Date: Sun, 7 May 2023 20:18:16 +0200
From: Jan Kara
To: Theodore Ts'o
Cc: Ext4 Developers List, syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/2] ext4: allow ext4_get_group_info() to fail
Message-ID: <20230507181816.tsnqhzgajftcbsz5@quack3>
References: <20230430154311.579720-1-tytso@mit.edu> <20230430154311.579720-2-tytso@mit.edu>
In-Reply-To: <20230430154311.579720-2-tytso@mit.edu>
X-Mailing-List: linux-ext4@vger.kernel.org

On Sun 30-04-23 11:43:10, Theodore Ts'o wrote:
> Previously, ext4_get_group_info() would treat an invalid group number
> as BUG(), since in theory it should never happen.  However, if a
> malicious attacker (or fuzzer) modifies the superblock via the block
> device while the file system is mounted, it is possible for
> s_first_data_block to get set to a very large number.  In that case,
> calculating the block group of some block number (such as the
> starting block of a preallocation region) could result in an
> underflow and a very large block group number.  Then the BUG_ON check in
> ext4_get_group_info() would fire, resulting in a denial of service
> attack that can be triggered by root or someone with write access to
> the block device.
>
> From a quality of implementation perspective, it's best that even if
> the system administrator does something that they shouldn't, it
> will not trigger a BUG.  So instead of BUG'ing, ext4_get_group_info()
> will call ext4_error and return NULL.  We also add fallback code in
> all of the callers of ext4_get_group_info() that it might return NULL.
>
> Also, since ext4_get_group_info() was already borderline to be an
> inline function, un-inline it.  This results in a net reduction of the
> compiled text size of ext4 by roughly 2k.
>
> Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
> Signed-off-by: Theodore Ts'o

The patch looks good except for one small problem already found by Julia:

> @@ -2578,7 +2595,7 @@ void ext4_mb_prefetch_fini(struct super_block *sb, ext4_group_t group,
> gdp = ext4_get_group_desc(sb, group, NULL);
> grp = ext4_get_group_info(sb, group);
>
> - if (EXT4_MB_GRP_NEED_INIT(grp) &&
> + if (grp && grp && EXT4_MB_GRP_NEED_INIT(grp) &&
        ^^^ one of these should be gdp.

With this fixed feel free to add:

Reviewed-by: Jan Kara

								Honza
-- 
Jan Kara
SUSE Labs, CR
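Review bot: the new condition `+ if (grp && grp && EXT4_MB_GRP_NEED_INIT(grp) &&` tests grp twice and gdp not at all, even though gdp was just fetched by `gdp = ext4_get_group_desc(sb, group, NULL);` on the line above and is the other pointer this guard has to cover; the first operand should be gdp, i.e. `if (gdp && grp && EXT4_MB_GRP_NEED_INIT(grp) &&`, which is the fix the reply already points to with "one of these should be gdp".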
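The underflow the commit message describes, as an added user-space example that is not part of the patch or of ext4: `struct sb_model`, `group_of_block()`, `old_lookup_would_bug()` and `get_group_info()` are simplified stand-ins for the kernel's superblock fields, its block-to-group arithmetic and ext4_get_group_info(), and the block numbers and superblock values are constructed for the demo. It shows the unsigned wrap that turns a corrupted s_first_data_block into a group number far past s_groups_count, the range check that used to be a BUG_ON, and a caller that handles the NULL the patched lookup returns instead.

```c
/*
 * Added example, not ext4 code: a user-space model of the arithmetic the
 * commit message describes.  struct sb_model, group_of_block(),
 * old_lookup_would_bug() and get_group_info() are simplified stand-ins
 * for the kernel's superblock fields, ext4_get_group_no_and_offset()
 * and ext4_get_group_info(); all numbers are constructed for the demo.
 */
#include <stdint.h>
#include <stdio.h>

struct sb_model {
	uint32_t s_first_data_block;	/* copied from the on-disk superblock: writable by
					 * anyone with write access to the block device */
	uint32_t blocks_per_group;
	uint32_t s_groups_count;	/* derived at mount time; the table below has this many entries */
};

struct group_info {
	uint32_t bb_group;
	int need_init;
};

#define MAX_GROUPS 8
static struct group_info groups[MAX_GROUPS];

/*
 * Block number -> block group.  The block number is an unsigned 64-bit
 * value, so when s_first_data_block is larger than blocknr the subtraction
 * wraps to a huge value instead of going negative, and the quotient,
 * truncated to the 32-bit group type, lands far beyond s_groups_count.
 */
static uint32_t group_of_block(const struct sb_model *sb, uint64_t blocknr)
{
	uint64_t rel = blocknr - sb->s_first_data_block;	/* unsigned wrap on corrupt input */
	return (uint32_t)(rel / sb->blocks_per_group);
}

/* "Before" the patch: the lookup trusted its caller and had BUG_ON(group >= s_groups_count). */
static int old_lookup_would_bug(const struct sb_model *sb, uint32_t group)
{
	return group >= sb->s_groups_count;
}

/* "After" the patch: the same range check reports a filesystem error and returns NULL. */
static struct group_info *get_group_info(const struct sb_model *sb, uint32_t group)
{
	if (group >= sb->s_groups_count) {
		fprintf(stderr, "ext4_error: invalid block group %u (filesystem has %u groups)\n",
			group, sb->s_groups_count);
		return NULL;
	}
	return &groups[group];
}

/*
 * A caller in the style of the patched ext4_mb_prefetch_fini() hunk: it must
 * test the pointer before touching grp->need_init.  Returns 1 if the group
 * needs initialisation, 0 if it does not or if the lookup failed.
 */
static int group_needs_init(const struct sb_model *sb, uint64_t blocknr)
{
	struct group_info *grp = get_group_info(sb, group_of_block(sb, blocknr));

	if (!grp)
		return 0;	/* error already reported; fall back instead of dereferencing NULL */
	return grp->need_init;
}

int main(void)
{
	struct sb_model sane = { .s_first_data_block = 0, .blocks_per_group = 8192,
				 .s_groups_count = MAX_GROUPS };
	struct sb_model corrupt = sane;
	uint64_t blocknr = 20000;	/* constructed: some block inside group 2 */
	uint32_t g;

	for (g = 0; g < MAX_GROUPS; g++) {
		groups[g].bb_group = g;
		groups[g].need_init = 1;
	}

	g = group_of_block(&sane, blocknr);
	printf("sane superblock:    block %llu -> group %u, needs_init=%d\n",
	       (unsigned long long)blocknr, g, group_needs_init(&sane, blocknr));

	/* Model an attacker rewriting s_first_data_block on the mounted device. */
	corrupt.s_first_data_block = 0xFFFFFFF0u;
	g = group_of_block(&corrupt, blocknr);
	printf("corrupt superblock: block %llu -> group %u (0x%x); old code would BUG: %d\n",
	       (unsigned long long)blocknr, g, g, old_lookup_would_bug(&corrupt, g));
	printf("patched lookup:     needs_init=%d (NULL handled by the caller)\n",
	       group_needs_init(&corrupt, blocknr));
	return 0;
}
```

With the sane superblock block 20000 maps to group 2; with s_first_data_block set to 0xFFFFFFF0 the same block maps to group 0xFFF80002, which the old BUG_ON would have turned into a crash and the patched lookup turns into an ext4_error plus a NULL that the caller must check, which is exactly why every caller in the patch needs the `grp &&` guard.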