Received: by 2002:ac0:e34a:0:0:0:0:0 with SMTP id g10csp191796imn; Wed, 27 Jul 2022 19:55:41 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uVRKmNKBtGSZZfBgMSztoQu2QFw65WeRJv1h0v1yANmsEChqqnlxbDPOr/9QERyuv4DHKt X-Received: by 2002:a17:907:7ba6:b0:72b:44ff:7282 with SMTP id ne38-20020a1709077ba600b0072b44ff7282mr19969090ejc.652.1658976941149; Wed, 27 Jul 2022 19:55:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658976941; cv=none; d=google.com; s=arc-20160816; b=EppNLVRA10wLNn5kCl2zcewGxKxXjKPQ1doYxdprrzVIZFvZ8kDV2T+i6x2Io64kdx Pm2RZLVv/bwAEUihLJ25E5h7WayzGMexHYtHyze9tAELrC+OypkP34aDeWvu9N9lsFtT 5U3I9fib6e2twVqS+W/r8XIOSpXPJbwys1tmFmYyb/S2LDHchq7d6SgaY79KLI1w1oVf Sbv3vlJXiRAXE2Q4Lu4DP1T71bo7yfmsqRNT1g1A2I2tlEq62CRT7UOeq37F43HvTGwa 7RBbKS8YYQGP2POJx8E/kLMrnXomUfxIsbedyPxbE2HHcd343Qe6mOnyhl0zMY7euWaq kYOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ejSHHiLjBcMpnwLBkyTMf+ExkkZ3cdcIkm+gshBhsYs=; b=YCZ9k2r27O92gtMvhfnQHie2+DSVfT1R5d8BsLPgshJDdFpzGUdcdKt3oWvd8pcqxT 030A8WC2r2MssilfoKuX7iGByAodtwYVprMmjqNE7rc48lP/gVRLCrp2RysccFx+7PvT DLgM45EgHGLpDJe/+rdNrUdVC3KZ1KgWhuZTk9/kiNkDmUouuLkrL/wHj+wSiawyl89S 7Rmi24WlIQWZM5okWl9UFJAQik4NKLX6omZEnGGEtq6VoFBHUvEVneuv0L3/hdRbXzcn 0XO8NmsCmmtyfdKXSdvC6fMLntTY1Sv/xJEEaOwmxUza+b5k9WpDoR6BS4pLzNxy/Y8g mLzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=aj4DEkjf; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gs10-20020a1709072d0a00b0072b9c430633si21895859ejc.500.2022.07.27.19.55.09; Wed, 27 Jul 2022 19:55:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=aj4DEkjf; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229446AbiG1CrQ (ORCPT + 99 others); Wed, 27 Jul 2022 22:47:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43168 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232484AbiG1CrP (ORCPT ); Wed, 27 Jul 2022 22:47:15 -0400 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D5F594AD61 for ; Wed, 27 Jul 2022 19:47:10 -0700 (PDT) Received: from cwcc.thunk.org (pool-173-48-118-63.bstnma.fios.verizon.net [173.48.118.63]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 26S2kscZ022654 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Jul 2022 22:46:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1658976415; bh=ejSHHiLjBcMpnwLBkyTMf+ExkkZ3cdcIkm+gshBhsYs=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=aj4DEkjfY9KpmSLMl8WIosfRSIbnNgqojWHC+qJhn6W9QeP1+cksDpLg0YsgUlOvH YuJIZTAWjHbAeb43e5p608BSFhIpgDvK1fd2PUsXFK6v/3volvnd5/9c872FpH5Csi EN0kw9eOVz0F41P+VFiw0ZGqMM1Fk7X2c4b8vtlU3N3vXLhXrbfYL1xHTDVXPeBzu/ DIrHE0vIkf7i+lDCMkLkctwOkse9EgKJorJIdCR3SJuE04I6gJG4EpRlonpDwLX5RU cBKWJexcuRkWa4xaoDb2JrhCVWsldy61a+G4SyzuD/aqXt6+jTfBJIFdgTeer91yf4 i35lrLf0szkCg== Received: by cwcc.thunk.org (Postfix, from userid 15806) id D289C15C3487; Wed, 27 Jul 2022 22:46:53 -0400 (EDT) Date: Wed, 27 Jul 2022 22:46:53 -0400 From: "Theodore Ts'o" To: Dave Chinner Cc: Lukas Czerner , "Darrick J. Wong" , bugzilla-daemon@kernel.org, linux-ext4@vger.kernel.org Subject: Re: [Bug 216283] New: FUZZ: BUG() triggered in fs/ext4/extent.c:ext4_ext_insert_extent() when mount and operate on crafted image Message-ID: References: <20220727115307.qco6dn2tqqw52pl7@fedora> <20220727232224.GW3600936@dread.disaster.area> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220727232224.GW3600936@dread.disaster.area> X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Thu, Jul 28, 2022 at 09:22:24AM +1000, Dave Chinner wrote: > On Wed, Jul 27, 2022 at 01:53:07PM +0200, Lukas Czerner wrote: > > While I understand the frustration with the fuzzer bug reports like this > > I very much disagree with your statement about ethical and moral > > responsibility. > > > > The bug is in the code, it would have been there even if Wenqing Liu > > didn't run the tool. > > i.e. your argument implies they have no responsibility and hence are > entitled to say "We aren't responsible for helping anyone understand > the problem or mitigating the impact of the flaw - we've got our > publicity and secured tenure with discovery and publication!" > > That's not _responsible disclosure_. So I'm going to disagree here. I understand that this is the XFS position, and so a few years back, the Georgia Tech folks who were responsible for Janus and Hydra decided not to engage with the XFS community and stopped reporting XFS bugs. They continued to engage with the ext4 community, and I found their reports to be helpful. We found and fixed quite a few bugs as a result of their work, and I sponsored them to get some research funding from Google so they could do more file system fuzzing work, because I thought their work was a useful contribution. I don't particularly worry about "responsible disclosure" because I don't consider fuzzed file system crashes to be a particularly serious security concern. There are some crazy container folks who think containers are just as secure(tm) as VM's, and who advocate allowing untrusted containers to mount arbitrary file system images and expect that this not cause the "host" OS to crash or get compromised. Those people are insane(tm), and I don't particularly worry about their use cases. If you have a Linux laptop with an automounter enabled it's possible that when you plug in a USB stick containing a corrupted file system, it could cause the system to crash. But that requires physical access to the machine, and if you have physical access, there is no shortage of problems you could cause in any case. > Public reports like this require immediate work to determine the > scope, impact and risk of the problem to decide what needs to be > done next. All public disclosure does is start a race and force > developers to have to address it immediately. Nope. I'll address these when I have time, and I don't consider them to be particularly urgent, for the reasons described above. I actually consider this fuzzer bug report to be particularly well-formed. Unlike Syzkaller, the file system image was in a separate file, and wasn't embedded in the reproducer.c file in a way that made it super-inconvenient to extract. Furthermore, like the Georgia Tech fuzzing reports, I appreciate that it was filed in Bugzilla, since it won't easily get lost, with all of the information that we need. In any case, I've taken a closer look at this report, and it's actually quite the interesting problem. The issue is that we have an non-leaf node in the extent tree where eh_entries header field is zero. This should never happen: debugfs: extents <16> Level Entries Logical Physical Length Flags 0/ 2 1/ 1 0 - 98030 9284 98031 1/ 2 1/ 0 0 - 98030 9282 98031 <====== ^^^ 2/ 2 1/ 84 0 - 0 9730 - 9730 1 2/ 2 2/ 84 5 - 7 9739 - 9741 3 2/ 2 3/ 84 16 - 17 9750 - 9751 2 2/ 2 4/ 84 26 - 26 9768 - 9768 1 2/ 2 5/ 84 36 - 36 9787 - 9787 1 This causes len to go negative in ext4_extent_insert_extent: [ 26.419401] ino 16 len -1 logical 98040 eh_entries 0 eh_max 84 depth 1 ... which is what triggers the BUG_ON(len < 0). What makes this particularly interesting is that neither the kernel *nor* e2fsck is flagging this extent tree as corrupt. So this is an opportunity to improve both the kernel as well as fsck.ext4. Again, it's not an *urgent* issue, but it is something that is worth trying to improve in ext4 from the perspective of improving the quality of our implementation. And since it's not an urgent issue, concerns of "responsble disclosure" don't arise, at least not in my opinion. - Ted