* [syzbot] [lsm?] WARNING in current_check_refer_path @ 2024-07-11 21:53 syzbot 2024-07-12 14:55 ` Paul Moore 2024-09-23 12:06 ` [syzbot] [lsm?] WARNING in current_check_refer_path Paul Moore 0 siblings, 2 replies; 6+ messages in thread From: syzbot @ 2024-07-11 21:53 UTC (permalink / raw) To: gnoack, jmorris, linux-kernel, linux-security-module, mic, paul, serge, syzkaller-bugs Hello, syzbot found the following issue on: HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm64 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com bcachefs (loop0): resume_logged_ops... done bcachefs (loop0): delete_dead_inodes... done bcachefs (loop0): done starting filesystem ------------[ cut here ]------------ WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 Modules linked in: CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 lr : get_mode_access security/landlock/fs.c:953 [inline] lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132 sp : ffff80009bb47840 x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001 x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14 x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8 x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0 x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004 x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000 x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020 x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000 Call trace: current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416 security_path_rename+0x154/0x1f0 security/security.c:1918 do_renameat2+0x724/0xe40 fs/namei.c:5031 __do_sys_renameat2 fs/namei.c:5078 [inline] __se_sys_renameat2 fs/namei.c:5075 [inline] __arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 irq event stamp: 67226 hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470 softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32 softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 ---[ end trace 0000000000000000 ]--- --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [lsm?] WARNING in current_check_refer_path 2024-07-11 21:53 [syzbot] [lsm?] WARNING in current_check_refer_path syzbot @ 2024-07-12 14:55 ` Paul Moore 2024-07-14 19:34 ` [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug Mickaël Salaün 2024-09-23 12:06 ` [syzbot] [lsm?] WARNING in current_check_refer_path Paul Moore 1 sibling, 1 reply; 6+ messages in thread From: Paul Moore @ 2024-07-12 14:55 UTC (permalink / raw) To: syzbot Cc: gnoack, jmorris, linux-kernel, linux-security-module, mic, serge, syzkaller-bugs On Thu, Jul 11, 2024 at 5:53 PM syzbot <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 > kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > userspace arch: arm64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com > > bcachefs (loop0): resume_logged_ops... done > bcachefs (loop0): delete_dead_inodes... done > bcachefs (loop0): done starting filesystem > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 I'll let Mickaël answer this for certain, but based on a quick look it appears that the fs object being moved has a umode_t that Landlock is not setup to handle? > Modules linked in: > CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > lr : get_mode_access security/landlock/fs.c:953 [inline] > lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132 > sp : ffff80009bb47840 > x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001 > x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14 > x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8 > x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0 > x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004 > x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000 > x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000 > x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000 > x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020 > x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000 > Call trace: > current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416 > security_path_rename+0x154/0x1f0 security/security.c:1918 > do_renameat2+0x724/0xe40 fs/namei.c:5031 > __do_sys_renameat2 fs/namei.c:5078 [inline] > __se_sys_renameat2 fs/namei.c:5075 [inline] > __arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075 > __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] > invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 > el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131 > do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150 > el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 > el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 > el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 > irq event stamp: 67226 > hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] > hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 > hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470 > softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32 > softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 > ---[ end trace 0000000000000000 ]--- -- paul-moore.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug 2024-07-12 14:55 ` Paul Moore @ 2024-07-14 19:34 ` Mickaël Salaün 2024-07-14 19:51 ` Kent Overstreet 0 siblings, 1 reply; 6+ messages in thread From: Mickaël Salaün @ 2024-07-14 19:34 UTC (permalink / raw) To: Paul Moore, Kent Overstreet, Brian Foster, linux-bcachefs Cc: syzbot, gnoack, jmorris, linux-kernel, linux-security-module, serge, syzkaller-bugs, linux-fsdevel On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote: > On Thu, Jul 11, 2024 at 5:53 PM syzbot > <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote: > > > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > > userspace arch: arm64 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 > > > > Downloadable assets: > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com > > > > bcachefs (loop0): resume_logged_ops... done > > bcachefs (loop0): delete_dead_inodes... done > > bcachefs (loop0): done starting filesystem > > ------------[ cut here ]------------ > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > > I'll let Mickaël answer this for certain, but based on a quick look it > appears that the fs object being moved has a umode_t that Landlock is > not setup to handle? syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e. a weird file). Kend, Brian, you'll find the incorrect filesystem with syzbot's report. Could you please investigate the issue? Here is the content of the file system: # losetup --find --show mount_0 /dev/loop0 # mount /dev/loop0 /mnt/ # ls -la /mnt/ ls: cannot access '/mnt/file2': No such file or directory ls: cannot access '/mnt/file3': No such file or directory total 24 drwxr-xr-x 4 root root 0 May 2 20:21 . drwxr-xr-x 1 root root 130 Oct 31 2023 .. drwxr-xr-x 2 root root 0 May 2 20:21 file0 ?rwxr-xr-x 1 root root 10 May 2 20:21 file1 -????????? ? ? ? ? ? file2 -????????? ? ? ? ? ? file3 -rwxr-xr-x 1 root root 100 May 2 20:21 file.cold drwx------ 2 root root 0 May 2 20:21 lost+found # stat /mnt/file1 File: /mnt/file1 Size: 10 Blocks: 8 IO Block: 4096 weird file Device: 7,0 Inode: 1073741824 Links: 1 Access: (0755/?rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2024-05-02 20:21:07.747039697 +0000 Modify: 2024-05-02 20:21:07.747039697 +0000 Change: 2024-05-02 20:21:07.747039697 +0000 Birth: 2024-05-02 20:21:07.747039697 +0000 dmesg: bcachefs (loop0): mounting version 1.7: mi_btree_bitmap opts=compression=lz4,nojournal_transaction_names bcachefs (loop0): recovering from clean shutdown, journal seq 7 bcachefs (loop0): alloc_read... done bcachefs (loop0): stripes_read... done bcachefs (loop0): snapshots_read... done bcachefs (loop0): going read-write bcachefs (loop0): journal_replay... done bcachefs (loop0): resume_logged_ops... done bcachefs (loop0): delete_dead_inodes... done bcachefs (loop0): dirent to missing inode: u64s 7 type dirent 4096:5067489913167654073:U32_MAX len 0 ver 0: file2 -> 4098 type reg bcachefs (loop0): inconsistency detected - emergency read only at journal seq 11 bcachefs (loop0): dirent to missing inode: u64s 7 type dirent 4096:5868742249271439647:U32_MAX len 0 ver 0: > > > Modules linked in: > > CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 > > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > > pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > > lr : get_mode_access security/landlock/fs.c:953 [inline] > > lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132 > > sp : ffff80009bb47840 > > x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001 > > x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14 > > x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8 > > x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0 > > x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004 > > x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000 > > x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000 > > x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000 > > x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020 > > x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000 > > Call trace: > > current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > > hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416 > > security_path_rename+0x154/0x1f0 security/security.c:1918 > > do_renameat2+0x724/0xe40 fs/namei.c:5031 > > __do_sys_renameat2 fs/namei.c:5078 [inline] > > __se_sys_renameat2 fs/namei.c:5075 [inline] > > __arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075 > > __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] > > invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 > > el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131 > > do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150 > > el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 > > el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 > > el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 > > irq event stamp: 67226 > > hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] > > hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 > > hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470 > > softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32 > > softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 > > ---[ end trace 0000000000000000 ]--- > > -- > paul-moore.com > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug 2024-07-14 19:34 ` [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug Mickaël Salaün @ 2024-07-14 19:51 ` Kent Overstreet 2024-07-17 3:22 ` Dave Chinner 0 siblings, 1 reply; 6+ messages in thread From: Kent Overstreet @ 2024-07-14 19:51 UTC (permalink / raw) To: Mickaël Salaün Cc: Paul Moore, Brian Foster, linux-bcachefs, syzbot, gnoack, jmorris, linux-kernel, linux-security-module, serge, syzkaller-bugs, linux-fsdevel, linux-xfs cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and xfs verify and fsck are structured similararly at a very high level - I'd like to get their input. On Sun, Jul 14, 2024 at 09:34:01PM GMT, Mickaël Salaün wrote: > On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote: > > On Thu, Jul 11, 2024 at 5:53 PM syzbot > > <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot found the following issue on: > > > > > > HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. > > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > > > userspace arch: arm64 > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 > > > > > > Downloadable assets: > > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz > > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz > > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com > > > > > > bcachefs (loop0): resume_logged_ops... done > > > bcachefs (loop0): delete_dead_inodes... done > > > bcachefs (loop0): done starting filesystem > > > ------------[ cut here ]------------ > > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > > > > I'll let Mickaël answer this for certain, but based on a quick look it > > appears that the fs object being moved has a umode_t that Landlock is > > not setup to handle? > > syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e. > a weird file). > > Kend, Brian, you'll find the incorrect filesystem with syzbot's report. > Could you please investigate the issue? > > Here is the content of the file system: > # losetup --find --show mount_0 > /dev/loop0 > # mount /dev/loop0 /mnt/ > # ls -la /mnt/ > ls: cannot access '/mnt/file2': No such file or directory > ls: cannot access '/mnt/file3': No such file or directory > total 24 > drwxr-xr-x 4 root root 0 May 2 20:21 . > drwxr-xr-x 1 root root 130 Oct 31 2023 .. > drwxr-xr-x 2 root root 0 May 2 20:21 file0 > ?rwxr-xr-x 1 root root 10 May 2 20:21 file1 > -????????? ? ? ? ? ? file2 > -????????? ? ? ? ? ? file3 > -rwxr-xr-x 1 root root 100 May 2 20:21 file.cold > drwx------ 2 root root 0 May 2 20:21 lost+found > # stat /mnt/file1 > File: /mnt/file1 > Size: 10 Blocks: 8 IO Block: 4096 weird file > Device: 7,0 Inode: 1073741824 Links: 1 > Access: (0755/?rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) > Access: 2024-05-02 20:21:07.747039697 +0000 > Modify: 2024-05-02 20:21:07.747039697 +0000 > Change: 2024-05-02 20:21:07.747039697 +0000 > Birth: 2024-05-02 20:21:07.747039697 +0000 Ok, this is an interesting one. So we don't seem to be checking for invwalid i_mode at all - that's a bug. But if we don't want to be exposing invalid i_modes at all, that's tricky, since we (currently) can only repair when running fsck. "This is invalid and we never want to expose this" checks are done in bkey .invalid methods, and those can only cause the key to be deleted - we can't run complex repair in e.g. btree node read, and that's what would be required here (e.g. checking the extents and dirents btrees to guess if this should be a regular file or a directory). Long term I plan on running our existing fsck checks (including repair) in our normal runtime paths - whenever we're looking at one or more keys and there's a fsck check we can run, just run it. I wasn't planning on doing that for awhile, because I'm waiting on getting comprehensive filesystem error injection merged so we can make sure those repair paths are all well tested before running them automatically like that, but if this is a security issue perhaps as a special case we should do that now. Thoughts? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug 2024-07-14 19:51 ` Kent Overstreet @ 2024-07-17 3:22 ` Dave Chinner 0 siblings, 0 replies; 6+ messages in thread From: Dave Chinner @ 2024-07-17 3:22 UTC (permalink / raw) To: Kent Overstreet Cc: Mickaël Salaün, Paul Moore, Brian Foster, linux-bcachefs, syzbot, gnoack, jmorris, linux-kernel, linux-security-module, serge, syzkaller-bugs, linux-fsdevel, linux-xfs On Sun, Jul 14, 2024 at 03:51:17PM -0400, Kent Overstreet wrote: > cc'ing linux-xfs, since I'm sure this has come up there and bcachefs and > xfs verify and fsck are structured similararly at a very high level - > I'd like to get their input. > > On Sun, Jul 14, 2024 at 09:34:01PM GMT, Mickaël Salaün wrote: > > On Fri, Jul 12, 2024 at 10:55:11AM -0400, Paul Moore wrote: > > > On Thu, Jul 11, 2024 at 5:53 PM syzbot > > > <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote: > > > > > > > > Hello, > > > > > > > > syzbot found the following issue on: > > > > > > > > HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. > > > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df > > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > > > > userspace arch: arm64 > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 > > > > > > > > Downloadable assets: > > > > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz > > > > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz > > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz > > > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com > > > > > > > > bcachefs (loop0): resume_logged_ops... done > > > > bcachefs (loop0): delete_dead_inodes... done > > > > bcachefs (loop0): done starting filesystem > > > > ------------[ cut here ]------------ > > > > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > > > > > > I'll let Mickaël answer this for certain, but based on a quick look it > > > appears that the fs object being moved has a umode_t that Landlock is > > > not setup to handle? > > > > syzbot found an issue with bcachefs: in some cases umode_t is invalid (i.e. > > a weird file). > > > > Kend, Brian, you'll find the incorrect filesystem with syzbot's report. > > Could you please investigate the issue? > > > > Here is the content of the file system: > > # losetup --find --show mount_0 > > /dev/loop0 > > # mount /dev/loop0 /mnt/ > > # ls -la /mnt/ > > ls: cannot access '/mnt/file2': No such file or directory > > ls: cannot access '/mnt/file3': No such file or directory > > total 24 > > drwxr-xr-x 4 root root 0 May 2 20:21 . > > drwxr-xr-x 1 root root 130 Oct 31 2023 .. > > drwxr-xr-x 2 root root 0 May 2 20:21 file0 > > ?rwxr-xr-x 1 root root 10 May 2 20:21 file1 ^^^ That's an unknown file type. (i.e. i_mode & S_IFMT is invalid) > > -????????? ? ? ? ? ? file2 > > -????????? ? ? ? ? ? file3 > > -rwxr-xr-x 1 root root 100 May 2 20:21 file.cold > > drwx------ 2 root root 0 May 2 20:21 lost+found > > # stat /mnt/file1 > > File: /mnt/file1 > > Size: 10 Blocks: 8 IO Block: 4096 weird file > > Device: 7,0 Inode: 1073741824 Links: 1 > > Access: (0755/?rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) > > Access: 2024-05-02 20:21:07.747039697 +0000 > > Modify: 2024-05-02 20:21:07.747039697 +0000 > > Change: 2024-05-02 20:21:07.747039697 +0000 > > Birth: 2024-05-02 20:21:07.747039697 +0000 > > Ok, this is an interesting one. > > So we don't seem to be checking for invwalid i_mode at all - that's a bug. XFS verifies part of the S_IFMT part of the mode when it is read from disk. xfs_dinode_verify() does: mode = be16_to_cpu(dip->di_mode); if (mode && xfs_mode_to_ftype(mode) == XFS_DIR3_FT_UNKNOWN) return __this_address; So if the type of the inode is not a valid XFS inode type, the whole inode will get rejected as corrupt. i.e. the same issue on XFS would return a corruption error for file1, not just file2 and file3. > But if we don't want to be exposing invalid i_modes at all, that's > tricky, since we (currently) can only repair when running fsck. "This is > invalid and we never want to expose this" checks are done in bkey > .invalid methods, and those can only cause the key to be deleted - we > can't run complex repair in e.g. btree node read, and that's what would > be required here (e.g. checking the extents and dirents btrees to guess > if this should be a regular file or a directory). Xfs online repair looks up the parent directory dirent for the inode and grabs the ftype from the dirent to reset the mode.... > I wasn't planning on doing that for awhile, because I'm waiting on > getting comprehensive filesystem error injection merged so we can make > sure those repair paths are all well tested before running them > automatically like that, but if this is a security issue perhaps as a > special case we should do that now. > > Thoughts? Detect the bad mode on read, flag it as corruption and then the file is inaccessible to users. Then you can take you time getting the repair side of things right. -Dave. -- Dave Chinner david@fromorbit.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [lsm?] WARNING in current_check_refer_path 2024-07-11 21:53 [syzbot] [lsm?] WARNING in current_check_refer_path syzbot 2024-07-12 14:55 ` Paul Moore @ 2024-09-23 12:06 ` Paul Moore 1 sibling, 0 replies; 6+ messages in thread From: Paul Moore @ 2024-09-23 12:06 UTC (permalink / raw) To: syzbot Cc: gnoack, jmorris, linux-kernel, linux-security-module, mic, serge, syzkaller-bugs On Thu, Jul 11, 2024 at 5:53 PM syzbot <syzbot+34b68f850391452207df@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 8a03d70c27fc Merge remote-tracking branch 'tglx/devmsi-arm.. > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > console output: https://syzkaller.appspot.com/x/log.txt?x=174b0e6e980000 > kernel config: https://syzkaller.appspot.com/x/.config?x=15349546db652fd3 > dashboard link: https://syzkaller.appspot.com/bug?extid=34b68f850391452207df > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > userspace arch: arm64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13cd1b69980000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12667fd1980000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/efb354033e75/disk-8a03d70c.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/c747c205d094/vmlinux-8a03d70c.xz > kernel image: https://storage.googleapis.com/syzbot-assets/5641f4fb7265/Image-8a03d70c.gz.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/4e4d1faacdef/mount_0.gz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com > > bcachefs (loop0): resume_logged_ops... done > bcachefs (loop0): delete_dead_inodes... done > bcachefs (loop0): done starting filesystem > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 6284 at security/landlock/fs.c:971 current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > Modules linked in: > CPU: 0 PID: 6284 Comm: syz-executor169 Not tainted 6.10.0-rc6-syzkaller-g8a03d70c27fc #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > lr : get_mode_access security/landlock/fs.c:953 [inline] > lr : current_check_refer_path+0x4dc/0xaa8 security/landlock/fs.c:1132 > sp : ffff80009bb47840 > x29: ffff80009bb47980 x28: ffff80009bb478e0 x27: 0000000000000001 > x26: 1fffe0001b7a831f x25: ffff0000d713ef00 x24: ffff700013768f14 > x23: 000000000000f1ed x22: dfff800000000000 x21: ffff0000dbd418f8 > x20: 0000000000000000 x19: 0000000000001fff x18: ffff80009bb46be0 > x17: ffff800080b8363c x16: ffff80008afaca80 x15: 0000000000000004 > x14: 1ffff00013768f24 x13: 0000000000000000 x12: 0000000000000000 > x11: ffff700013768f28 x10: 0000000000ff0100 x9 : 0000000000000000 > x8 : ffff0000d6845ac0 x7 : 0000000000000000 x6 : 0000000000000000 > x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000020 > x2 : 0000000000000000 x1 : 000000000000f1ed x0 : 000000000000d000 > Call trace: > current_check_refer_path+0x4e0/0xaa8 security/landlock/fs.c:1132 > hook_path_rename+0x4c/0x60 security/landlock/fs.c:1416 > security_path_rename+0x154/0x1f0 security/security.c:1918 > do_renameat2+0x724/0xe40 fs/namei.c:5031 > __do_sys_renameat2 fs/namei.c:5078 [inline] > __se_sys_renameat2 fs/namei.c:5075 [inline] > __arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5075 > __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline] > invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48 > el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:131 > do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:150 > el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712 > el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 > el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 > irq event stamp: 67226 > hardirqs last enabled at (67225): [<ffff80008b1683b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] > hardirqs last enabled at (67225): [<ffff80008b1683b4>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 > hardirqs last disabled at (67226): [<ffff80008b06e498>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:470 > softirqs last enabled at (66914): [<ffff8000800307e0>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32 > softirqs last disabled at (66912): [<ffff8000800307ac>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 > ---[ end trace 0000000000000000 ]--- > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the report is already addressed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite report's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the report is a duplicate of another one, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup Based on the rest of the discussion with the bcachefs/xfs devs, moving this to bcachefs since it still appears to be an open issue (at least to syzkaller). #syz set subsystems: bcachefs -- paul-moore.com ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-09-23 12:06 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-07-11 21:53 [syzbot] [lsm?] WARNING in current_check_refer_path syzbot 2024-07-12 14:55 ` Paul Moore 2024-07-14 19:34 ` [syzbot] [lsm?] WARNING in current_check_refer_path - bcachefs bug Mickaël Salaün 2024-07-14 19:51 ` Kent Overstreet 2024-07-17 3:22 ` Dave Chinner 2024-09-23 12:06 ` [syzbot] [lsm?] WARNING in current_check_refer_path Paul Moore
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).