[PATCH (REPOST)] hpfs: make check=none mount option excludable
0 views
Skip to first unread message
Tetsuo Handa
5:09 AM (9 hours ago) 5:09 AM
to Mikulas Patocka, linux-fsdevel, syzkaller, Viacheslav Sablin, Dmitry Vyukov, Aleksandr Nogikh, Linus Torvalds, Jan Kara, Sasha Levin, Christian Brauner, vi...@zeniv.linux.org.uk
syzbot is reporting use-after-free read problem when a crafted HPFS image
was mounted with "check=none" option.
The "check=none" option is intended for only users who want maximum speed
and use the filesystem only on trusted input. But fuzzers are for using
the filesystem on untrusted input.
Mikulas Patocka (the HPFS maintainer) thinks that there is no need to add
some middle ground where "check=none" would check some structures and won't
check others. Therefore, to make sure that fuzzers and careful users do not
by error specify "check=none" at runtime, make "check=none" being
excludable at build time.
Reported-by: syzbot+fa88eb...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
Link: https://lkml.kernel.org/r/9ca81125-1c7b-ddaf...@redhat.com
Tested-by: syzbot+fa88eb...@syzkaller.appspotmail.com
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
Mikulas wants fuzz testing systems not to specify "check=none" option. But it is
too difficult to enforce that. It is possible that an unexpected input hides
"hpfs: You really don't want any checks? You are crazy..." message due to changing
loglevel, and after that the kernel may hit this problem (i.e. we will be needlessly
bothered by stupid inputs).
Honestly speaking, the code that runs in the kernel space needs to be as careful as
possible, for any memory access error in the kernel space can result in serious result.
We are fixing various input validations for all (but HPFS) filesystems. It is strange
that HPFS is exempted from this rule. I expect that "check=none" behavior (if someone
wants such behavior) should be emulated in the user space using FUSE filesystem.
fs/hpfs/Kconfig | 11 +++++++++++
fs/hpfs/super.c | 2 ++
2 files changed, 13 insertions(+)
diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
index ac1e9318e65a..d3dfbe76be8a 100644
--- a/fs/hpfs/Kconfig
+++ b/fs/hpfs/Kconfig
@@ -15,3 +15,14 @@ config HPFS_FS
To compile this file system support as a module, choose M here: the
module will be called hpfs. If unsure, say N.
+
+config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
+ bool "Allow no-error-check mode for maximum speed"
+ depends on HPFS_FS
+ default n
+ help
+ This option enables check=none mount option. If check=none is
+ specified, users can expect maximum speed at the cost of minimum
+ robustness. Sane users should not specify check=none option, for e.g.
+ use-after-free bug will happen when the filesystem is corrupted or
+ crafted.
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 8ab85e7ac91e..656b1ae01812 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
};
static const struct constant_table hpfs_param_check[] = {
+#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
{"none", 0},
+#endif
{"normal", 1},
{"strict", 2},
{}
--
2.47.3
was mounted with "check=none" option.
The "check=none" option is intended for only users who want maximum speed
and use the filesystem only on trusted input. But fuzzers are for using
the filesystem on untrusted input.
Mikulas Patocka (the HPFS maintainer) thinks that there is no need to add
some middle ground where "check=none" would check some structures and won't
check others. Therefore, to make sure that fuzzers and careful users do not
by error specify "check=none" at runtime, make "check=none" being
excludable at build time.
Reported-by: syzbot+fa88eb...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa88eb476e42878f2844
Link: https://lkml.kernel.org/r/9ca81125-1c7b-ddaf...@redhat.com
Tested-by: syzbot+fa88eb...@syzkaller.appspotmail.com
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
Mikulas wants fuzz testing systems not to specify "check=none" option. But it is
too difficult to enforce that. It is possible that an unexpected input hides
"hpfs: You really don't want any checks? You are crazy..." message due to changing
loglevel, and after that the kernel may hit this problem (i.e. we will be needlessly
bothered by stupid inputs).
Honestly speaking, the code that runs in the kernel space needs to be as careful as
possible, for any memory access error in the kernel space can result in serious result.
We are fixing various input validations for all (but HPFS) filesystems. It is strange
that HPFS is exempted from this rule. I expect that "check=none" behavior (if someone
wants such behavior) should be emulated in the user space using FUSE filesystem.
fs/hpfs/Kconfig | 11 +++++++++++
fs/hpfs/super.c | 2 ++
2 files changed, 13 insertions(+)
diff --git a/fs/hpfs/Kconfig b/fs/hpfs/Kconfig
index ac1e9318e65a..d3dfbe76be8a 100644
--- a/fs/hpfs/Kconfig
+++ b/fs/hpfs/Kconfig
@@ -15,3 +15,14 @@ config HPFS_FS
To compile this file system support as a module, choose M here: the
module will be called hpfs. If unsure, say N.
+
+config HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
+ bool "Allow no-error-check mode for maximum speed"
+ depends on HPFS_FS
+ default n
+ help
+ This option enables check=none mount option. If check=none is
+ specified, users can expect maximum speed at the cost of minimum
+ robustness. Sane users should not specify check=none option, for e.g.
+ use-after-free bug will happen when the filesystem is corrupted or
+ crafted.
diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index 8ab85e7ac91e..656b1ae01812 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -285,7 +285,9 @@ static const struct constant_table hpfs_param_case[] = {
};
static const struct constant_table hpfs_param_check[] = {
+#ifdef CONFIG_HPFS_FS_ALLOW_NO_ERROR_CHECK_MODE
{"none", 0},
+#endif
{"normal", 1},
{"strict", 2},
{}
--
2.47.3
Reply all
Reply to author
Forward
0 new messages