| Message ID | tencent_44CA0665C9836EF9EEC80CB9E7E206DF5206@qq.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:24d3:b0:fb:cd0c:d3e with SMTP id r19csp1840378dyi;
Tue, 19 Dec 2023 02:25:58 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHI2rIBSLPIIyUHhxZQi7YINh7HtGnQMP55z4hNPMRVXR0JRzfJTnjUghdWz+0AduqpNuu3
X-Received: by 2002:a0d:c2c3:0:b0:5d7:1940:7d81 with SMTP id
e186-20020a0dc2c3000000b005d719407d81mr12954061ywd.88.1702981557819;
Tue, 19 Dec 2023 02:25:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702981557; cv=none;
d=google.com; s=arc-20160816;
b=u+EUFqi0j4j+3MU6OENrPFIUMpdymwjuJW7xV0ToXZLrrzPS1ehCm1IAs6Hyo23mfo
wcocP79Q+wK1GPOAHcepoaSx/vtNuVqX7PhUSDUQRvjU7qo/eCQTun5ocNkSFrtBkocP
J+qc1bsoupICtCknbe9p4rfN4LaHm28tOjlXxzSkzn5yxuo1jwYbtqbU2u2lPFoKeBwM
5xVWYTJE9qnJWlf8Zvvsxw12+1E6DHBngtMtXwPDmMcBkZlFrmcKvXbsRY3EVnjO2v80
gmGluEwgRmMTVy4WAC57r/Gaj0HQCZWVYFTj7YHEKMAXiGXw/Wkyuf94rVLhk+caV6La
O+/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:date
:subject:cc:to:from:message-id:dkim-signature;
bh=atxKJG/+oOQOf1n8hjqc88GOaBMrWZfLPQjGsiRwgSg=;
fh=rPWD1e3rrrhFO4NVO9AWAltp91nNgIO9D0hKHK1lfwY=;
b=LHXnSKpDErPu1FjHPaubzxuaFhhar5lUnY3cg6CcGsYkXdMZ/wVbq5H+ARXpEMdsuw
5XrSVElm5sV7RryFeAJylcgHKUKDdf/AqOBTWoWgVgjy0rcOj7IFbnQT3qq12VCm5etE
2JuRhwvgEGXsZ1o7f40o2Ni57dvHJRYI2HY1fjurxCuz9VKBudCoA6jGzqMvddnLE4Uv
f6CqFTWeorvDZ1XF1w/l4+q+LPdfypdMXWvPvFspC4qWmhyxwz0y+aRQ9LnE02glAi6Q
0BXCiI9hMn7qR7tO2ey1Mdyv7LGGo4UFbNXz/NkWglNRgq/aTFPoAiVnLWDHSs/szBJ3
HeUQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@qq.com header.s=s201512 header.b=AlEoq3cC;
spf=pass (google.com: domain of
linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
p8-20020a05622a00c800b004277f654077si75525qtw.132.2023.12.19.02.25.57
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 19 Dec 2023 02:25:57 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@qq.com header.s=s201512 header.b=AlEoq3cC;
spf=pass (google.com: domain of
linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-5014-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id 99BDD1C22618
for <ouuuleilei@gmail.com>; Tue, 19 Dec 2023 10:25:57 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 0C219156D2;
Tue, 19 Dec 2023 10:25:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="AlEoq3cC"
X-Original-To: linux-kernel@vger.kernel.org
Received: from out162-62-57-210.mail.qq.com (out162-62-57-210.mail.qq.com
[162.62.57.210])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F8C114F77;
Tue, 19 Dec 2023 10:25:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=quarantine dis=none) header.from=qq.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=qq.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
t=1702981518; bh=atxKJG/+oOQOf1n8hjqc88GOaBMrWZfLPQjGsiRwgSg=;
h=From:To:Cc:Subject:Date:In-Reply-To:References;
b=AlEoq3cCCXt+aNM2aKsmVzCLXrnDWDvS2w5VykAoffC/pxKn9K7Fk8n6FAoslwafe
5U6TcP7VOxdwAAw8a9l+ZXs4oxnymGK5YAULKTfJvldsEHggsjNAgZ4o7bzKafCGlP
kZIa6MFTzkyGDLdxtWjFyuZqYlRnZ1XX39TnbvcU=
Received: from pek-lxu-l1.wrs.com ([111.198.225.215])
by newxmesmtplogicsvrsza7-0.qq.com (NewEsmtp) with SMTP
id 4C98AAE1; Tue, 19 Dec 2023 18:19:09 +0800
X-QQ-mid: xmsmtpt1702981149t023sln67
Message-ID: <tencent_44CA0665C9836EF9EEC80CB9E7E206DF5206@qq.com>
X-QQ-XMAILINFO: N7h1OCCDntujEmdmqzMjwNHgjylki1TMvdz8WrMzVegcBdlk2NNeYBWMItDqSi
pp9rTBFNHYT6tR2W0IPBna9Z8CWlTDm2+VRenPQ7rOxHgrHXtS+ZLpoc2/Ep380ZQ2G6Kbtxm3VA
TggA7n/2eJmTsl+TtpqqCTDmKmMkthyo0pFL+dj8Pt28b+LU+qhfB8t0SJnt6TIfskKMZnn7jX+E
GCOXEarhSulPZKeyvH906JSoS33bTR9Cvem9wnSmvfJcMAW/kWjKdcUDnkVJKv0Zq+ruKil5qfT3
qirf6QVUXnxKjyaDiigd9dIJ8bUFCigVWb92IVRypkUwQ+7IyBytDA098Pyukq2WhDoTMByMdksO
nOJa4ZwMaMn9CLu+GmTIhhTXgVSmojO3JqX3otQ+lEUjB8KXG7CU5A6zOCmTa8W1h3It04mpk3kg
uHWKeUueuVNqzDyqiv8FNjFE78xN8Dij4w3Weva/5TvvIWiMq1kqq8ZJm0rUtu5N+EPR4EIV35gY
7vorusd1idyYrntPqZtHYZVbMdF/DdEqv4oP0LSwCaLBvw61mKOigvB20gIbIN/m2I8iBqXnFPfd
RhoR7tj7p0pvDZrH1FsOVzkQhRxzxYtM72aT58IqhllRUCk+TgRukgsPNXYqUntwC7NFv+xjKBoh
gO+hWARINeGkrzG1Dflr2ueVyUxN9RAJnnSZVBKSAu9jgnv43Z05dTjmdRYlheNEsvfcZaCDVsof
1p4I3OSvcNPfTFeQHvVYfRjfX1yJ0zXrC5UKJYQip3sa2ZTCEG3MoSbp1lncHuajzQ+oCFToghLO
jai+zsOUQtgX2SRo8r+Rv6/JKpUV6FqUjhQBzZeAdX3m3sHsat6OEhRB3p+hXQ7TTtT/gES7W64n
4G5+U8IdqeEAALVyMoRHjPeK3HzX3QEhOb8MeIJyCjyjJQr9AK10YKRCmdO2IE+ujIrvAZg4Rp3c
A//KQWZGbxovH5miC0pA==
X-QQ-XMRINFO: M/715EihBoGSf6IYSX1iLFg=
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
Cc: clm@fb.com,
daniel@iogearbox.net,
dsterba@suse.com,
john.fastabend@gmail.com,
josef@toxicpanda.com,
linux-btrfs@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
liujian56@huawei.com,
syzkaller-bugs@googlegroups.com
Subject: [PATCH] btrfs: fix oob Read in getname_kernel
Date: Tue, 19 Dec 2023 18:19:10 +0800
X-OQ-MSGID: <20231219101909.2058476-2-eadavis@qq.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <000000000000d1a1d1060cc9c5e7@google.com>
References: <000000000000d1a1d1060cc9c5e7@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1785705590286159720
X-GMAIL-MSGID: 1785705590286159720
|
| Series |
btrfs: fix oob Read in getname_kernel
|
|
Commit Message
Edward Adam Davis
Dec. 19, 2023, 10:19 a.m. UTC
If ioctl does not pass in the correct tgtdev_name string, oob will occur because
"\0" cannot be found.
Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/btrfs/dev-replace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
On Tue, Dec 19, 2023 at 06:19:10PM +0800, Edward Adam Davis wrote: > If ioctl does not pass in the correct tgtdev_name string, oob will occur because > "\0" cannot be found. > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > fs/btrfs/dev-replace.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c > index f9544fda38e9..e7e96e57f682 100644 > --- a/fs/btrfs/dev-replace.c > +++ b/fs/btrfs/dev-replace.c > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, > int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > struct btrfs_ioctl_dev_replace_args *args) > { > - int ret; > + int ret, len; > > switch (args->start.cont_reading_from_srcdev_mode) { > case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > return -EINVAL; > } > > + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > - args->start.tgtdev_name[0] == '\0') > + args->start.tgtdev_name[0] == '\0' || > + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) I think srcdev_name would have to be checked the same way, but instead of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check for 0 in [0] is probably pointless, it's just a shortcut for an empty buffer. We expect a valid 0-terminated string, which could be an invalid path but that will be found out later when opening the block device.
On Wed, Jan 10, 2024 at 04:55:46PM +0100, David Sterba wrote: > On Tue, Dec 19, 2023 at 06:19:10PM +0800, Edward Adam Davis wrote: > > If ioctl does not pass in the correct tgtdev_name string, oob will occur because > > "\0" cannot be found. > > > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > --- > > fs/btrfs/dev-replace.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c > > index f9544fda38e9..e7e96e57f682 100644 > > --- a/fs/btrfs/dev-replace.c > > +++ b/fs/btrfs/dev-replace.c > > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, > > int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > struct btrfs_ioctl_dev_replace_args *args) > > { > > - int ret; > > + int ret, len; > > > > switch (args->start.cont_reading_from_srcdev_mode) { > > case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: > > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > return -EINVAL; > > } > > > > + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > - args->start.tgtdev_name[0] == '\0') > > + args->start.tgtdev_name[0] == '\0' || > > + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) > > I think srcdev_name would have to be checked the same way, but instead > of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check > for 0 in [0] is probably pointless, it's just a shortcut for an empty > buffer. We expect a valid 0-terminated string, which could be an invalid > path but that will be found out later when opening the block device. Please let me know if you're going to send an updated fix. I'd like to get this fixed to close the syzbot report but also want to give you the credit for debugging and fix. The preferred fix is something like that: --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c @@ -741,6 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || args->start.tgtdev_name[0] == '\0') return -EINVAL; + args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0; + args->start.tgtdev_name[BTRFS_PATH_NAME_MAX] = 0; ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name, args->start.srcdevid,
On Mon, 15 Jan 2024 20:08:25 +0100, David Sterba wrote: > > > If ioctl does not pass in the correct tgtdev_name string, oob will occur because > > > "\0" cannot be found. > > > > > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > --- > > > fs/btrfs/dev-replace.c | 6 ++++-- > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c > > > index f9544fda38e9..e7e96e57f682 100644 > > > --- a/fs/btrfs/dev-replace.c > > > +++ b/fs/btrfs/dev-replace.c > > > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, > > > int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > struct btrfs_ioctl_dev_replace_args *args) > > > { > > > - int ret; > > > + int ret, len; > > > > > > switch (args->start.cont_reading_from_srcdev_mode) { > > > case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: > > > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > return -EINVAL; > > > } > > > > > > + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); > > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > > - args->start.tgtdev_name[0] == '\0') > > > + args->start.tgtdev_name[0] == '\0' || > > > + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) > > > > I think srcdev_name would have to be checked the same way, but instead > > of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check > > for 0 in [0] is probably pointless, it's just a shortcut for an empty > > buffer. We expect a valid 0-terminated string, which could be an invalid > > path but that will be found out later when opening the block device. > > Please let me know if you're going to send an updated fix. I'd like to > get this fixed to close the syzbot report but also want to give you the > credit for debugging and fix. > > The preferred fix is something like that: > > --- a/fs/btrfs/dev-replace.c > +++ b/fs/btrfs/dev-replace.c > @@ -741,6 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > args->start.tgtdev_name[0] == '\0') > return -EINVAL; > + args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0; > + args->start.tgtdev_name[BTRFS_PATH_NAME_MAX] = 0; This is not correct, 1. The maximum length of tgtdev_name is BTRFS_DEVICE_PATH_NAME_MAX + 1 2. strnlen should be used to confirm the presence of \0 in tgtdev_name 3. Input values should not be subjectively updated 4. The current issue only involves tgtdev_name > > ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name, > args->start.srcdevid,
On Tue, Jan 16, 2024 at 09:09:47AM +0800, Edward Adam Davis wrote: > On Mon, 15 Jan 2024 20:08:25 +0100, David Sterba wrote: > > > > If ioctl does not pass in the correct tgtdev_name string, oob will occur because > > > > "\0" cannot be found. > > > > > > > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com > > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > > --- > > > > fs/btrfs/dev-replace.c | 6 ++++-- > > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c > > > > index f9544fda38e9..e7e96e57f682 100644 > > > > --- a/fs/btrfs/dev-replace.c > > > > +++ b/fs/btrfs/dev-replace.c > > > > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, > > > > int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > > struct btrfs_ioctl_dev_replace_args *args) > > > > { > > > > - int ret; > > > > + int ret, len; > > > > > > > > switch (args->start.cont_reading_from_srcdev_mode) { > > > > case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: > > > > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > > return -EINVAL; > > > > } > > > > > > > > + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); > > > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > > > - args->start.tgtdev_name[0] == '\0') > > > > + args->start.tgtdev_name[0] == '\0' || > > > > + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) > > > > > > I think srcdev_name would have to be checked the same way, but instead > > > of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check > > > for 0 in [0] is probably pointless, it's just a shortcut for an empty > > > buffer. We expect a valid 0-terminated string, which could be an invalid > > > path but that will be found out later when opening the block device. > > > > Please let me know if you're going to send an updated fix. I'd like to > > get this fixed to close the syzbot report but also want to give you the > > credit for debugging and fix. > > > > The preferred fix is something like that: > > > > --- a/fs/btrfs/dev-replace.c > > +++ b/fs/btrfs/dev-replace.c > > @@ -741,6 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > args->start.tgtdev_name[0] == '\0') > > return -EINVAL; > > + args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0; > > + args->start.tgtdev_name[BTRFS_PATH_NAME_MAX] = 0; > This is not correct, > 1. The maximum length of tgtdev_name is BTRFS_DEVICE_PATH_NAME_MAX + 1 Yes, so if the array size is N + 1 then writing to offset N is valid. It's a bit confusing that the paths using BTRFS_PATH_NAME_MAX are +1 bigger so it's not folling the patterns using N as the limit. > 2. strnlen should be used to confirm the presence of \0 in tgtdev_name Yes, this would work, with the slight difference that memchr looks for the 0 character regardless of any other, while strnlen also looks for any intermediate 0. memchr is an optimization, for input parameter validation it does not matter. > 3. Input values should not be subjectively updated Yeah, this is indeed subjective, I propsed that because we already do that for subvolume ioctls. This probably would never show up in practice, the paths are not that long and even if the real linux limit is PATH_MAX (4096) and BTRFS_PATH_NAME_MAX was originally set to a lower value it's still enough for everybody. From practiacal perspective I don't see any difference between overwriting the last place of NUL or checking it by strnlen/memchr. > 4. The current issue only involves tgtdev_name Right, that needs to be fixed. With bugs like that it's always good to look around for similar cases or audit everything of similar pattern, here it's an ioctl taking a user-specified path. If the target path is fixed, we need the source path fixed too. It can be a separate patch, no problem.
On Tue, Jan 16, 2024 at 09:09:47AM +0800, Edward Adam Davis wrote: > On Mon, 15 Jan 2024 20:08:25 +0100, David Sterba wrote: > > > > If ioctl does not pass in the correct tgtdev_name string, oob will occur because > > > > "\0" cannot be found. > > > > > > > > Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com > > > > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > > > > --- > > > > fs/btrfs/dev-replace.c | 6 ++++-- > > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c > > > > index f9544fda38e9..e7e96e57f682 100644 > > > > --- a/fs/btrfs/dev-replace.c > > > > +++ b/fs/btrfs/dev-replace.c > > > > @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, > > > > int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > > struct btrfs_ioctl_dev_replace_args *args) > > > > { > > > > - int ret; > > > > + int ret, len; > > > > > > > > switch (args->start.cont_reading_from_srcdev_mode) { > > > > case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: > > > > @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > > > return -EINVAL; > > > > } > > > > > > > > + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); > > > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > > > - args->start.tgtdev_name[0] == '\0') > > > > + args->start.tgtdev_name[0] == '\0' || > > > > + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) > > > > > > I think srcdev_name would have to be checked the same way, but instead > > > of strnlen I'd do memchr(name, 0, BTRFS_DEVICE_PATH_NAME_MAX). The check > > > for 0 in [0] is probably pointless, it's just a shortcut for an empty > > > buffer. We expect a valid 0-terminated string, which could be an invalid > > > path but that will be found out later when opening the block device. > > > > Please let me know if you're going to send an updated fix. I'd like to > > get this fixed to close the syzbot report but also want to give you the > > credit for debugging and fix. > > > > The preferred fix is something like that: > > > > --- a/fs/btrfs/dev-replace.c > > +++ b/fs/btrfs/dev-replace.c > > @@ -741,6 +741,8 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, > > if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || > > args->start.tgtdev_name[0] == '\0') > > return -EINVAL; > > + args->start.srcdev_name[BTRFS_PATH_NAME_MAX] = 0; > > + args->start.tgtdev_name[BTRFS_PATH_NAME_MAX] = 0; > This is not correct, > 1. The maximum length of tgtdev_name is BTRFS_DEVICE_PATH_NAME_MAX + 1 > 2. strnlen should be used to confirm the presence of \0 in tgtdev_name > 3. Input values should not be subjectively updated Regarding that point I agree it's not the best handling and could be confusing. There are multiple instances of that in the ioctl callbacks so the proper fix is to add a helper doing the validity check (either strnlen or memchr) and then use it. The pattern to look for is "vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';" in ioctl.c (at least). Let me know if you'd want to implement that.
diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index f9544fda38e9..e7e96e57f682 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c @@ -730,7 +730,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, struct btrfs_ioctl_dev_replace_args *args) { - int ret; + int ret, len; switch (args->start.cont_reading_from_srcdev_mode) { case BTRFS_IOCTL_DEV_REPLACE_CONT_READING_FROM_SRCDEV_MODE_ALWAYS: @@ -740,8 +740,10 @@ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info, return -EINVAL; } + len = strnlen(args->start.tgtdev_name, BTRFS_DEVICE_PATH_NAME_MAX + 1); if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') || - args->start.tgtdev_name[0] == '\0') + args->start.tgtdev_name[0] == '\0' || + len == BTRFS_DEVICE_PATH_NAME_MAX + 1) return -EINVAL; ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name,