From: David Sterba <dsterba@suse.cz>
To: Yochai Eisenrich <echelonh@gmail.com>
Cc: Chris Mason <clm@fb.com>,
Yochai Eisenrich <yochaie@sweet.security>,
David Sterba <dsterba@suse.com>,
security@kernel.org, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH] fs: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Date: Mon, 23 Mar 2026 15:26:33 +0100
Message-ID: <20260323142633.GL5735@twin.jikos.cz>
In-Reply-To: <20260322063935.3951728-1-echelonh@gmail.com>
On Sun, Mar 22, 2026 at 08:39:35AM +0200, Yochai Eisenrich wrote:
> From: Yochai Eisenrich <yochaie@sweet.security>
>
> btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
> block group RAID type lists. The first pass counts entries to determine
> the allocation size, then the second pass fills the buffer. The
> groups_sem rwlock is released between passes, allowing concurrent block
> group removal to reduce the entry count.
>
> When the second pass fills fewer entries than the first pass counted,
> copy_to_user() copies the full alloc_size bytes including trailing
> uninitialized kmalloc bytes to userspace.
This sounds correct.
> Fix by copying only total_spaces entries (the actually-filled count from
> the second pass) instead of alloc_size bytes, and switch to kzalloc so
> any future copy size mismatch cannot leak heap data.
Trying to hit this race looks very hard though, reducing the number of block
group types is quite rare.
The change to kzalloc looks like the best fix, for all ioctls that are
exposed to userspace. Copying the exact number makes sense. The other
case (copying too much) has been fixed in 51788b1bdd0d68 ("btrfs:
prevent heap corruption in btrfs_ioctl_space_info()").
>
> Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
>
> Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Added to for-next, thanks.
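The count-then-fill pattern described in the commit message, modelled in user space as an added example (this is not the kernel's code): the structs, the 0xAA marker standing in for stale heap contents, and the entry values are constructed, and stale_bytes_copied() reports how many never-written bytes the final copy would hand to userspace under the original copy size, under the exact-count copy, and under a zeroed allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins for the ioctl's output layout; not the kernel's structs. */
struct space_entry { uint64_t flags, total_bytes, used_bytes; };
struct space_hdr   { uint64_t space_slots, total_spaces; };

/* Marker byte simulating whatever a non-zeroed allocation inherits from the heap. */
#define STALE 0xAA

/* Model of the two-pass ioctl. 'counted' entries were seen by the first pass
 * under the lock; 'present' entries remain when the second pass runs after the
 * lock was dropped (the fill is capped at 'counted', since the overflow case is
 * a separate, already-fixed bug). Returns how many never-written bytes the
 * final copy would expose; 0 means the copy is safe. */
static size_t stale_bytes_copied(uint64_t counted, uint64_t present,
                                 int exact_copy, int zeroed_alloc)
{
    size_t alloc_size = sizeof(struct space_hdr) + counted * sizeof(struct space_entry);
    unsigned char *buf = malloc(alloc_size);
    if (!buf)
        return 0;
    memset(buf, zeroed_alloc ? 0 : STALE, alloc_size);   /* kzalloc vs kmalloc */

    /* Second pass: fill only the entries that still exist. The constructed
     * values deliberately contain no 0xAA byte so the scan below is exact. */
    uint64_t filled = present < counted ? present : counted;
    struct space_hdr *hdr = (struct space_hdr *)buf;
    struct space_entry *ent = (struct space_entry *)(buf + sizeof(*hdr));
    for (uint64_t i = 0; i < filled; i++) {
        ent[i].flags = i;
        ent[i].total_bytes = 1u << 20;
        ent[i].used_bytes = 4096;
    }
    hdr->space_slots = counted;
    hdr->total_spaces = filled;

    /* Original: copy alloc_size bytes. Fix: copy only the filled entries. */
    size_t copy_len = exact_copy
        ? sizeof(*hdr) + filled * sizeof(struct space_entry)
        : alloc_size;

    size_t stale = 0;
    for (size_t i = 0; i < copy_len; i++)
        if (buf[i] == STALE)
            stale++;
    free(buf);
    return stale;
}
```

With five entries counted and three left at fill time, the original copy exposes the two unwritten entries (48 bytes here); either the exact-count copy or the zeroed allocation alone brings that to zero.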