From: "Theodore Ts'o" <tytso@mit.edu>
To: Jan Kara <jack@suse.cz>
Cc: Ext4 Developers List <linux-ext4@vger.kernel.org>,
syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Subject: Re: [PATCH 2/2] ext4: remove a BUG_ON in ext4_mb_release_group_pa()
Date: Mon, 8 May 2023 16:35:15 -0400 [thread overview]
Message-ID: <ZFldA72PlRBDOrRD@mit.edu> (raw)
In-Reply-To: <20230507182833.ma7fugevh7imz2tj@quack3>
On Sun, May 07, 2023 at 08:28:33PM +0200, Jan Kara wrote:
> OK, looks good to me. But frankly there are many other interesting ways how
> bogus group numbers output when this happens can return is fun stuff - e.g.
> ext4_group_first_block_no() is going to return invalid blocks etc. So it
> feels a bit like endless whack-a-mole game. Anyway I agree the series seem
> to fix a big chunk of these sites so feel free to add:
The main thing I'm trying to avoid is a kernel crash or possible
out-of-bounds read or write, which could lead to a security
vulnerability. If a a bad block number being returned by. say,
ext4_group_first_block_no() "only" results in an I/O error when or
(further) corruption of the block device, that's not a problem as far
as I'm concerned. After all, if a malicious root access has
read/write access to the block device, they can corrupt the file
system *anyway*.
I wasn't able to find cases where a crazy return value from
ext4_group_first_block_no() which would cause a BUG or a buffer
overrun. If we (or syzbot) finds a case where this could happen, we
could copy s_es->s_first_data_block to sbi->s_first_data_block and
then validate it during the file system mount.
I also did a quick spot check what nastiness could be caused by
real-time frobbing of s_blocks_count s_inodes_count and couldn't find
anything there either. So it looks like s_first_data_block is the one
which is the most problematic.
Cheers,
- Ted
prev parent reply other threads:[~2023-05-08 20:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-30 15:43 [PATCH 0/2] ext4: fix syzbot report: kernel BUG in ext4_get_group_info Theodore Ts'o
2023-04-30 15:43 ` [PATCH 1/2] ext4: allow ext4_get_group_info() to fail Theodore Ts'o
2023-05-07 18:18 ` Jan Kara
2023-05-10 0:22 ` Theodore Ts'o
2023-04-30 15:43 ` [PATCH 2/2] ext4: remove a BUG_ON in ext4_mb_release_group_pa() Theodore Ts'o
2023-05-07 18:28 ` Jan Kara
2023-05-08 20:35 ` Theodore Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFldA72PlRBDOrRD@mit.edu \
--to=tytso@mit.edu \
--cc=jack@suse.cz \
--cc=linux-ext4@vger.kernel.org \
--cc=syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).