From: "Theodore Ts'o" <tytso@mit.edu>
To: Shuangpeng Bai <shuangpengbai@gmail.com>
Cc: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Subject: Re: KASAN: use-after-free in ext4_find_extent in v6.9
Date: Wed, 15 May 2024 16:49:32 -0600
Message-ID: <20240515224932.GA202157@mit.edu>
In-Reply-To: <5B9F0C1F-C804-4A9C-8597-4E1A7D16B983@gmail.com>
On Tue, May 14, 2024 at 08:40:36PM -0400, Shuangpeng Bai wrote:
> Hi Kernel Maintainers,
>
> Our tool found a kernel bug KASAN: use-after-free in ext4_find_extent. Please see the details below.
>
> Kernel commit: v6.9 (Commits on May 12, 2024)
> Kernel config: attachment
> C/Syz reproducer: attachment
>
> We find this bug was reported and marked as fixed. (https://syzkaller.appspot.com/bug?extid=7ec4ebe875a7076ebb31)
>
> Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly.
The reason why it was marked as fixed is because the reproducer no
longer reproduces with CONFIG_BLK_DEV_WRITE_MOUNTED disabled.
Upstream syzkaller unconditionally disables this config, and we don't
consider reproducers that have CONFIG_BLK_DEV_WRITE_MOUNTED enabled to
be a bug.
If the reproducer is actively modifying the block device (or the
underlying file for a loop device) while it is mounted, we don't
consider this a bug. This requires root, and it's no more a
"security bug" than someone complaining that root can execute a
reboot(2) system call and calling it a "security bug".
I've looked at your "reproducer" and it does appear to be modifying
the block device while it is mounted, and the config does have
CONFIG_BLK_DEV_WRITE_MOUNTED enabled. So I don't care (tm). If you
want to put an engineer to work on addressing the bug, and the patch
is a clean and maintainable code fix, I'll certainly consider the change.
But it's not something that upstream will work on a volunteer basis;
no company I am aware of is willing to pay for engineers to work on
this sort of issue.
Cheers,
- Ted
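The triage rule Ted applies above (a reproducer that writes to a mounted block device is not a bug when the kernel config has CONFIG_BLK_DEV_WRITE_MOUNTED enabled) can be checked mechanically before reporting. The following is an added example, not code from this thread or from the kernel tree; it parses a kernel .config (including the "# CONFIG_X is not set" form and options that are simply absent) and the sample config fragment is constructed, not the reporter's attachment.

```python
"""Triage helper: does a kernel .config make a 'writes to a mounted block
device' reproducer invalid under the upstream syzkaller policy?"""
import re

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text):
    """Parse .config text into {option: value}.

    '# CONFIG_X is not set' lines map to 'n'.  Options that never appear
    are left out; callers treat a missing option as 'n', which matches
    how Kconfig interprets an absent symbol.
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def write_mounted_allowed(opts):
    """True when the kernel lets a privileged process write a block device
    (or loop backing file) that is currently mounted."""
    return opts.get("CONFIG_BLK_DEV_WRITE_MOUNTED", "n") == "y"


def triage(config_text, reproducer_writes_mounted_bdev):
    """Apply the policy from the thread; returns a short verdict string."""
    opts = parse_kconfig(config_text)
    if reproducer_writes_mounted_bdev and write_mounted_allowed(opts):
        return ("not-a-bug: reproducer writes a mounted block device and "
                "CONFIG_BLK_DEV_WRITE_MOUNTED=y; retest with it disabled")
    if reproducer_writes_mounted_bdev:
        return ("investigate: config should reject writes to a mounted "
                "block device, so the crash path is worth a look")
    return "investigate: reproducer does not rely on writing a mounted bdev"


# Constructed sample fragment, not the reporter's attached config.
SAMPLE_CONFIG = """\
CONFIG_EXT4_FS=y
CONFIG_KASAN=y
CONFIG_BLK_DEV_WRITE_MOUNTED=y
# CONFIG_BLK_DEV_ZONED is not set
"""

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, reproducer_writes_mounted_bdev=True))
```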
2024-05-15 0:40 KASAN: use-after-free in ext4_find_extent in v6.9 Shuangpeng Bai
2024-05-15 22:49 ` Theodore Ts'o [this message]
2024-05-16 0:33 ` Shuangpeng Bai
2024-05-16 13:58 ` Theodore Ts'o
2024-05-16 14:44 ` Dmitry Vyukov
2024-05-16 17:42 ` Shuangpeng Bai