Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug

Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug

[Mickaël Salaün]

On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote:
> On Thu, Jul 11, 2024 at 5:53 PM syzbot
> <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
> > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
> > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: arm64
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
> > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com
> >
> > bcachefs (loop0): resume_logged_ops... done
> > bcachefs (loop0): delete_dead_inodes... done
> > bcachefs (loop0): done starting filesystem
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> 
> I'll let Mickaël answer this for certain, but based on a quick look it
> appears that the fs object being moved has a umode_t that Landlock is
> not setup to handle?

syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e.
a weird file).

Kend, Brian, you'll find the incorrect filesystem with syzbot's report.
Could you please investigate the issue?

Here is the content of the file system:
# losetup --find --show mount_0
/dev/loop0
# mount /dev/loop0 /mnt/
# ls -la /mnt/
ls: cannot access '/mnt/file2': No such file or directory
ls: cannot access '/mnt/file3': No such file or directory
total 24
drwxr-xr-x 4 root root   0 May  2 20:21 .
drwxr-xr-x 1 root root 130 Oct 31  2023 ..
drwxr-xr-x 2 root root   0 May  2 20:21 file0
?rwxr-xr-x 1 root root  10 May  2 20:21 file1
-????????? ? ?    ?      ?            ? file2
-????????? ? ?    ?      ?            ? file3
-rwxr-xr-x 1 root root 100 May  2 20:21 file.cold
drwx------ 2 root root   0 May  2 20:21 lost+found
# stat /mnt/file1
  File: /mnt/file1
  Size: 10              Blocks: 8          IO Block: 4096   weird file
Device: 7,0     Inode: 1073741824  Links: 1
Access: (0755/?rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-05-02 20:21:07.747039697 +0000
Modify: 2024-05-02 20:21:07.747039697 +0000
Change: 2024-05-02 20:21:07.747039697 +0000
 Birth: 2024-05-02 20:21:07.747039697 +0000

dmesg:
bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=compression=lz4,nojournal_transaction_names
bcachefs (loop0): recovering from clean shutdown, journal seq 7
bcachefs (loop0): alloc_read... done
bcachefs (loop0): stripes_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay... done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): dirent to missing inode:
  u64s 7 type dirent 4096:5067489913167654073:U32_MAX len 0 ver 0: file2 -> 4098 type reg
bcachefs (loop0): inconsistency detected - emergency read only at journal seq 11
bcachefs (loop0): dirent to missing inode:
  u64s 7 type dirent 4096:5868742249271439647:U32_MAX len 0 ver 0:

> 
> > Modules linked in:
> > CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> > lr : get_mode_access security/landlock/fs.c:953 [inline]
> > lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132
> > sp : ffff80009bb47840
> > x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001
> > x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14
> > x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8
> > x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0
> > x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004
> > x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000
> > x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000
> > x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000
> > x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020
> > x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000
> > Call trace:
> >  current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> >  hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416
> >  security_path_rename+0x154/0x1f0 security/security.c:1918
> >  do_renameat2+0x724/0xe40 fs/namei.c:5031
> >  __do_sys_renameat2 fs/namei.c:5078 [inline]
> >  __se_sys_renameat2 fs/namei.c:5075 [inline]
> >  __arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075
> >  __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
> >  invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
> >  el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131
> >  do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150
> >  el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
> >  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
> >  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
> > irq event stamp: 67226
> > hardirqs last  enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
> > hardirqs last  enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
> > hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470
> > softirqs last  enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
> > softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
> > ---[ end trace 0000000000000000 ]---
> 
> -- 
> paul-moore.com
> 

Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug

[Kent Overstreet]

cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and
xfs verify and fsck are structured similararly at a very high level -
I'd like to get their input.

On Sun, Jul 14, 2024 at 09:34:01PM GMT, Mickaël Salaün wrote:
> On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote:
> > On Thu, Jul 11, 2024 at 5:53 PM syzbot
> > <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
> > > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > userspace arch: arm64
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
> > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com
> > >
> > > bcachefs (loop0): resume_logged_ops... done
> > > bcachefs (loop0): delete_dead_inodes... done
> > > bcachefs (loop0): done starting filesystem
> > > ------------[ cut here ]------------
> > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> > 
> > I'll let Mickaël answer this for certain, but based on a quick look it
> > appears that the fs object being moved has a umode_t that Landlock is
> > not setup to handle?
> 
> syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e.
> a weird file).
> 
> Kend, Brian, you'll find the incorrect filesystem with syzbot's report.
> Could you please investigate the issue?
> 
> Here is the content of the file system:
> # losetup --find --show mount_0
> /dev/loop0
> # mount /dev/loop0 /mnt/
> # ls -la /mnt/
> ls: cannot access '/mnt/file2': No such file or directory
> ls: cannot access '/mnt/file3': No such file or directory
> total 24
> drwxr-xr-x 4 root root   0 May  2 20:21 .
> drwxr-xr-x 1 root root 130 Oct 31  2023 ..
> drwxr-xr-x 2 root root   0 May  2 20:21 file0
> ?rwxr-xr-x 1 root root  10 May  2 20:21 file1
> -????????? ? ?    ?      ?            ? file2
> -????????? ? ?    ?      ?            ? file3
> -rwxr-xr-x 1 root root 100 May  2 20:21 file.cold
> drwx------ 2 root root   0 May  2 20:21 lost+found
> # stat /mnt/file1
>   File: /mnt/file1
>   Size: 10              Blocks: 8          IO Block: 4096   weird file
> Device: 7,0     Inode: 1073741824  Links: 1
> Access: (0755/?rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2024-05-02 20:21:07.747039697 +0000
> Modify: 2024-05-02 20:21:07.747039697 +0000
> Change: 2024-05-02 20:21:07.747039697 +0000
>  Birth: 2024-05-02 20:21:07.747039697 +0000

Ok, this is an interesting one.

So we don't seem to be checking for invwalid i_mode at all - that's a bug.

But if we don't want to be exposing invalid i_modes at all, that's
tricky, since we (currently) can only repair when running fsck. "This is
invalid and we never want to expose this" checks are done in bkey
.invalid methods, and those can only cause the key to be deleted - we
can't run complex repair in e.g. btree node read, and that's what would
be required here (e.g. checking the extents and dirents btrees to guess
if this should be a regular file or a directory).

Long term I plan on running our existing fsck checks (including repair)
in our normal runtime paths - whenever we're looking at one or more keys
and there's a fsck check we can run, just run it.

I wasn't planning on doing that for awhile, because I'm waiting on
getting comprehensive filesystem error injection merged so we can make
sure those repair paths are all well tested before running them
automatically like that, but if this is a security issue perhaps as a
special case we should do that now.

Thoughts?

Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug

[Dave Chinner]

On Sun, Jul 14, 2024 at 03:51:17PM -0400, Kent Overstreet wrote:
> cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and
> xfs verify and fsck are structured similararly at a very high level -
> I'd like to get their input.
> 
> On Sun, Jul 14, 2024 at 09:34:01PM GMT, Mickaël Salaün wrote:
> > On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote:
> > > On Thu, Jul 11, 2024 at 5:53 PM syzbot
> > > <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit:    8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm..
> > > > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=15349546db652fd3
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df
> > > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > userspace arch: arm64
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz
> > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com
> > > >
> > > > bcachefs (loop0): resume_logged_ops... done
> > > > bcachefs (loop0): delete_dead_inodes... done
> > > > bcachefs (loop0): done starting filesystem
> > > > ------------[ cut here ]------------
> > > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132
> > > 
> > > I'll let Mickaël answer this for certain, but based on a quick look it
> > > appears that the fs object being moved has a umode_t that Landlock is
> > > not setup to handle?
> > 
> > syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e.
> > a weird file).
> > 
> > Kend, Brian, you'll find the incorrect filesystem with syzbot's report.
> > Could you please investigate the issue?
> > 
> > Here is the content of the file system:
> > # losetup --find --show mount_0
> > /dev/loop0
> > # mount /dev/loop0 /mnt/
> > # ls -la /mnt/
> > ls: cannot access '/mnt/file2': No such file or directory
> > ls: cannot access '/mnt/file3': No such file or directory
> > total 24
> > drwxr-xr-x 4 root root   0 May  2 20:21 .
> > drwxr-xr-x 1 root root 130 Oct 31  2023 ..
> > drwxr-xr-x 2 root root   0 May  2 20:21 file0
> > ?rwxr-xr-x 1 root root  10 May  2 20:21 file1
   ^^^

That's an unknown file type. (i.e. i_mode & S_IFMT is invalid)

> > -????????? ? ?    ?      ?            ? file2
> > -????????? ? ?    ?      ?            ? file3
> > -rwxr-xr-x 1 root root 100 May  2 20:21 file.cold
> > drwx------ 2 root root   0 May  2 20:21 lost+found
> > # stat /mnt/file1
> >   File: /mnt/file1
> >   Size: 10              Blocks: 8          IO Block: 4096   weird file
> > Device: 7,0     Inode: 1073741824  Links: 1
> > Access: (0755/?rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> > Access: 2024-05-02 20:21:07.747039697 +0000
> > Modify: 2024-05-02 20:21:07.747039697 +0000
> > Change: 2024-05-02 20:21:07.747039697 +0000
> >  Birth: 2024-05-02 20:21:07.747039697 +0000
> 
> Ok, this is an interesting one.
> 
> So we don't seem to be checking for invwalid i_mode at all - that's a bug.

XFS verifies part of the S_IFMT part of the mode when it is read
from disk.  xfs_dinode_verify() does:

	mode = be16_to_cpu(dip->di_mode);
        if (mode && xfs_mode_to_ftype(mode) == XFS_DIR3_FT_UNKNOWN)
                return __this_address;

So if the type of the inode is not a valid XFS inode type, the whole
inode will get rejected as corrupt. i.e. the same issue on XFS
would return a corruption error for file1, not just file2 and file3.

> But if we don't want to be exposing invalid i_modes at all, that's
> tricky, since we (currently) can only repair when running fsck. "This is
> invalid and we never want to expose this" checks are done in bkey
> .invalid methods, and those can only cause the key to be deleted - we
> can't run complex repair in e.g. btree node read, and that's what would
> be required here (e.g. checking the extents and dirents btrees to guess
> if this should be a regular file or a directory).

Xfs online repair looks up the parent directory dirent for the inode
and grabs the ftype from the dirent to reset the mode....

> I wasn't planning on doing that for awhile, because I'm waiting on
> getting comprehensive filesystem error injection merged so we can make
> sure those repair paths are all well tested before running them
> automatically like that, but if this is a security issue perhaps as a
> special case we should do that now.
> 
> Thoughts?

Detect the bad mode on read, flag it as corruption and then the file
is inaccessible to users. Then you can take you time getting the
repair side of things right.

-Dave.
-- 
Dave Chinner
david@fromorbit.com