| Message ID | 20221023163945.39920-1-yin31149@gmail.com |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp61908wru;
Sun, 23 Oct 2022 09:42:46 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM6sseR8Q7O2e8jCs/I9WHoe2kqsXjp9KspVfSX93kHRZD9vde2KePiD9lvg7l2a30G9/8jA
X-Received: by 2002:a17:902:e94f:b0:17f:6df3:1a99 with SMTP id
b15-20020a170902e94f00b0017f6df31a99mr29600344pll.20.1666543366304;
Sun, 23 Oct 2022 09:42:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666543366; cv=none;
d=google.com; s=arc-20160816;
b=oztGHZdaMcfvlTwjbGn8e4t0aOmlBaU3c4Z1+l/wXkfZkQ4bBWd2ELDDaQLtZpTi0F
f3vOPX2X9GCoThLOHZdWE4/B/zlmigLZdCU2CyxNF2LbVwjprpEFvCZ0JYKB3WH5nBa0
KTF1Wx+BSDPhiKmQG0aqChyH9en5tRPfOvJNiHyZC9Bj5k7x4qAfFFxFoE/zmdT6g6o4
KcfRnC9ulR+K+1LFTks0C13FanlpVxbzC3rn1An2Jh7/YKQ1fwk4DTIjeOWpdlawm24G
oEa/tlzb1PtALqRHfDlPxTSR4Ezmyna0JBFO9CYbzwI5cs1m0fg5UJFW9MjekW9kThOY
Mcbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=EEMf11Sn3FVY4fOuES/7fY+Nkkl02+sUy0b7CrgdHj8=;
b=H8CGxK62M6YM6me5tGh1/JeHdQFbqE9+++gxvx8Od0RsgrYys8bP6hcqVdHsXe8NvY
J0WCpWUUXnlGMyGs5LHXixbJb/W+RjlocZ5yUd2uPOqlT38y9K/53JBuUWo2wKQ6LhLJ
/lfDAOOTGesCBzFHbP9slel9n5DOTl30vJzVIpssHwSIMbfZbMiglCbJPJKaPWRn+kLV
2+YLvh3n+amv/p9tx6SoEx78Oj7AefYvyk6fe7GhVrccEZesHZWUS0mYWcVtbbIMppBO
SuQqdTX68xJKPtbVJS4Ayi4dG4mFQS+CcpfllQNFquXcoucoJzgr1wfnwOy16T4OSbZw
VjFg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=lz68HAfW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
f71-20020a636a4a000000b004541962a9basi29956028pgc.701.2022.10.23.09.42.34;
Sun, 23 Oct 2022 09:42:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=lz68HAfW;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230167AbiJWQke (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
Sun, 23 Oct 2022 12:40:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43268 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229956AbiJWQkc (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 23 Oct 2022 12:40:32 -0400
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com
[IPv6:2607:f8b0:4864:20::62d])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7AA7D5FC0E;
Sun, 23 Oct 2022 09:40:31 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id f23so6603192plr.6;
Sun, 23 Oct 2022 09:40:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=EEMf11Sn3FVY4fOuES/7fY+Nkkl02+sUy0b7CrgdHj8=;
b=lz68HAfWMz/Hm+dWWSLVqa5c4QpYztULx5yhXHyFqbFCJc6K59PLIhw0jslwbMj/iO
Ssz8UMjCfS2ltlHzkFgO6TNwrshKqSSEuvi1k+1NyMXZx9gaT5sdlsgRgWUgXo4Jno6L
VmKnIlHjqhW2wfpyzIlY4nmSbEt9F+c06ZY7BhE4HtN73rQdIgwqwPH1ekrKJpXpefGQ
J3fkfbjPAcHQqeGO/6yHZGnEMHfhdVs3h7E57rU8CtUAVzOYomiPDg7vyeR7bzA57SDM
WMfchOnSe1jEtRj37tKs8vS7tqHZH9s2snvchl0+l2+ysOtMHJ2ad4GJ+6Ore5a3F4Kr
BMjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=EEMf11Sn3FVY4fOuES/7fY+Nkkl02+sUy0b7CrgdHj8=;
b=L96+5EYQEAZ3vydM2wO7GhrfFCYTMgDckirL/wmAGS4zDkoONj5JDi5fN17i6f72ZL
xoIpexGI2ityFunyaigWLwWEfXmYo7ZXsWaLJKP6F0gEBOq4/NA8Yv+eGVneXJE/LZf0
WckJJCuvdpDc4dJKaxat6BzMoJ5jjbg/rcRc7CImD1kaijZD38KstZWGeoT0D62kt9qm
i9EjFEpuorwloKiTpkjV/odm/Stf2Cm/JNBMD/aLlAvpUD1rM0aXHI1vNB+pxE0WNPju
sJmkZ7+p/gqFE4+il8f5jFnxbmrHsq63Hm2xbmaXTXs8WNojMbO8roAkKyIapX9pOnXC
iq2Q==
X-Gm-Message-State: ACrzQf3PH3jzkxOoiV7QnwKBcsqEJ8WhqFDMqvORNN6yLlOHDOVWeOoh
8oYYYvbRQN8lFn3PysCmPyI=
X-Received: by 2002:a17:902:c1c6:b0:186:994f:6e57 with SMTP id
c6-20020a170902c1c600b00186994f6e57mr5190100plc.17.1666543230975;
Sun, 23 Oct 2022 09:40:30 -0700 (PDT)
Received: from localhost ([223.104.41.250])
by smtp.gmail.com with ESMTPSA id
i7-20020a1709026ac700b00172fad607b3sm18118264plt.207.2022.10.23.09.40.29
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 23 Oct 2022 09:40:30 -0700 (PDT)
From: Hawkins Jiawei <yin31149@gmail.com>
To: yin31149@gmail.com
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: [PATCH -next 0/5] fs: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:41 +0800
Message-Id: <20221023163945.39920-1-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,
FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747497376778530691?=
X-GMAIL-MSGID: =?utf-8?q?1747497376778530691?=
|
| Series |
fs: fix possible null-ptr-deref when parsing param
|
|
Message
Hawkins Jiawei
Oct. 23, 2022, 4:39 p.m. UTC
According to commit "vfs: parse: deal with zero length string value", kernel will set the param->string to null pointer in vfs_parse_fs_string() if fs string has zero length. Yet the problem is that, when fs parses its mount parameters, it will dereferences the param->string, without checking whether it is a null pointer, which may trigger a null-ptr-deref bug. So this patchset reviews all functions for fs to parse parameters, by using `git grep -n "\.parse_param" fs/*`, and adds sanity check on param->string if its function will dereference param->string without check. Hawkins Jiawei (5): smb3: fix possible null-ptr-deref when parsing param nfs: fix possible null-ptr-deref when parsing param ceph: fix possible null-ptr-deref when parsing param gfs2: fix possible null-ptr-deref when parsing param proc: fix possible null-ptr-deref when parsing param fs/ceph/super.c | 3 +++ fs/cifs/fs_context.c | 58 +++++++++++++++++++++++++++++++++++++++++++- fs/gfs2/ops_fstype.c | 10 ++++++++ fs/nfs/fs_context.c | 6 +++++ fs/proc/root.c | 3 +++ 5 files changed, 79 insertions(+), 1 deletion(-)
Comments
On Mon, Oct 24, 2022 at 12:39:41AM +0800, Hawkins Jiawei wrote: > According to commit "vfs: parse: deal with zero length string value", > kernel will set the param->string to null pointer in vfs_parse_fs_string() > if fs string has zero length. > > Yet the problem is that, when fs parses its mount parameters, it will > dereferences the param->string, without checking whether it is a > null pointer, which may trigger a null-ptr-deref bug. > > So this patchset reviews all functions for fs to parse parameters, > by using `git grep -n "\.parse_param" fs/*`, and adds sanity check > on param->string if its function will dereference param->string > without check. How about reverting the commit in question instead? Or dropping it from patch series, depending upon the way akpm handles the pile these days...
On Mon, 24 Oct 2022 at 00:48, Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Mon, Oct 24, 2022 at 12:39:41AM +0800, Hawkins Jiawei wrote: > > According to commit "vfs: parse: deal with zero length string value", > > kernel will set the param->string to null pointer in vfs_parse_fs_string() > > if fs string has zero length. > > > > Yet the problem is that, when fs parses its mount parameters, it will > > dereferences the param->string, without checking whether it is a > > null pointer, which may trigger a null-ptr-deref bug. > > > > So this patchset reviews all functions for fs to parse parameters, > > by using `git grep -n "\.parse_param" fs/*`, and adds sanity check > > on param->string if its function will dereference param->string > > without check. > > How about reverting the commit in question instead? Or dropping it > from patch series, depending upon the way akpm handles the pile > these days... I think both are OK. On one hand, commit "vfs: parse: deal with zero length string value" seems just want to make output more informattive, which probably is not the one which must be applied immediately to fix the panic. On the other hand, commit "vfs: parse: deal with zero length string value" affects so many file systems, so there are probably some deeper null-ptr-deref bugs I ignore, which may take time to review.
On 24/10/22 08:42, Hawkins Jiawei wrote: > On Mon, 24 Oct 2022 at 00:48, Al Viro <viro@zeniv.linux.org.uk> wrote: >> On Mon, Oct 24, 2022 at 12:39:41AM +0800, Hawkins Jiawei wrote: >>> According to commit "vfs: parse: deal with zero length string value", >>> kernel will set the param->string to null pointer in vfs_parse_fs_string() >>> if fs string has zero length. >>> >>> Yet the problem is that, when fs parses its mount parameters, it will >>> dereferences the param->string, without checking whether it is a >>> null pointer, which may trigger a null-ptr-deref bug. >>> >>> So this patchset reviews all functions for fs to parse parameters, >>> by using `git grep -n "\.parse_param" fs/*`, and adds sanity check >>> on param->string if its function will dereference param->string >>> without check. >> How about reverting the commit in question instead? Or dropping it >> from patch series, depending upon the way akpm handles the pile >> these days... > I think both are OK. > > On one hand, commit "vfs: parse: deal with zero length string value" > seems just want to make output more informattive, which probably is not > the one which must be applied immediately to fix the > panic. > > On the other hand, commit "vfs: parse: deal with zero length string value" > affects so many file systems, so there are probably some deeper > null-ptr-deref bugs I ignore, which may take time to review. Yeah, it would be good to make the file system handling consistent but I think there's been a bit too much breakage and it appears not everyone thinks the approach is the right way to do it. I'm thinking of abandoning this and restricting it to the "source" parameter only to solve the user space mount table parser problem but still doing it in the mount context code to keep it general (at least for this case). Ian
On 2022/10/24 12:34, Ian Kent wrote: > > On 24/10/22 08:42, Hawkins Jiawei wrote: >> On Mon, 24 Oct 2022 at 00:48, Al Viro <viro@zeniv.linux.org.uk> wrote: >>> On Mon, Oct 24, 2022 at 12:39:41AM +0800, Hawkins Jiawei wrote: >>>> According to commit "vfs: parse: deal with zero length string value", >>>> kernel will set the param->string to null pointer in vfs_parse_fs_string() >>>> if fs string has zero length. >>>> >>>> Yet the problem is that, when fs parses its mount parameters, it will >>>> dereferences the param->string, without checking whether it is a >>>> null pointer, which may trigger a null-ptr-deref bug. >>>> >>>> So this patchset reviews all functions for fs to parse parameters, >>>> by using `git grep -n "\.parse_param" fs/*`, and adds sanity check >>>> on param->string if its function will dereference param->string >>>> without check. >>> How about reverting the commit in question instead? Or dropping it >>> from patch series, depending upon the way akpm handles the pile >>> these days... >> I think both are OK. >> >> On one hand, commit "vfs: parse: deal with zero length string value" >> seems just want to make output more informattive, which probably is not >> the one which must be applied immediately to fix the >> panic. >> >> On the other hand, commit "vfs: parse: deal with zero length string value" >> affects so many file systems, so there are probably some deeper >> null-ptr-deref bugs I ignore, which may take time to review. > > Yeah, it would be good to make the file system handling consistent > but I think there's been a bit too much breakage and it appears not > everyone thinks the approach is the right way to do it. > > I'm thinking of abandoning this and restricting it to the "source" > parameter only to solve the user space mount table parser problem but > still doing it in the mount context code to keep it general (at least > for this case). No progress on this problem, and syzbot is reporting one after the other... I think that reverting is the better choice.
On 31/10/22 19:28, Tetsuo Handa wrote: > On 2022/10/24 12:34, Ian Kent wrote: >> On 24/10/22 08:42, Hawkins Jiawei wrote: >>> On Mon, 24 Oct 2022 at 00:48, Al Viro <viro@zeniv.linux.org.uk> wrote: >>>> On Mon, Oct 24, 2022 at 12:39:41AM +0800, Hawkins Jiawei wrote: >>>>> According to commit "vfs: parse: deal with zero length string value", >>>>> kernel will set the param->string to null pointer in vfs_parse_fs_string() >>>>> if fs string has zero length. >>>>> >>>>> Yet the problem is that, when fs parses its mount parameters, it will >>>>> dereferences the param->string, without checking whether it is a >>>>> null pointer, which may trigger a null-ptr-deref bug. >>>>> >>>>> So this patchset reviews all functions for fs to parse parameters, >>>>> by using `git grep -n "\.parse_param" fs/*`, and adds sanity check >>>>> on param->string if its function will dereference param->string >>>>> without check. >>>> How about reverting the commit in question instead? Or dropping it >>>> from patch series, depending upon the way akpm handles the pile >>>> these days... >>> I think both are OK. >>> >>> On one hand, commit "vfs: parse: deal with zero length string value" >>> seems just want to make output more informattive, which probably is not >>> the one which must be applied immediately to fix the >>> panic. >>> >>> On the other hand, commit "vfs: parse: deal with zero length string value" >>> affects so many file systems, so there are probably some deeper >>> null-ptr-deref bugs I ignore, which may take time to review. >> Yeah, it would be good to make the file system handling consistent >> but I think there's been a bit too much breakage and it appears not >> everyone thinks the approach is the right way to do it. >> >> I'm thinking of abandoning this and restricting it to the "source" >> parameter only to solve the user space mount table parser problem but >> still doing it in the mount context code to keep it general (at least >> for this case). > No progress on this problem, and syzbot is reporting one after the other... > > I think that reverting is the better choice. Yes, I agree/ Ian