[syzbot] [lsm?] WARNING in current_check_refer_path
13 views
Skip to first unread message
syzbot
Jul 11, 2024, 5:53:24 PMJul 11
to gno...@google.com, jmo...@namei.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, m...@digikod.net, pa...@paul-moore.com, se...@hallyn.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34b68f...@syzkaller.appspotmail.com
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): done starting filesystem
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
Modules linked in:
CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
lr : get_mode_access security/landlock/fs.c:953 [inline]
lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132
sp : ffff80009bb47840
x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001
x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14
x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8
x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0
x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004
x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000
Call trace:
current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416
security_path_rename+0x154/0x1f0 security/security.c:1918
do_renameat2+0x724/0xe40 fs/namei.c:5031
__do_sys_renameat2 fs/namei.c:5078 [inline]
__se_sys_renameat2 fs/namei.c:5075 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 67226
hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+34b68f...@syzkaller.appspotmail.com
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): done starting filesystem
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
Modules linked in:
CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
lr : get_mode_access security/landlock/fs.c:953 [inline]
lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132
sp : ffff80009bb47840
x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001
x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14
x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8
x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0
x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004
x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000
x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020
x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000
Call trace:
current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416
security_path_rename+0x154/0x1f0 security/security.c:1918
do_renameat2+0x724/0xe40 fs/namei.c:5031
__do_sys_renameat2 fs/namei.c:5078 [inline]
__se_sys_renameat2 fs/namei.c:5075 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 67226
hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Paul Moore
Jul 12, 2024, 10:55:24 AMJul 12
to syzbot, gno...@google.com, jmo...@namei.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, m...@digikod.net, se...@hallyn.com, syzkall...@googlegroups.com
appears that the fs object being moved has a umode_t that Landlock is
not setup to handle?
Mickaël Salaün
Jul 14, 2024, 3:34:15 PM (13 days ago) Jul 14
to Paul Moore, Kent Overstreet, Brian Foster, linux-b...@vger.kernel.org, syzbot, gno...@google.com, jmo...@namei.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org
a weird file).
Kend, Brian, you'll find the incorrect filesystem with syzbot's report.
Could you please investigate the issue?
Here is the content of the file system:
# losetup --find --show mount_0
/dev/loop0
# mount /dev/loop0 /mnt/
# ls -la /mnt/
ls: cannot access '/mnt/file2': No such file or directory
ls: cannot access '/mnt/file3': No such file or directory
total 24
drwxr-xr-x 4 root root 0 May 2 20:21 .
drwxr-xr-x 1 root root 130 Oct 31 2023 ..
drwxr-xr-x 2 root root 0 May 2 20:21 file0
?rwxr-xr-x 1 root root 10 May 2 20:21 file1
-????????? ? ? ? ? ? file2
-????????? ? ? ? ? ? file3
-rwxr-xr-x 1 root root 100 May 2 20:21 file.cold
drwx------ 2 root root 0 May 2 20:21 lost+found
# stat /mnt/file1
File: /mnt/file1
Size: 10 Blocks: 8 IO Block: 4096 weird file
Device: 7,0 Inode: 1073741824 Links: 1
Access: (0755/?rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-05-02 20:21:07.747039697 +0000
Modify: 2024-05-02 20:21:07.747039697 +0000
Change: 2024-05-02 20:21:07.747039697 +0000
Birth: 2024-05-02 20:21:07.747039697 +0000
dmesg:
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=compression=lz4,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 7
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay... done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): dirent to missing inode:
bcachefs (loop0): delete_dead_inodes... done
u64s 7 type dirent 4096:5067489913167654073:U32_MAX len 0 ver 0: file2 -> 4098 type reg
bcachefs (loop0): inconsistency detected - emergency read only at journal seq 11
bcachefs (loop0): dirent to missing inode:
u64s 7 type dirent 4096:5868742249271439647:U32_MAX len 0 ver 0:
Kent Overstreet
Jul 14, 2024, 3:51:25 PM (13 days ago) Jul 14
to Mickaël Salaün, Paul Moore, Brian Foster, linux-b...@vger.kernel.org, syzbot, gno...@google.com, jmo...@namei.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org, linu...@vger.kernel.org
cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and
xfs verify and fsck are structured similararly at a very high level -
I'd like to get their input.
Ok, this is an interesting one.
So we don't seem to be checking for invwalid i_mode at all - that's a bug.
But if we don't want to be exposing invalid i_modes at all, that's
tricky, since we (currently) can only repair when running fsck. "This is
invalid and we never want to expose this" checks are done in bkey
.invalid methods, and those can only cause the key to be deleted - we
can't run complex repair in e.g. btree node read, and that's what would
be required here (e.g. checking the extents and dirents btrees to guess
if this should be a regular file or a directory).
Long term I plan on running our existing fsck checks (including repair)
in our normal runtime paths - whenever we're looking at one or more keys
and there's a fsck check we can run, just run it.
I wasn't planning on doing that for awhile, because I'm waiting on
getting comprehensive filesystem error injection merged so we can make
sure those repair paths are all well tested before running them
automatically like that, but if this is a security issue perhaps as a
special case we should do that now.
Thoughts?
xfs verify and fsck are structured similararly at a very high level -
I'd like to get their input.
So we don't seem to be checking for invwalid i_mode at all - that's a bug.
But if we don't want to be exposing invalid i_modes at all, that's
tricky, since we (currently) can only repair when running fsck. "This is
invalid and we never want to expose this" checks are done in bkey
.invalid methods, and those can only cause the key to be deleted - we
can't run complex repair in e.g. btree node read, and that's what would
be required here (e.g. checking the extents and dirents btrees to guess
if this should be a regular file or a directory).
Long term I plan on running our existing fsck checks (including repair)
in our normal runtime paths - whenever we're looking at one or more keys
and there's a fsck check we can run, just run it.
I wasn't planning on doing that for awhile, because I'm waiting on
getting comprehensive filesystem error injection merged so we can make
sure those repair paths are all well tested before running them
automatically like that, but if this is a security issue perhaps as a
special case we should do that now.
Thoughts?
Dave Chinner
Jul 16, 2024, 11:22:22 PM (10 days ago) Jul 16
to Kent Overstreet, Mickaël Salaün, Paul Moore, Brian Foster, linux-b...@vger.kernel.org, syzbot, gno...@google.com, jmo...@namei.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, se...@hallyn.com, syzkall...@googlegroups.com, linux-...@vger.kernel.org, linu...@vger.kernel.org
That's an unknown file type. (i.e. i_mode & S_IFMT is invalid)
> > -????????? ? ? ? ? ? file2
> > -????????? ? ? ? ? ? file3
> > -rwxr-xr-x 1 root root 100 May 2 20:21 file.cold
> > drwx------ 2 root root 0 May 2 20:21 lost+found
> > # stat /mnt/file1
> > File: /mnt/file1
> > Size: 10 Blocks: 8 IO Block: 4096 weird file
> > Device: 7,0 Inode: 1073741824 Links: 1
> > Access: (0755/?rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> > Access: 2024-05-02 20:21:07.747039697 +0000
> > Modify: 2024-05-02 20:21:07.747039697 +0000
> > Change: 2024-05-02 20:21:07.747039697 +0000
> > Birth: 2024-05-02 20:21:07.747039697 +0000
>
> Ok, this is an interesting one.
>
> So we don't seem to be checking for invwalid i_mode at all - that's a bug.
from disk. xfs_dinode_verify() does:
mode = be16_to_cpu(dip->di_mode);
if (mode && xfs_mode_to_ftype(mode) == XFS_DIR3_FT_UNKNOWN)
return __this_address;
So if the type of the inode is not a valid XFS inode type, the whole
inode will get rejected as corrupt. i.e. the same issue on XFS
would return a corruption error for file1, not just file2 and file3.
> But if we don't want to be exposing invalid i_modes at all, that's
> tricky, since we (currently) can only repair when running fsck. "This is
> invalid and we never want to expose this" checks are done in bkey
> .invalid methods, and those can only cause the key to be deleted - we
> can't run complex repair in e.g. btree node read, and that's what would
> be required here (e.g. checking the extents and dirents btrees to guess
> if this should be a regular file or a directory).
and grabs the ftype from the dirent to reset the mode....
> I wasn't planning on doing that for awhile, because I'm waiting on
> getting comprehensive filesystem error injection merged so we can make
> sure those repair paths are all well tested before running them
> automatically like that, but if this is a security issue perhaps as a
> special case we should do that now.
>
> Thoughts?
is inaccessible to users. Then you can take you time getting the
repair side of things right.
-Dave.
--
Dave Chinner
da...@fromorbit.com
Reply all
Reply to author
Forward
0 new messages