[syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug

Dave Chinner david at fromorbit.com
Wed Jul 17 03:22:16 UTC 2024


On Sun, Jul 14, 2024 at 03:51:17PM -0400, Kent Overstreet wrote:
> cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and
> xfs verify and fsck are structured similararly at a very high level -
> I'd like to get their input.
> 
> On Sun, Jul 14, 2024 at 09:34:01PM GMT, Mickaël Salaün wrote:
> > On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote:
> > > On Thu, Jul 11, 2024 at 5:53 PM syzbot
> > > <syzbot+34b68f850391452207df at syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit:    8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
> > > > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
> > > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > userspace arch: arm64
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
> > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+34b68f850391452207df at syzkaller.appspotmail.com
> > > >
> > > > bcachefs (loop0): resume_logged_ops... done
> > > > bcachefs (loop0): delete_dead_inodes... done
> > > > bcachefs (loop0): done starting filesystem
> > > > ------------[ cut here ]------------
> > > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> > > 
> > > I'll let Mickaël answer this for certain, but based on a quick look it
> > > appears that the fs object being moved has a umode_t that Landlock is
> > > not setup to handle?
> > 
> > syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e.
> > a weird file).
> > 
> > Kend, Brian, you'll find the incorrect filesystem with syzbot's report.
> > Could you please investigate the issue?
> > 
> > Here is the content of the file system:
> > # losetup --find --show mount_0
> > /dev/loop0
> > # mount /dev/loop0 /mnt/
> > # ls -la /mnt/
> > ls: cannot access '/mnt/file2': No such file or directory
> > ls: cannot access '/mnt/file3': No such file or directory
> > total 24
> > drwxr-xr-x 4 root root   0 May  2 20:21 .
> > drwxr-xr-x 1 root root 130 Oct 31  2023 ..
> > drwxr-xr-x 2 root root   0 May  2 20:21 file0
> > ?rwxr-xr-x 1 root root  10 May  2 20:21 file1
   ^^^

That's an unknown file type. (i.e. i_mode & S_IFMT is invalid)

> > -????????? ? ?    ?      ?            ? file2
> > -????????? ? ?    ?      ?            ? file3
> > -rwxr-xr-x 1 root root 100 May  2 20:21 file.cold
> > drwx------ 2 root root   0 May  2 20:21 lost+found
> > # stat /mnt/file1
> >   File: /mnt/file1
> >   Size: 10              Blocks: 8          IO Block: 4096   weird file
> > Device: 7,0     Inode: 1073741824  Links: 1
> > Access: (0755/?rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> > Access: 2024-05-02 20:21:07.747039697 +0000
> > Modify: 2024-05-02 20:21:07.747039697 +0000
> > Change: 2024-05-02 20:21:07.747039697 +0000
> >  Birth: 2024-05-02 20:21:07.747039697 +0000
> 
> Ok, this is an interesting one.
> 
> So we don't seem to be checking for invwalid i_mode at all - that's a bug.

XFS verifies part of the S_IFMT part of the mode when it is read
from disk.  xfs_dinode_verify() does:

	mode = be16_to_cpu(dip->di_mode);
        if (mode && xfs_mode_to_ftype(mode) == XFS_DIR3_FT_UNKNOWN)
                return __this_address;

So if the type of the inode is not a valid XFS inode type, the whole
inode will get rejected as corrupt. i.e. the same issue on XFS
would return a corruption error for file1, not just file2 and file3.

> But if we don't want to be exposing invalid i_modes at all, that's
> tricky, since we (currently) can only repair when running fsck. "This is
> invalid and we never want to expose this" checks are done in bkey
> .invalid methods, and those can only cause the key to be deleted - we
> can't run complex repair in e.g. btree node read, and that's what would
> be required here (e.g. checking the extents and dirents btrees to guess
> if this should be a regular file or a directory).

Xfs online repair looks up the parent directory dirent for the inode
and grabs the ftype from the dirent to reset the mode....

> I wasn't planning on doing that for awhile, because I'm waiting on
> getting comprehensive filesystem error injection merged so we can make
> sure those repair paths are all well tested before running them
> automatically like that, but if this is a security issue perhaps as a
> special case we should do that now.
> 
> Thoughts?

Detect the bad mode on read, flag it as corruption and then the file
is inaccessible to users. Then you can take you time getting the
repair side of things right.

-Dave.
-- 
Dave Chinner
david at fromorbit.com



More information about the Linux-security-module-archive mailing list