From: Yochai E <echelonh@gmail.com>
To: dsterba@suse.cz
Cc: Chris Mason <clm@fb.com>,
Yochai Eisenrich <yochaie@sweet.security>,
David Sterba <dsterba@suse.com>,
security@kernel.org, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH] fs: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Date: Mon, 23 Mar 2026 17:03:47 +0200 [thread overview]
Message-ID: <CACo1jfiWUVViXh7FTeWyFpubudq-qF4=hJZOFcEF0n0OZLVQtQ@mail.gmail.com> (raw)
In-Reply-To: <20260323142633.GL5735@twin.jikos.cz>
On Mon, Mar 23, 2026 at 4:26 PM David Sterba <dsterba@suse.cz> wrote:
>
> On Sun, Mar 22, 2026 at 08:39:35AM +0200, Yochai Eisenrich wrote:
> > From: Yochai Eisenrich <yochaie@sweet.security>
> >
> > btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
> > block group RAID type lists. The first pass counts entries to determine
> > the allocation size, then the second pass fills the buffer. The
> > groups_sem rwlock is released between passes, allowing concurrent block
> > group removal to reduce the entry count.
> >
> > When the second pass fills fewer entries than the first pass counted,
> > copy_to_user() copies the full alloc_size bytes including trailing
> > uninitialized kmalloc bytes to userspace.
>
> This sounds correct.
>
> > Fix by copying only total_spaces entries (the actually-filled count from
> > the second pass) instead of alloc_size bytes, and switch to kzalloc so
> > any future copy size mismatch cannot leak heap data.
>
> Trying to hit this race looks very hard though, reducing number of block
> group types is quite rare.
I agree that this may not be your btrfs typical behavior, but I wouldn't
have raised the issue if I wasn't able to prove it. I can send the PoC
code your way if you're interested - it leaks kernel data. A malicious
user can utilize a fresh btrfs disk over e.g. zram to trigger the issue.
> The change to kzalloc looks like best fix, for all ioctls that are
> exposed to userspace. Copying the exact number makes sense. The other
> case (copying too much) has been fixed in 51788b1bdd0d68 ("btrfs:
> prevent heap corruption in btrfs_ioctl_space_info()").
Just to make sure we're on the same page:
1. Following the above, do you approve of the copy_to_user fix I
suggested?
2. I think it makes sense to treat other ioctl kmallocs in a different
patch, no?
> >
> > Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
> >
> > Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
>
> Added to for-next, thanks.
next prev parent reply other threads:[~2026-03-23 15:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-22 6:39 [PATCH] fs: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Yochai Eisenrich
2026-03-23 14:26 ` David Sterba
2026-03-23 15:03 ` Yochai E [this message]
2026-03-23 18:54 ` David Sterba
2026-03-23 22:34 ` [PATCH] fs: btrfs: fix btrfs_ioctl_space_info() slot_count Teng Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACo1jfiWUVViXh7FTeWyFpubudq-qF4=hJZOFcEF0n0OZLVQtQ@mail.gmail.com' \
--to=echelonh@gmail.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=dsterba@suse.cz \
--cc=linux-btrfs@vger.kernel.org \
--cc=security@kernel.org \
--cc=yochaie@sweet.security \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox