From: "Theodore Ts'o" <tytso@mit.edu>
To: Jan Kara <jack@suse.cz>
Cc: Ext4 Developers List <linux-ext4@vger.kernel.org>,
syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Subject: Re: [PATCH 2/2] ext4: remove a BUG_ON in ext4_mb_release_group_pa()
Date: Mon, 8 May 2023 16:35:15 -0400 [thread overview]
Message-ID: <ZFldA72PlRBDOrRD@mit.edu> (raw)
In-Reply-To: <20230507182833.ma7fugevh7imz2tj@quack3>
On Sun, May 07, 2023 at 08:28:33PM +0200, Jan Kara wrote:
> OK, looks good to me. But frankly there are many other interesting ways how
> bogus group numbers output when this happens can return is fun stuff - e.g.
> ext4_group_first_block_no() is going to return invalid blocks etc. So it
> feels a bit like endless whack-a-mole game. Anyway I agree the series seem
> to fix a big chunk of these sites so feel free to add:
The main thing I'm trying to avoid is a kernel crash or possible
out-of-bounds read or write, which could lead to a security
vulnerability. If a a bad block number being returned by. say,
ext4_group_first_block_no() "only" results in an I/O error when or
(further) corruption of the block device, that's not a problem as far
as I'm concerned. After all, if a malicious root access has
read/write access to the block device, they can corrupt the file
system *anyway*.
I wasn't able to find cases where a crazy return value from
ext4_group_first_block_no() which would cause a BUG or a buffer
overrun. If we (or syzbot) finds a case where this could happen, we
could copy s_es->s_first_data_block to sbi->s_first_data_block and
then validate it during the file system mount.
I also did a quick spot check what nastiness could be caused by
real-time frobbing of s_blocks_count s_inodes_count and couldn't find
anything there either. So it looks like s_first_data_block is the one
which is the most problematic.
Cheers,
- Ted
prev parent reply other threads:[~2023-05-08 20:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-30 15:43 [PATCH 0/2] ext4: fix syzbot report: kernel BUG in ext4_get_group_info Theodore Ts'o
2023-04-30 15:43 ` [PATCH 1/2] ext4: allow ext4_get_group_info() to fail Theodore Ts'o
2023-05-07 18:18 ` Jan Kara
2023-05-10 0:22 ` Theodore Ts'o
2023-04-30 15:43 ` [PATCH 2/2] ext4: remove a BUG_ON in ext4_mb_release_group_pa() Theodore Ts'o
2023-05-07 18:28 ` Jan Kara
2023-05-08 20:35 ` Theodore Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFldA72PlRBDOrRD@mit.edu \
--to=tytso@mit.edu \
--cc=jack@suse.cz \
--cc=linux-ext4@vger.kernel.org \
--cc=syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.