From: Gao Xiang <hsiangkao@linux.alibaba.com>
To: Sheng Yong <shengyong2021@gmail.com>,
xiang@kernel.org, chao@kernel.org, zbestahu@gmail.com,
jefflexu@linux.alibaba.com, lihongbo22@huawei.com,
dhavale@google.com
Cc: linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org,
Sheng Yong <shengyong1@xiaomi.com>
Subject: Re: [PATCH 2/2] erofs: avoid using multiple devices with different type
Date: Wed, 14 May 2025 19:51:59 +0800 [thread overview]
Message-ID: <a18463df-a63b-4bdd-af85-bd8435cb23e7@linux.alibaba.com> (raw)
In-Reply-To: <20250513113418.249798-2-shengyong1@xiaomi.com>
Hi Yong,
On 2025/5/13 19:34, Sheng Yong wrote:
> From: Sheng Yong <shengyong1@xiaomi.com>
>
> For multiple devices, both primary and extra devices should be the
> same type. `erofs_init_device` has already guaranteed that if the
> primary is a file-backed device, extra devices should also be
> regular files.
>
> However, if the primary is a block device while the extra device
> is a file-backed device, `erofs_init_device` will get an ENOTBLK,
> which is not treated as an error in `erofs_fc_get_tree`, and that
> leads to an UAF:
>
> erofs_fc_get_tree
> get_tree_bdev_flags(erofs_fc_fill_super)
> erofs_read_superblock
> erofs_init_device // sbi->dif0 is not inited yet,
> // return -ENOTBLK
> deactivate_locked_super
> free(sbi)
> if (err is -ENOTBLK)
> sbi->dif0.file = filp_open() // sbi UAF
>
> So if -ENOTBLK is hitted in `erofs_init_device`, it means the
> primary device must be a block device, and the extra device
> is not a block device. The error can be converted to -EINVAL.
Yeah, nice catch.
As Hongbo said, it'd be better to add "Fixes:" tag
in the next version.
>
> Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
> ---
> fs/erofs/super.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/erofs/super.c b/fs/erofs/super.c
> index 512877d7d855..16b5b1f66584 100644
> --- a/fs/erofs/super.c
> +++ b/fs/erofs/super.c
> @@ -165,8 +165,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
> filp_open(dif->path, O_RDONLY | O_LARGEFILE, 0) :
> bdev_file_open_by_path(dif->path,
> BLK_OPEN_READ, sb->s_type, NULL);
> - if (IS_ERR(file))
> + if (IS_ERR(file)) {
> + if (PTR_ERR(file) == -ENOTBLK)
It's preferred to use:
if (file == ERR_PTR(-ENOTBLK))
return -EINVAL;
Otherwise it looks good to me.
Could you submit it as a seperate patch so I
could apply directly?
Thanks,
Gao Xiang
next prev parent reply other threads:[~2025-05-14 11:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 11:34 [PATCH v5 1/2] erofs: add 'fsoffset' mount option for file-backed & bdev-based mounts Sheng Yong
2025-05-13 11:34 ` [PATCH 2/2] erofs: avoid using multiple devices with different type Sheng Yong
2025-05-13 15:10 ` Hongbo Li
2025-05-14 10:07 ` Sheng Yong
2025-05-14 11:51 ` Gao Xiang [this message]
2025-05-13 13:56 ` [PATCH v5 1/2] erofs: add 'fsoffset' mount option for file-backed & bdev-based mounts Hongbo Li
2025-05-13 13:59 ` Hongbo Li
2025-05-14 1:41 ` Sheng Yong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a18463df-a63b-4bdd-af85-bd8435cb23e7@linux.alibaba.com \
--to=hsiangkao@linux.alibaba.com \
--cc=chao@kernel.org \
--cc=dhavale@google.com \
--cc=jefflexu@linux.alibaba.com \
--cc=lihongbo22@huawei.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=shengyong1@xiaomi.com \
--cc=shengyong2021@gmail.com \
--cc=xiang@kernel.org \
--cc=zbestahu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.