Linux-Fsdevel Archive on lore.kernel.org
* [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes
@ 2020-06-28  6:08 Eric Biggers
  2020-06-28  6:08 ` [PATCH 1/6] fs/minix: check return value of sb_getblk() Eric Biggers
                   ` (6 more replies)
  0 siblings, 7 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton; +Cc: linux-kernel, Qiujun Huang

This series fixes all syzbot bugs in the minix filesystem:

	KASAN: null-ptr-deref Write in get_block
	KASAN: use-after-free Write in get_block
	KASAN: use-after-free Read in get_block
	WARNING in inc_nlink
	KMSAN: uninit-value in get_block
	WARNING in drop_nlink

It also fixes the minix filesystem to set s_maxbytes correctly, so that
userspace sees the correct behavior when exceeding the max file size.

Al or Andrew: one of you will need to take these patches, since no one
is maintaining this filesystem.


Eric Biggers (6):
  fs/minix: check return value of sb_getblk()
  fs/minix: don't allow getting deleted inodes
  fs/minix: reject too-large maximum file size
  fs/minix: set s_maxbytes correctly
  fs/minix: fix block limit check for V1 filesystems
  fs/minix: remove expected error message in block_to_path()

 fs/minix/inode.c        | 42 +++++++++++++++++++++++++++++++++++++----
 fs/minix/itree_common.c |  8 +++++++-
 fs/minix/itree_v1.c     | 12 ++++++------
 fs/minix/itree_v2.c     | 13 ++++++-------
 fs/minix/minix.h        |  1 -
 5 files changed, 57 insertions(+), 19 deletions(-)

-- 
2.27.0



* [PATCH 1/6] fs/minix: check return value of sb_getblk()
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-07-07 19:26   ` Andrew Morton
  2020-06-28  6:08 ` [PATCH 2/6] fs/minix: don't allow getting deleted inodes Eric Biggers
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton
  Cc: linux-kernel, Qiujun Huang, stable, syzbot+4a88b2b9dc280f47baf4

From: Eric Biggers <ebiggers@google.com>

sb_getblk() can fail, so check its return value.

This fixes a NULL pointer dereference.

Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Originally-from: Qiujun Huang <anenbupt@gmail.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/itree_common.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/minix/itree_common.c b/fs/minix/itree_common.c
index 043c3fdbc8e7..446148792f41 100644
--- a/fs/minix/itree_common.c
+++ b/fs/minix/itree_common.c
@@ -75,6 +75,7 @@ static int alloc_branch(struct inode *inode,
 	int n = 0;
 	int i;
 	int parent = minix_new_block(inode);
+	int err = -ENOSPC;
 
 	branch[0].key = cpu_to_block(parent);
 	if (parent) for (n = 1; n < num; n++) {
@@ -85,6 +86,11 @@ static int alloc_branch(struct inode *inode,
 			break;
 		branch[n].key = cpu_to_block(nr);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh) {
+			minix_free_block(inode, nr);
+			err = -ENOMEM;
+			break;
+		}
 		lock_buffer(bh);
 		memset(bh->b_data, 0, bh->b_size);
 		branch[n].bh = bh;
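
Review bot: the explicit `minix_free_block(inode, nr)` before the `break` is needed only because `n` has not been incremented yet, so the cleanup loop `for (i = 0; i < n; i++) minix_free_block(...)` at the bottom of the function does not cover `branch[n].key`; that coupling deserves a one-line comment at the `if (!bh)` site. Anyone who later moves `branch[n].key = cpu_to_block(nr)` below the sb_getblk() call, or bumps `n` before it, silently turns this into either a double free (block freed here and by the loop) or a leak, and nothing in the code says why the extra free is there.
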
@@ -103,7 +109,7 @@ static int alloc_branch(struct inode *inode,
 		bforget(branch[i].bh);
 	for (i = 0; i < n; i++)
 		minix_free_block(inode, block_to_cpu(branch[i].key));
-	return -ENOSPC;
+	return err;
 }
 
 static inline int splice_branch(struct inode *inode,
-- 
2.27.0



* [PATCH 2/6] fs/minix: don't allow getting deleted inodes
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
  2020-06-28  6:08 ` [PATCH 1/6] fs/minix: check return value of sb_getblk() Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-06-28  6:08 ` [PATCH 3/6] fs/minix: reject too-large maximum file size Eric Biggers
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton
  Cc: linux-kernel, Qiujun Huang, stable, syzbot+a9ac3de1b5de5fb10efc,
	syzbot+df958cf5688a96ad3287

From: Eric Biggers <ebiggers@google.com>

If an inode has no links, we need to mark it bad rather than allowing it
to be accessed.  This avoids WARNINGs in inc_nlink() and drop_nlink()
when doing directory operations on a fuzzed filesystem.

Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com
Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/inode.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 7cb5fd38eb14..2bca95abe8f4 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -468,6 +468,13 @@ static struct inode *V1_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-EIO);
 	}
+	if (raw_inode->i_nlinks == 0) {
+		printk("MINIX-fs: deleted inode referenced: %lu\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-ESTALE);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
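
Review bot: the new printk() has no log level and no rate limiting, whereas the other per-operation diagnostic in this filesystem, the "block %ld too big" message in block_to_path(), is gated by printk_ratelimit() (see the itree_v1.c hunk in patch 4 of this series). Since this check fires on every iget of the inode, a crafted image whose directory entries point at zero-link inodes can flood the log on each lookup; gate it the same way, e.g. `if (printk_ratelimit()) printk(...)`, or use pr_warn_ratelimited().
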
@@ -501,6 +508,13 @@ static struct inode *V2_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-EIO);
 	}
+	if (raw_inode->i_nlinks == 0) {
+		printk("MINIX-fs: deleted inode referenced: %lu\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-ESTALE);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
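
Review bot: this block is a verbatim copy of the one added to V1_minix_iget() above, message text included. A small shared helper taking the raw link count (both raw inode structs expose it as `i_nlinks` here) would keep the two paths from drifting and would be the natural single place to put the rate-limiting the message needs.
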
-- 
2.27.0



* [PATCH 3/6] fs/minix: reject too-large maximum file size
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
  2020-06-28  6:08 ` [PATCH 1/6] fs/minix: check return value of sb_getblk() Eric Biggers
  2020-06-28  6:08 ` [PATCH 2/6] fs/minix: don't allow getting deleted inodes Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-06-28  6:08 ` [PATCH 4/6] fs/minix: set s_maxbytes correctly Eric Biggers
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton
  Cc: linux-kernel, Qiujun Huang, stable, syzbot+c7d9ec7a1a7272dd71b3,
	syzbot+3b7b03a0c28948054fb5, syzbot+6e056ee473568865f3e6

From: Eric Biggers <ebiggers@google.com>

If the minix filesystem tries to map a very large logical block number
to its on-disk location, block_to_path() can return offsets that are too
large, causing out-of-bounds memory accesses when accessing indirect
index blocks.  This should be prevented by the check against the maximum
file size, but this doesn't work because the maximum file size is read
directly from the on-disk superblock and isn't validated itself.

Fix this by validating the maximum file size at mount time.

Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/inode.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 2bca95abe8f4..0dd929346f3f 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -150,6 +150,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data)
 	return 0;
 }
 
+static bool minix_check_superblock(struct minix_sb_info *sbi)
+{
+	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+		return false;
+
+	/*
+	 * s_max_size must not exceed the block mapping limitation.  This check
+	 * is only needed for V1 filesystems, since V2/V3 support an extra level
+	 * of indirect blocks which places the limit well above U32_MAX.
+	 */
+	if (sbi->s_version == MINIX_V1 &&
+	    sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE)
+		return false;
+
+	return true;
+}
+
 static int minix_fill_super(struct super_block *s, void *data, int silent)
 {
 	struct buffer_head *bh;
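
Review bot: the check bounds s_max_size only from above; `s_max_size == 0` (or any value below BLOCK_SIZE) still passes, and with it the existing `block >= s_max_size/BLOCK_SIZE` test in block_to_path() rejects every block, so the image mounts but no file data can be mapped. Rejecting `s_max_size == 0` here as well would turn that into a clean mount failure. Separately, `7 + 512 + 512*512` restates the direct/indirect/double-indirect geometry already hard-coded in itree_v1.c's block_to_path() (the `block < 7` and `< 512` branches); a named constant shared with that file would keep the two in step.
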
@@ -228,11 +245,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
 	} else
 		goto out_no_fs;
 
+	if (!minix_check_superblock(sbi))
+		goto out_illegal_sb;
+
 	/*
 	 * Allocate the buffer map to keep the superblock small.
 	 */
-	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
-		goto out_illegal_sb;
 	i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh);
 	map = kzalloc(i, GFP_KERNEL);
 	if (!map)
-- 
2.27.0



* [PATCH 4/6] fs/minix: set s_maxbytes correctly
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
                   ` (2 preceding siblings ...)
  2020-06-28  6:08 ` [PATCH 3/6] fs/minix: reject too-large maximum file size Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-06-28  6:08 ` [PATCH 5/6] fs/minix: fix block limit check for V1 filesystems Eric Biggers
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton; +Cc: linux-kernel, Qiujun Huang

From: Eric Biggers <ebiggers@google.com>

The minix filesystem leaves super_block::s_maxbytes at MAX_NON_LFS
rather than setting it to the actual filesystem-specific limit.  This is
broken because it means userspace doesn't see the standard behavior like
getting EFBIG and SIGXFSZ when exceeding the maximum file size.

Fix this by setting s_maxbytes correctly.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/inode.c    | 12 +++++++-----
 fs/minix/itree_v1.c |  2 +-
 fs/minix/itree_v2.c |  3 +--
 fs/minix/minix.h    |  1 -
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 0dd929346f3f..7b09a9158e40 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -150,8 +150,10 @@ static int minix_remount (struct super_block * sb, int * flags, char * data)
 	return 0;
 }
 
-static bool minix_check_superblock(struct minix_sb_info *sbi)
+static bool minix_check_superblock(struct super_block *sb)
 {
+	struct minix_sb_info *sbi = minix_sb(sb);
+
 	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
 		return false;
 
@@ -161,7 +163,7 @@ static bool minix_check_superblock(struct minix_sb_info *sbi)
 	 * of indirect blocks which places the limit well above U32_MAX.
 	 */
 	if (sbi->s_version == MINIX_V1 &&
-	    sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE)
+	    sb->s_maxbytes > (7 + 512 + 512*512) * BLOCK_SIZE)
 		return false;
 
 	return true;
@@ -202,7 +204,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
 	sbi->s_zmap_blocks = ms->s_zmap_blocks;
 	sbi->s_firstdatazone = ms->s_firstdatazone;
 	sbi->s_log_zone_size = ms->s_log_zone_size;
-	sbi->s_max_size = ms->s_max_size;
+	s->s_maxbytes = ms->s_max_size;
 	s->s_magic = ms->s_magic;
 	if (s->s_magic == MINIX_SUPER_MAGIC) {
 		sbi->s_version = MINIX_V1;
@@ -233,7 +235,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
 		sbi->s_zmap_blocks = m3s->s_zmap_blocks;
 		sbi->s_firstdatazone = m3s->s_firstdatazone;
 		sbi->s_log_zone_size = m3s->s_log_zone_size;
-		sbi->s_max_size = m3s->s_max_size;
+		s->s_maxbytes = m3s->s_max_size;
 		sbi->s_ninodes = m3s->s_ninodes;
 		sbi->s_nzones = m3s->s_zones;
 		sbi->s_dirsize = 64;
@@ -245,7 +247,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
 	} else
 		goto out_no_fs;
 
-	if (!minix_check_superblock(sbi))
+	if (!minix_check_superblock(s))
 		goto out_illegal_sb;
 
 	/*
diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
index 046cc96ee7ad..c0d418209ead 100644
--- a/fs/minix/itree_v1.c
+++ b/fs/minix/itree_v1.c
@@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 	if (block < 0) {
 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
 			block, inode->i_sb->s_bdev);
-	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+	} else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) {
 		if (printk_ratelimit())
 			printk("MINIX-fs: block_to_path: "
 			       "block %ld too big on dev %pg\n",
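
Review bot: `block >= inode->i_sb->s_maxbytes/BLOCK_SIZE` keeps the rounding-down defect that patch 5 of this series then fixes on this very line; since this patch already rewrites the line, it would be cleaner to use the byte-offset form `(u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes` here (matching the itree_v2.c hunk below) and drop patch 5, or to reorder the series so the one-line bug fix lands before the s_maxbytes conversion and is bisectable on its own.
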
diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c
index f7fc7ecccccc..ee8af2f9e282 100644
--- a/fs/minix/itree_v2.c
+++ b/fs/minix/itree_v2.c
@@ -32,8 +32,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 	if (block < 0) {
 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
 			block, sb->s_bdev);
-	} else if ((u64)block * (u64)sb->s_blocksize >=
-			minix_sb(sb)->s_max_size) {
+	} else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) {
 		if (printk_ratelimit())
 			printk("MINIX-fs: block_to_path: "
 			       "block %ld too big on dev %pg\n",
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index df081e8afcc3..168d45d3de73 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -32,7 +32,6 @@ struct minix_sb_info {
 	unsigned long s_zmap_blocks;
 	unsigned long s_firstdatazone;
 	unsigned long s_log_zone_size;
-	unsigned long s_max_size;
 	int s_dirsize;
 	int s_namelen;
 	struct buffer_head ** s_imap;
-- 
2.27.0



* [PATCH 5/6] fs/minix: fix block limit check for V1 filesystems
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
                   ` (3 preceding siblings ...)
  2020-06-28  6:08 ` [PATCH 4/6] fs/minix: set s_maxbytes correctly Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-06-28  6:08 ` [PATCH 6/6] fs/minix: remove expected error message in block_to_path() Eric Biggers
  2020-07-07 17:14 ` [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton; +Cc: linux-kernel, Qiujun Huang

From: Eric Biggers <ebiggers@google.com>

The minix filesystem reads its maximum file size from its on-disk
superblock.  This value isn't necessarily a multiple of the block size.
When it's not, the V1 block mapping code doesn't allow mapping the last
possible block.  Commit 6ed6a722f9ab ("minixfs: fix block limit check")
fixed this in the V2 mapping code.  Fix it in the V1 mapping code too.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/itree_v1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
index c0d418209ead..405573a79aab 100644
--- a/fs/minix/itree_v1.c
+++ b/fs/minix/itree_v1.c
@@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 	if (block < 0) {
 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
 			block, inode->i_sb->s_bdev);
-	} else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) {
+	} else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) {
 		if (printk_ratelimit())
 			printk("MINIX-fs: block_to_path: "
 			       "block %ld too big on dev %pg\n",
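
Review bot: the V1 form hard-codes BLOCK_SIZE where the equivalent V2 check in itree_v2.c (patch 4) uses `sb->s_blocksize`; that is fine because V1 volumes always use 1024-byte blocks, but a short comment saying so would stop a later reader from "fixing" the asymmetry. The `(u64)` cast is doing real work and should stay on the left operand as written: `block` is a `long`, and on 32-bit targets `block * BLOCK_SIZE` could overflow before the comparison.
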
-- 
2.27.0
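
The two failure modes this series closes in the V1 mapping code, indirect-block indices running past the end of a 512-entry block when s_max_size is not validated (patch 3) and the last block of a non-block-aligned size being refused by the rounding-down check (patch 5), are easier to see outside the kernel. The program below is an added example, not code from fs/minix or from the patch author: it transcribes the V1 block_to_path() arithmetic and the before/after limit checks from the hunks above into a userspace C model. The `V1_*` names, the `block_to_path_v1_old()`/`block_to_path_v1_new()` pair, `path_in_bounds()` and the two sample superblock values are this example's own constructions.

```c
/*
 * Userspace model of the minix V1 logical-block -> index-path mapping and
 * of the mount-time s_max_size validation introduced by this series.
 * Added example, not code from fs/minix: the mapping arithmetic and the
 * two limit checks are transcribed from the patch hunks; the V1_* names,
 * the old/new function pair and path_in_bounds() are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE    1024
#define V1_DIRECT     7     /* zones 0..6 of the inode map data directly   */
#define V1_INDIRECT   7     /* zone 7 points at a single indirect block    */
#define V1_DINDIRECT  8     /* zone 8 points at a double indirect block    */
#define V1_PTRS       512   /* 1024-byte block / 2-byte zone numbers       */
#define V1_MAX_BLOCKS (V1_DIRECT + V1_PTRS + V1_PTRS * V1_PTRS)
#define V1_MAX_BYTES  ((uint64_t)V1_MAX_BLOCKS * BLOCK_SIZE)
#define DEPTH         3

/* Patch 3: the on-disk s_max_size must not exceed what the zone tree can
 * address, otherwise v1_map() below yields indices >= V1_PTRS. */
bool v1_check_max_size(uint32_t s_max_size)
{
	return (uint64_t)s_max_size <= V1_MAX_BYTES;
}

/* The mapping arithmetic from itree_v1.c; the series does not change it. */
static int v1_map(long block, int offsets[DEPTH])
{
	int n = 0;

	if (block < V1_DIRECT) {
		offsets[n++] = (int)block;
	} else if ((block -= V1_DIRECT) < V1_PTRS) {
		offsets[n++] = V1_INDIRECT;
		offsets[n++] = (int)block;
	} else {
		block -= V1_PTRS;
		offsets[n++] = V1_DINDIRECT;
		offsets[n++] = (int)(block >> 9);   /* slot in double indirect block */
		offsets[n++] = (int)(block & 511);  /* slot in single indirect block */
	}
	return n;
}

/* Pre-series check: raw s_max_size, and integer division that rounds down,
 * so the last block of a non-block-aligned size is refused (patch 5 bug). */
int block_to_path_v1_old(uint32_t s_max_size, long block, int offsets[DEPTH])
{
	if (block < 0 || block >= (long)(s_max_size / BLOCK_SIZE))
		return 0;
	return v1_map(block, offsets);
}

/* Post-series check (patches 4 and 5): byte offset against s_maxbytes,
 * which minix_check_superblock() has already bounded at mount time. */
int block_to_path_v1_new(uint64_t s_maxbytes, long block, int offsets[DEPTH])
{
	if (block < 0 || (uint64_t)block * BLOCK_SIZE >= s_maxbytes)
		return 0;
	return v1_map(block, offsets);
}

/* Would every index in the path stay inside a 512-entry indirect block?
 * Depth 0 means "not mapped" and is reported as out of bounds. */
bool path_in_bounds(const int offsets[DEPTH], int depth)
{
	if (depth <= 0 || offsets[0] < 0 || offsets[0] > V1_DINDIRECT)
		return false;
	for (int i = 1; i < depth; i++)
		if (offsets[i] < 0 || offsets[i] >= V1_PTRS)
			return false;
	return true;
}

static void show(const char *what, int depth, const int off[DEPTH])
{
	printf("%-40s depth %d offsets {", what, depth);
	for (int i = 0; i < depth; i++)
		printf("%s%d", i ? "," : "", off[i]);
	printf("} bounds: %s\n", path_in_bounds(off, depth) ? "ok" : "NO");
}

int main(void)
{
	int off[DEPTH] = {0};
	const uint32_t fuzzed = 0xffffffffu;      /* constructed: oversized  */
	const uint32_t odd = 7 * BLOCK_SIZE + 1;  /* constructed: unaligned  */

	printf("fuzzed s_max_size passes mount check: %s\n",
	       v1_check_max_size(fuzzed) ? "yes" : "no");
	show("old check, fuzzed sb, block 1000000",
	     block_to_path_v1_old(fuzzed, 1000000, off), off);
	show("new check, valid sb, block 1000000",
	     block_to_path_v1_new(V1_MAX_BYTES, 1000000, off), off);
	show("new check, valid sb, last block",
	     block_to_path_v1_new(V1_MAX_BYTES, V1_MAX_BLOCKS - 1, off), off);
	show("old check, 7 KiB + 1 byte, block 7",
	     block_to_path_v1_old(odd, 7, off), off);
	show("new check, 7 KiB + 1 byte, block 7",
	     block_to_path_v1_new(odd, 7, off), off);
	return 0;
}
```

With the oversized superblock value the old check lets block 1000000 through and the path comes out as {8,1952,57}: index 1952 into a 512-entry double-indirect block is exactly the out-of-bounds read/write the KASAN reports describe. The validated superblock stops the same request at the limit check. The 7 KiB + 1 byte case shows why patch 5 matters: block 7 lies inside the allowed size, the old `/BLOCK_SIZE` comparison refuses it, the byte-offset comparison maps it to {7,0}.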



* [PATCH 6/6] fs/minix: remove expected error message in block_to_path()
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
                   ` (4 preceding siblings ...)
  2020-06-28  6:08 ` [PATCH 5/6] fs/minix: fix block limit check for V1 filesystems Eric Biggers
@ 2020-06-28  6:08 ` Eric Biggers
  2020-07-07 17:14 ` [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-06-28  6:08 UTC (permalink / raw)
  To: linux-fsdevel, Alexander Viro, Andrew Morton; +Cc: linux-kernel, Qiujun Huang

From: Eric Biggers <ebiggers@google.com>

When truncating a file to a size within the last allowed logical block,
block_to_path() is called with the *next* block.  This exceeds the
limit, causing the "block %ld too big" error message to be printed.

This case isn't actually an error; there are just no more blocks past
that point.  So, remove this error message.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/minix/itree_v1.c | 12 ++++++------
 fs/minix/itree_v2.c | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
index 405573a79aab..1fed906042aa 100644
--- a/fs/minix/itree_v1.c
+++ b/fs/minix/itree_v1.c
@@ -29,12 +29,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 	if (block < 0) {
 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
 			block, inode->i_sb->s_bdev);
-	} else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) {
-		if (printk_ratelimit())
-			printk("MINIX-fs: block_to_path: "
-			       "block %ld too big on dev %pg\n",
-				block, inode->i_sb->s_bdev);
-	} else if (block < 7) {
+		return 0;
+	}
+	if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes)
+		return 0;
+
+	if (block < 7) {
 		offsets[n++] = block;
 	} else if ((block -= 7) < 512) {
 		offsets[n++] = 7;
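
Review bot: the bare `return 0` for `(u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes` now reads like an oversight to someone looking at the file, because the negative-block case directly above it still prints a diagnostic. Put the justification from the commit message in a comment at that line (truncate legitimately calls block_to_path() with the first block past the limit, so silence is intended), otherwise the next person to fuzz this code will put the message back. Note also that the surviving `block < 0` printk() has no rate limit, unlike the one being removed.
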
diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c
index ee8af2f9e282..9d00f31a2d9d 100644
--- a/fs/minix/itree_v2.c
+++ b/fs/minix/itree_v2.c
@@ -32,12 +32,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
 	if (block < 0) {
 		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
 			block, sb->s_bdev);
-	} else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) {
-		if (printk_ratelimit())
-			printk("MINIX-fs: block_to_path: "
-			       "block %ld too big on dev %pg\n",
-				block, sb->s_bdev);
-	} else if (block < DIRCOUNT) {
+		return 0;
+	}
+	if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes)
+		return 0;
+
+	if (block < DIRCOUNT) {
 		offsets[n++] = block;
 	} else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) {
 		offsets[n++] = DIRCOUNT;
-- 
2.27.0



* Re: [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes
  2020-06-28  6:08 [PATCH 0/6] fs/minix: fix syzbot bugs and set s_maxbytes Eric Biggers
                   ` (5 preceding siblings ...)
  2020-06-28  6:08 ` [PATCH 6/6] fs/minix: remove expected error message in block_to_path() Eric Biggers
@ 2020-07-07 17:14 ` Eric Biggers
  6 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-07-07 17:14 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-fsdevel, Alexander Viro, linux-kernel, Qiujun Huang

On Sat, Jun 27, 2020 at 11:08:39PM -0700, Eric Biggers wrote:
> This series fixes all syzbot bugs in the minix filesystem:
> 
> 	KASAN: null-ptr-deref Write in get_block
> 	KASAN: use-after-free Write in get_block
> 	KASAN: use-after-free Read in get_block
> 	WARNING in inc_nlink
> 	KMSAN: uninit-value in get_block
> 	WARNING in drop_nlink
> 
> It also fixes the minix filesystem to set s_maxbytes correctly, so that
> userspace sees the correct behavior when exceeding the max file size.
> 
> Al or Andrew: one of you will need to take these patches, since no one
> is maintaining this filesystem.
> 

Andrew, any interest in taking these patches?

- Eric


* Re: [PATCH 1/6] fs/minix: check return value of sb_getblk()
  2020-06-28  6:08 ` [PATCH 1/6] fs/minix: check return value of sb_getblk() Eric Biggers
@ 2020-07-07 19:26   ` Andrew Morton
  2020-07-07 20:34     ` Eric Biggers
  0 siblings, 1 reply; 10+ messages in thread
From: Andrew Morton @ 2020-07-07 19:26 UTC (permalink / raw)
  To: Eric Biggers
  Cc: linux-fsdevel, Alexander Viro, linux-kernel, Qiujun Huang,
	stable, syzbot+4a88b2b9dc280f47baf4

On Sat, 27 Jun 2020 23:08:40 -0700 Eric Biggers <ebiggers@kernel.org> wrote:

> From: Eric Biggers <ebiggers@google.com>
> 
> sb_getblk() can fail, so check its return value.
> 
> This fixes a NULL pointer dereference.
> 
> Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Originally-from: Qiujun Huang <anenbupt@gmail.com>

Originally-from: isn't really a thing.  Did the original come with a
signed-off-by:?

> Signed-off-by: Eric Biggers <ebiggers@google.com>
>
> ...
>


* Re: [PATCH 1/6] fs/minix: check return value of sb_getblk()
  2020-07-07 19:26   ` Andrew Morton
@ 2020-07-07 20:34     ` Eric Biggers
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Biggers @ 2020-07-07 20:34 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-fsdevel, Alexander Viro, linux-kernel, Qiujun Huang,
	stable, syzbot+4a88b2b9dc280f47baf4

On Tue, Jul 07, 2020 at 12:26:12PM -0700, Andrew Morton wrote:
> On Sat, 27 Jun 2020 23:08:40 -0700 Eric Biggers <ebiggers@kernel.org> wrote:
> 
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > sb_getblk() can fail, so check its return value.
> > 
> > This fixes a NULL pointer dereference.
> > 
> > Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@vger.kernel.org
> > Originally-from: Qiujun Huang <anenbupt@gmail.com>
> 
> Originally-from: isn't really a thing.  Did the original come with a
> signed-off-by:?
> 

Yes it did.  Qiujun's patch was
https://lkml.kernel.org/lkml/20200323125700.7512-1-hqjagain@gmail.com
But I basically started from scratch anyway and my patch ended up different,
so I didn't leave the original "Author:".  Feel free to adjust the patch.

- Eric

