From: Ian Kent <raven@themaw.net>
To: Hugh Dickins <hughd@google.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: syzbot <syzbot+db1d2ea936378be0e4ea@syzkaller.appspotmail.com>,
syzkaller-bugs@googlegroups.com,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
Carlos Maiolino <cmaiolino@redhat.com>,
David Howells <dhowells@redhat.com>,
kernel test robot <oliver.sang@intel.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Siddhesh Poyarekar <siddhesh@gotplt.org>,
Theodore Ts'o <tytso@mit.edu>,
Hawkins Jiawei <yin31149@gmail.com>
Subject: Re: [syzbot] general protection fault in _parse_integer_fixup_radix
Date: Mon, 24 Oct 2022 08:06:51 +0800 [thread overview]
Message-ID: <55fad458-e2ef-3e5f-e1fa-b389167858f4@themaw.net> (raw)
In-Reply-To: <17a1fdc-14a0-cf3c-784f-baa939895aef@google.com>
On 24/10/22 02:50, Hugh Dickins wrote:
> On Sun, 23 Oct 2022, Tetsuo Handa wrote:
>
>> syzbot is reporting that "vfs: parse: deal with zero length string value"
>> in linux-next.git broke tmpfs's mount option parsing, for tmpfs is expecting that
>> vfs_parse_fs_string() returning 0 implies that param.string != NULL.
>>
>> The "nr_inodes" parameter for tmpfs is interpreted as "nr_inodes=$integer", but
>> the addition of
>>
>> if (!v_size) {
>> param.string = NULL;
>> param.type = fs_value_is_empty;
>> } else {
>>
>> to vfs_parse_fs_string() and
>>
>> if (param->type == fs_value_is_empty)
>> return 0;
>>
>> to fs_param_is_string() broke expectation by tmpfs.
>>
>> Parsing an fs string that has zero length should result in the parameter
>> being set to NULL so that downstream processing handles it correctly.
>>
>> is wrong and
>>
>> Parsing an fs string that has zero length should result in invalid argument
>> error so that downstream processing does not dereference NULL param.string
>> field.
It's not quite as simple at that.
Not allowing a zero length string will break cases where mount "source"
can be empty.
Maybe parsing of "source" would be better handled separately, rather than
with options handling code, it is slightly different ... mmm ... I'll check
the reported cases ...
Ian
prev parent reply other threads:[~2022-10-24 0:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-20 6:16 [syzbot] general protection fault in _parse_integer_fixup_radix syzbot
2022-10-23 2:18 ` Tetsuo Handa
2022-10-23 18:50 ` Hugh Dickins
2022-10-23 23:47 ` Ian Kent
2022-10-24 0:06 ` Ian Kent [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55fad458-e2ef-3e5f-e1fa-b389167858f4@themaw.net \
--to=raven@themaw.net \
--cc=akpm@linux-foundation.org \
--cc=cmaiolino@redhat.com \
--cc=dhowells@redhat.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=oliver.sang@intel.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=siddhesh@gotplt.org \
--cc=syzbot+db1d2ea936378be0e4ea@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=yin31149@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox