Date: Wed, 15 May 2024 16:49:32 -0600
From: "Theodore Ts'o"
To: Shuangpeng Bai
Cc: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Subject: Re: KASAN: use-after-free in ext4_find_extent in v6.9
Message-ID: <20240515224932.GA202157@mit.edu>
References: <5B9F0C1F-C804-4A9C-8597-4E1A7D16B983@gmail.com>
In-Reply-To: <5B9F0C1F-C804-4A9C-8597-4E1A7D16B983@gmail.com>
X-Mailing-List: linux-ext4@vger.kernel.org

On Tue, May 14, 2024 at 08:40:36PM -0400, Shuangpeng Bai wrote:
> Hi Kernel Maintainers,
>
> Our tool found a kernel bug KASAN: use-after-free in ext4_find_extent. Please see the details below.
>
> Kernel commit: v6.9 (Commits on May 12, 2024)
> Kernel config: attachment
> C/Syz reproducer: attachment
>
> We find this bug was reported and marked as fixed. (https://syzkaller.appspot.com/bug?extid=7ec4ebe875a7076ebb31)
>
> Our reproducer can trigger this bug in v6.9, so the bug may not have been fixed correctly.

The reason why it was marked as fixed is because the reproducer no longer reproduces with CONFIG_BLK_DEV_WRITE_MOUNTED disabled. Upstream syzkaller unconditionally disables this config, and we don't consider reproducers that have CONFIG_BLK_DEV_WRITE_MOUNTED enabled to be a bug. If the reproducer is actively modifying the block device (or the underlying file for a loop device) while it is mounted, we don't consider this a bug.
This requires root, and it's no more a "security bug" than someone complaining that root can execute a reboot(2) system call and calling it a "security bug".

I've looked at your "reproducer" and it does appear to be modifying the block device while it is mounted, and the config does have CONFIG_BLK_DEV_WRITE_MOUNTED enabled. So I don't care (tm).

If you want to put an engineer to work on addressing the bug, and the patch is a clean and maintainable code fix, I'll certainly consider the change. But it's not something that upstream will work on a volunteer basis; no company I am aware of is willing to pay for engineers to work on this sort of issue.

Cheers,

- Ted
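As an added example (not code from the thread, from syzkaller or from the ext4 tree), a small Python helper that parses Linux .config text and applies the triage rule Ted states above: parse_kconfig, triage_report and the two sample configs are constructed here, and the second argument of triage_report stands for a reviewer's finding that the reproducer writes to the block device (or loop backing file) while it is mounted.

```python
import re

# Constructed sample configs (not the attachment from the report).
SAMPLE_ENABLED = "CONFIG_BLK_DEV=y\nCONFIG_BLK_DEV_WRITE_MOUNTED=y\nCONFIG_EXT4_FS=y\n"
SAMPLE_DISABLED = "CONFIG_BLK_DEV=y\n# CONFIG_BLK_DEV_WRITE_MOUNTED is not set\nCONFIG_EXT4_FS=y\n"

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Parse Linux .config text into {option: value}.

    Set options keep their value ('y', 'm', a number, or a string with the
    surrounding quotes removed); '# CONFIG_X is not set' lines map to 'n'.
    Other comment lines and blank lines are ignored.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            name, val = m.groups()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            opts[name] = val
            continue
        m = _UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def triage_report(config_text, reproducer_writes_mounted_dev):
    """Apply the rule from the thread to one report; returns (verdict, reason).

    reproducer_writes_mounted_dev is the reviewer's finding that the
    reproducer modifies the block device (or a loop device's backing file)
    while the filesystem is mounted.
    """
    if not reproducer_writes_mounted_dev:
        return "bug", "reproducer does not touch the mounted device; triage normally"
    state = parse_kconfig(config_text).get("CONFIG_BLK_DEV_WRITE_MOUNTED")
    if state == "y":
        return "not-a-bug", ("needs CONFIG_BLK_DEV_WRITE_MOUNTED=y, which upstream "
                             "syzkaller disables; root writing to a mounted device")
    if state == "n":
        return "investigate", ("kernel was built to reject writes to mounted "
                               "devices, yet the reproducer still writes to one")
    return "unknown", "config lacks CONFIG_BLK_DEV_WRITE_MOUNTED; cannot apply the rule"
```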