Date: Wed, 31 Jan 2024 19:43:18 +0100
From: David Sterba
To: Edward Adam Davis
Cc: dsterba@suse.cz, clm@fb.com, daniel@iogearbox.net, dsterba@suse.com, john.fastabend@gmail.com, josef@toxicpanda.com, linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, liujian56@huawei.com, syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [btrfs?] KASAN: slab-out-of-bounds Read in getname_kernel (2)
Message-ID: <20240131184318.GQ31555@twin.jikos.cz>
Reply-To: dsterba@suse.cz
References: <20240115190824.GV31555@twin.jikos.cz>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 16, 2024 at 09:09:47AM +0800, Edward Adam Davis wrote:
> On Mon, 15 Jan 2024 20:08:25 +0100, David Sterba wrote:
> > > > If ioctl does not pass in the correct tgtdev_name string, oob will occur because
> > > > "\0" cannot be found.
> > > >
> > > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
> > > > Signed-off-by: Edward Adam Davis
> > > > ---
> > > >  fs/btrfs/dev-replace.c | 6 ++++--
> > > >  1 file changed, 4 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
> > > > index f9544fda38e9..e7e96e57f682 100644
> > > > --- a/fs/btrfs/dev-replace.c
> > > > +++ b/fs/btrfs/dev-replace.c
> > > > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info,
> > > >  int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
> > > >  			      struct btrfs_ioctl_dev_replace_args *args)
> > > >  {
> > > > -	int ret;
> > > > +	int ret, len;
> > > >
> > > >  	switch (args->start.cont_reading_from_srcdev_mode) {
> > > >  	case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS:
> > > > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
> > > >  		return -EINVAL;
> > > >  	}
> > > >
> > > > +	len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1);
> > > >  	if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
> > > > -	    args->start.tgtdev_name[0] == '\0')
> > > > +	    args->start.tgtdev_name[0] == '\0' ||
> > > > +	    len == BTRFS_DEVICE_PATH_NAME_MAX + 1)
> > > >
> > > I think srcdev_name would have to be checked the same way, but instead
> > > of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check
> > > for 0 in [0] is probably pointless, it's just a shortcut for an empty
> > > buffer. We expect a valid 0-terminated string, which could be an invalid
> > > path but that will be found out later when opening the block device.
> >
> > Please let me know if you're going to send an updated fix. I'd like to
> > get this fixed to close the syzbot report but also want to give you the
> > credit for debugging and fix.
> >
> > The preferred fix is something like that:
> >
> > --- a/fs/btrfs/dev-replace.c
> > +++ b/fs/btrfs/dev-replace.c
> > @@ -741,6 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
> >  	if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
> >  	    args->start.tgtdev_name[0] == '\0')
> >  		return -EINVAL;
> > +	args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0;
> > +	args->start.tgtdev_name[BTRFS_PATH_NAME_MAX] = 0;
> This is not correct,
> 1. The maximum length of tgtdev_name is BTRFS_DEVICE_PATH_NAME_MAX + 1
> 2. strnlen should be used to confirm the presence of \0 in tgtdev_name
> 3. Input values should not be subjectively updated

Regarding that point I agree it's not the best handling and could be
confusing. There are multiple instances of that in the ioctl callbacks
so the proper fix is to add a helper doing the validity check (either
strnlen or memchr) and then use it. The pattern to look for is
"vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';" in ioctl.c (at least).
Let me know if you'd want to implement that.
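Review bot: on the `@@ -730,7 +730,7 @@` hunk of the first patch, `len` in the new `int ret, len;` only ever receives the return value of `strnlen()`, which is `size_t`; declaring it `size_t len` matches its producer and keeps the later `len == BTRFS_DEVICE_PATH_NAME_MAX + 1` comparison between unsigned operands instead of mixing `int` with a `size_t` result.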
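Review bot: on the `@@ -740,8 +740,10 @@` hunk of the first patch, the added `strnlen()` check covers only `tgtdev_name`, while `srcdev_name` arrives through the same ioctl with no terminator guarantee and is read by the same code path, so the unterminated-buffer case the patch description names remains reachable through the source name; both fields need the same check, as the in-thread review already asked. The bound `BTRFS_DEVICE_PATH_NAME_MAX + 1` is also only correct because the array happens to be that size; `sizeof(args->start.tgtdev_name)` ties the scan to the array declaration, and a rejected-for-no-terminator name is better reported as `-ENAMETOOLONG` than folded into the `-EINVAL` branch, so userspace can tell an over-long name from a missing one.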
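Review bot: on the `@@ -741,6 +741,8 @@` hunk of the proposed alternative, the index in `args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0;` is a different constant from the one the rest of the thread sizes these two fields with (`BTRFS_DEVICE_PATH_NAME_MAX + 1`, per the first patch and the numbered reply); `BTRFS_PATH_NAME_MAX` and `BTRFS_DEVICE_PATH_NAME_MAX` are distinct values in the uapi header, so if the arrays are `BTRFS_DEVICE_PATH_NAME_MAX + 1` bytes the store must target index `BTRFS_DEVICE_PATH_NAME_MAX`, otherwise it writes outside the name field. Independently of the index, forcing a terminator silently turns an over-long name into a different, shorter path and rewrites the caller's input, which is the objection in Edward's point 3; a check that rejects a name with no NUL inside the array (`memchr(name, 0, sizeof(name))`, returning an error) keeps the input intact and reports the problem instead of masking it.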
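The helper approach David describes in the last paragraph, as an added userspace model that is not code from this thread or from the btrfs tree: `DEMO_NAME_MAX`, `struct demo_replace_args` and the `demo_*` functions are assumed stand-ins for the kernel's constants and ioctl structures, and the device names are constructed inputs. It shows both variants discussed, the reject-if-unterminated check over both name fields and the forced-terminator alternative, so the difference in behaviour on an over-long name is visible.

```c
/*
 * Added example, not code from this thread or the btrfs tree: a userspace
 * model of validating fixed-size name buffers that arrive through an ioctl.
 * DEMO_NAME_MAX, struct demo_replace_args and the demo_* functions are
 * stand-ins assumed for the demo, not the kernel's definitions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for BTRFS_DEVICE_PATH_NAME_MAX, kept small so the cases read easily. */
#define DEMO_NAME_MAX 8

/* Stand-in for the ioctl argument block: each name array is DEMO_NAME_MAX + 1 bytes. */
struct demo_replace_args {
	unsigned long long srcdevid;
	char srcdev_name[DEMO_NAME_MAX + 1];
	char tgtdev_name[DEMO_NAME_MAX + 1];
};

/* The helper the thread proposes: a buffer is only usable as a C string if a
 * NUL byte exists inside its fixed size. memchr() stops at the buffer end,
 * unlike strlen() on an unterminated buffer. */
static int demo_check_name(const char *name, size_t size)
{
	if (memchr(name, 0, size) == NULL)
		return -ENAMETOOLONG;
	return 0;
}

/* Entry check: both names are validated before any string function touches them. */
static int demo_validate_args(const struct demo_replace_args *args)
{
	int ret;

	ret = demo_check_name(args->srcdev_name, sizeof(args->srcdev_name));
	if (ret)
		return ret;
	ret = demo_check_name(args->tgtdev_name, sizeof(args->tgtdev_name));
	if (ret)
		return ret;
	/* Now safe to read the names as strings; empty ones are still rejected. */
	if ((args->srcdevid == 0 && args->srcdev_name[0] == '\0') ||
	    args->tgtdev_name[0] == '\0')
		return -EINVAL;
	return 0;
}

/* Fill a name array as raw user bytes would land: input longer than the array
 * leaves it with no terminator at all. */
static void demo_set_name(char *dst, size_t size, const char *input)
{
	size_t n = strlen(input);

	memset(dst, 0, size);
	memcpy(dst, input, n < size ? n : size);
}

static int demo_run(unsigned long long srcdevid, const char *src, const char *tgt)
{
	struct demo_replace_args args;

	args.srcdevid = srcdevid;
	demo_set_name(args.srcdev_name, sizeof(args.srcdev_name), src);
	demo_set_name(args.tgtdev_name, sizeof(args.tgtdev_name), tgt);
	return demo_validate_args(&args);
}

/* Constructed cases; "/dev/sdb-long" is 13 bytes and overfills the 9-byte array. */
int demo_case_ok(void)        { return demo_run(0, "/dev/sda", "/dev/sdb"); }
int demo_case_by_devid(void)  { return demo_run(1, "", "/dev/sdb"); }
int demo_case_empty_tgt(void) { return demo_run(0, "/dev/sda", ""); }
int demo_case_long_tgt(void)  { return demo_run(0, "/dev/sda", "/dev/sdb-long"); }
/* srcdev_name is checked even when srcdevid selects the device, as the review asked. */
int demo_case_long_src(void)  { return demo_run(1, "/dev/sda-long", "/dev/sdb"); }

/* The other option from the thread, forcing a terminator into the last byte:
 * no over-read, but an over-long name silently becomes a different, shorter
 * one and the caller's input is rewritten. Returns 1 if that happened. */
int demo_clamp_accepts_truncated(void)
{
	struct demo_replace_args args;

	args.srcdevid = 0;
	demo_set_name(args.srcdev_name, sizeof(args.srcdev_name), "/dev/sda");
	demo_set_name(args.tgtdev_name, sizeof(args.tgtdev_name), "/dev/sdb-long");
	args.tgtdev_name[DEMO_NAME_MAX] = 0;
	return demo_validate_args(&args) == 0 &&
	       strcmp(args.tgtdev_name, "/dev/sdb") == 0;
}

int main(void)
{
	printf("ok=%d by_devid=%d empty_tgt=%d long_tgt=%d long_src=%d clamp=%d\n",
	       demo_case_ok(), demo_case_by_devid(), demo_case_empty_tgt(),
	       demo_case_long_tgt(), demo_case_long_src(), demo_clamp_accepts_truncated());
	return 0;
}
```

The check runs over `sizeof` the field rather than a separately maintained constant, so it stays correct if the array size changes, and it runs before any string function reads the buffer; the clamp variant passes the same validation but hands a different path to the caller than the one supplied.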