgFgEitsDX9QBwQ5krEIfkKOjDrhQZ54G4XWhY MWyaMOHTmlGdEkLwWKwrZaXgSQcMwG1C2xjT2JtnRFlxm60y3+/owTKSxWmI/ZId5uku UEtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=hYLoOeOIQ8H4THh4mtox6bn85ZlcWEe8+m8shFZxDC4=; b=b1IgFfa7f4oG2nSIqtCCGJg/86/KSpk5s451bznKGG4DMsHxlwfJkYIEs4rqGRtaVz H5kgYQcg5fE3ZxbT+aJtX7J20SwYngzATujlxQyoJM6/WX5PaSw4NjWD4l43Myltdp7I t781MAiTd3DxVNKJ/dh2vsJYxyd13vFwJQ/9qTnWN3e8xn4Y+nr52th4HoZkpPy3iGEN qdOYN/8+E0lTmsIRfglX0SuStqmxGtRuterR27FMGv1nqYNQEBO3Syq+MWW7nAwtGm2E TLjIgc6J+RRcq/PzR6SsTGtdH7YvFxaDtOy6mmaY+jpDYH4On6g8L4vlLaU3c/uauruZ bxSw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=Ux4WD9Ql; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=TmmcWXj9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u5-20020a634705000000b00542d2508ac7si3966022pga.200.2023.06.12.08.01.44; Mon, 12 Jun 2023 08:01:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=Ux4WD9Ql; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=TmmcWXj9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236848AbjFLOkf (ORCPT + 99 others); Mon, 12 Jun 2023 10:40:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52118 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239158AbjFLOkN (ORCPT ); Mon, 12 Jun 2023 10:40:13 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 68687B2 for ; Mon, 12 Jun 2023 07:40:11 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 14F5922786; Mon, 12 Jun 2023 14:40:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1686580810; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=hYLoOeOIQ8H4THh4mtox6bn85ZlcWEe8+m8shFZxDC4=; b=Ux4WD9Ql/nMB2yEjL3CdjFVODC6dY6wvZTHEZpANfrJo+dh6s8ZhBc/lK85Pw/mbd+x+Yc BfLsURVb6jO8yvMB8kaIJM63gSnn8Rg4LwM/Nk5LicmdbSYLUqtdtic1RbAeaPNCb+sYQw O3yrzEzU+lMrhhd6B0pWu5WQdrd9Q3E= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1686580810; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=hYLoOeOIQ8H4THh4mtox6bn85ZlcWEe8+m8shFZxDC4=; b=TmmcWXj90bSkYWykbMvKZpE1uLvxGxAQK3ZSUWl4TsAFJebnfwC9St3rr0KhjAhcVu68QK SyEmf6rz1+i2GzBA== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 06F151357F; Mon, 12 Jun 2023 14:40:10 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id lL6vAUouh2TWJQAAMHmgww (envelope-from ); Mon, 12 Jun 2023 14:40:10 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id 7E987A0717; Mon, 12 Jun 2023 16:40:09 +0200 (CEST) Date: Mon, 12 Jun 2023 16:40:09 +0200 From: Jan Kara To: Wenchao Hao Cc: Jan Kara , linux-kernel@vger.kernel.org, linfeilong@huawei.com Subject: Re: [PATCH 0/2] Fix out-of-bound access if pagecache of udf device is corrupted Message-ID: <20230612144009.s436o52pctxgctr2@quack3> References: <20230613032254.1235752-1-haowenchao2@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230613032254.1235752-1-haowenchao2@huawei.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue 13-06-23 11:22:52, Wenchao Hao wrote: > Following steps would cause out-of-bound access and even cause kernel > panic when using udf: > > dd if=/dev/zero of=udf.img bs=1M count=512 > mkfs.udf udf.img > mount -o loop -t udf udf.img /mnt > dd if=/dev/random of=/dev/loop0 bs=512 count=1 seek=128 > umount /mnt > > [if /mnt is mounted on /dev/loop0] > > It is because we did not check if udf_sb_info->s_lvid_bh is valid in > udf_sb_lvidiu(). > > Although it's illegal to write backend device since filesystem has been > mounted, but we should avoid kernel panic if it happened. No, it is perfectly valid to crash the kernel if someone writes the buffer cache of the device while the device is mounted (which your example above does). There is no practical protection against this because someone could overwrite the buffer just after the moment you verify its validity. The only protection would be to lock the buffer for each access and fully verify validity of the data after each locking but the performance and maintenance overhead of this is too high to justify. So I'm sorry but I will not take any patches that try to "fix" situations when someone writes buffer cache while the filesystem is mounted. I guess your work is motivated by some syzbot reproducer which was doing this. Let me work on a kernel option which syzbot can use to not report these issues. Honza -- Jan Kara SUSE Labs, CR