From: Dave Chinner <david@fromorbit.com>
To: "Xu, Wen" <wen.xu@gatech.edu>
Cc: "linux-xfs@vger.kernel.org" <linux-xfs@vger.kernel.org>
Subject: Re: Kernel oops at NULL pointer when performing readlink on a fuzzed v5 image
Date: Mon, 18 Jun 2018 15:21:10 +1000 [thread overview]
Message-ID: <20180618052110.GE19934@dastard> (raw)
In-Reply-To: <15FCAC1E-1320-4122-8768-A45FFCFD1AC2@gatech.edu>
On Mon, Jun 18, 2018 at 03:49:52AM +0000, Xu, Wen wrote:
> Hi,
>
> Here is an issue I found when fuzzing V5 filesystem related with softlink.
>
> - Reproduce (4.17/for-next branch)
> # mkdir mnt
> # mount -t xfs final.img mnt
> # gcc -o poc poc.c
> # ./poc ./mnt
This does not reproduce on my local dev tree.
This is as much output as I get:
> [ 315.207956] XFS (loop0): Mounting V5 Filesystem
> [ 315.214851] XFS (loop0): Ending clean mount
> [ 315.214976] Filesystem "loop0": reserve blocks depleted! Consider increasing reserve pool size.
> [ 315.214979] XFS (loop0): Per-AG reservation for AG 0 failed. Filesystem may run out of space.
> [ 315.214981] XFS (loop0): Per-AG reservation for AG 0 failed. Filesystem may run out of space.
> [ 326.041728] XFS (loop0): Failed to remove inode(s) from unlinked list. Please free space, unmount and run xfs_repair.
i.e. Nothing unexpected fails, I get ENOENT as expected once the baz
-> ./baz symlink loop has been removed.
Ok, now I'm betting that this has something to do with zero length
symlinks not being caught correctly, given that a) we identified
this flaw a few days ago, b) strlen(symlink_data_ptr) gets a
null dereference indicating an empty symlink is being read, and c)
there's a warning about failing to remove an inode from the unlinked
list and that can leave symlinks with a zeroed in-memory data fork.
Ok, so lets try a plain 4.17 + xfs/for-next. Yup, that does indeed
fail.
IOWs, the patch I wrote a few hours ago to prevent zero length
symlinks from hitting the disk by not screwing with the inline inode
data fork until the inode has been pulled from the unlinked list
prevents the crash from occurring.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2018-06-18 5:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-18 3:49 Kernel oops at NULL pointer when performing readlink on a fuzzed v5 image Xu, Wen
2018-06-18 5:21 ` Dave Chinner [this message]
2018-06-29 17:04 ` Xu, Wen
2018-06-30 18:34 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180618052110.GE19934@dastard \
--to=david@fromorbit.com \
--cc=linux-xfs@vger.kernel.org \
--cc=wen.xu@gatech.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).