Re: [PATCH] fs: fs_parser: avoid NULL param->string to kstrtouint
On Fri, Jul 19, 2019 at 07:38:11PM +0200, Greg KH wrote: > On Fri, Jul 19, 2019 at 08:43:29PM +0800, Yin Fengwei wrote: > > syzbot reported general protection fault in kstrtouint: > > https://lkml.org/lkml/2019/7/18/328 > > > > >From the log, if the mount option is something like: > >fd, > > > > The default parameter (which has NULL param->string) will be > > passed to vfs_parse_fs_param. Finally, this NULL param->string > > is passed to kstrtouint and trigger NULL pointer access. > > > > Reported-by: syzbot+398343b7c1b1b9892...@syzkaller.appspotmail.com > > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") > > > > Signed-off-by: Yin Fengwei > > --- > > fs/fs_parser.c | 4 > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > > index d13fe7d797c2..578e6880ac67 100644 > > --- a/fs/fs_parser.c > > +++ b/fs/fs_parser.c > > @@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc, > > case fs_param_is_fd: { > > switch (param->type) { > > case fs_value_is_string: > > + if (result->has_value) { > > + goto bad_value; > > + } > > Always run checkpatch.pl so grumpy maintainers do not tell you to go run > checkpatch.pl :) Thanks a lot for kindly reminder. Will be careful for future patch. :) Regards Yin, Fengwei
Re: [PATCH] fs: fs_parser: avoid NULL param->string to kstrtouint
On Fri, Jul 19, 2019 at 03:37:37PM +0200, Dmitry Vyukov wrote: > On Fri, Jul 19, 2019 at 2:44 PM Yin Fengwei wrote: > > > > syzbot reported general protection fault in kstrtouint: > > https://lkml.org/lkml/2019/7/18/328 > > > > From the log, if the mount option is something like: > >fd, > > > > The default parameter (which has NULL param->string) will be > > passed to vfs_parse_fs_param. Finally, this NULL param->string > > is passed to kstrtouint and trigger NULL pointer access. > > > > Reported-by: syzbot+398343b7c1b1b9892...@syzkaller.appspotmail.com > > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") > > > > Signed-off-by: Yin Fengwei > > --- > > fs/fs_parser.c | 4 > > 1 file changed, 4 insertions(+) > > > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > > index d13fe7d797c2..578e6880ac67 100644 > > --- a/fs/fs_parser.c > > +++ b/fs/fs_parser.c > > @@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc, > > case fs_param_is_fd: { > > switch (param->type) { > > case fs_value_is_string: > > + if (result->has_value) { > > !result->has_value ? Yes. Should have ! in condition for NULL param->string. Will fix in v2. Regards Yin, Fengwei > > > + goto bad_value; > > + } > > + > > ret = kstrtouint(param->string, 0, > > >uint_32); > > break; > > case fs_value_is_file: > > -- > > 2.17.1 > > > > -- > > You received this message because you are subscribed to the Google Groups > > "syzkaller-bugs" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to syzkaller-bugs+unsubscr...@googlegroups.com. > > To view this discussion on the web visit > > https://groups.google.com/d/msgid/syzkaller-bugs/20190719124329.23207-1-nh26223.lmm%40gmail.com.
Re: general protection fault in kstrtouint (2)
Hi, On Thu, Jul 18, 2019 at 05:18:07AM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:e40115c0 Add linux-next specific files for 20190717 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=11d51b7060 > kernel config: https://syzkaller.appspot.com/x/.config?x=3430a151e1452331 > dashboard link: https://syzkaller.appspot.com/bug?extid=398343b7c1b1b989228d > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164e743460 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1399554c60 > > The bug was bisected to: > > commit 71cbb7570a9a0b830125163c20125a8b5e65ac45 > Author: David Howells > Date: Mon Mar 25 16:38:31 2019 + > > vfs: Move the subtype parameter into fuse After this patch, if mount option is something like fd, (no "=" in ), the default parameter which has NULL param->string is passed to vfs_parse_fs_param. And this NULL param->string is passed to kstrtouint and trigger null pointer access finally. Regards Yin, Fengwei > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1432307860 > final crash:https://syzkaller.appspot.com/x/report.txt?x=1632307860 > console output: https://syzkaller.appspot.com/x/log.txt?x=1232307860 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+398343b7c1b1b9892...@syzkaller.appspotmail.com > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") > > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] PREEMPT SMP KASAN > CPU: 0 PID: 9017 Comm: syz-executor410 Not tainted 5.2.0-next-20190717 #40 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:kstrtoull lib/kstrtox.c:123 [inline] > RIP: 0010:kstrtouint+0x85/0x1a0 lib/kstrtox.c:222 > Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6c 35 > 35 fe 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 4c 89 > e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 00 00 00 > RSP: 0018:8880997a79e0 EFLAGS: 00010246 > RAX: dc00 RBX: 8880997a7b38 RCX: 81c482dc > RDX: RSI: 833d4f84 RDI: > RBP: 8880997a7a70 R08: 8880a17ce100 R09: ed1015d06c84 > R10: ed1015d06c83 R11: 8880ae83641b R12: > R13: 1110132f4f3d R14: 8880997a7a48 R15: > FS: 56585880() GS:8880ae80() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 00455340 CR3: 95a49000 CR4: 001406f0 > DR0: DR1: DR2: > DR3: DR6: fffe0ff0 DR7: 0400 > Call Trace: > fs_parse+0xde1/0x1080 fs/fs_parser.c:209 > fuse_parse_param+0xac/0x750 fs/fuse/inode.c:491 > vfs_parse_fs_param+0x2ca/0x540 fs/fs_context.c:145 > vfs_parse_fs_string+0x105/0x170 fs/fs_context.c:188 > generic_parse_monolithic+0x181/0x200 fs/fs_context.c:228 > parse_monolithic_mount_data+0x69/0x90 fs/fs_context.c:708 > do_new_mount fs/namespace.c:2779 [inline] > do_mount+0x1369/0x1c30 fs/namespace.c:3103 > ksys_mount+0xdb/0x150 fs/namespace.c:3312 > __do_sys_mount fs/namespace.c:3326 [inline] > __se_sys_mount fs/namespace.c:3323 [inline] > __x64_sys_mount+0xbe/0x150 fs/namespace.c:3323 > do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > RIP: 0033:0x440299 > Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff > 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 > RSP: 002b:7fff19b997e8 EFLAGS: 0246 ORIG_RAX: 00a5 > RAX: ffda RBX: 7fff19b997f0 RCX: 00440299 > RDX: 2080 RSI: 20c0 RDI: > RBP: 006cb018 R08: 22c0 R09: 65732f636f72702f > R10: R11: 0246 R12: 00401b80 > R13: 00401c10 R14: R15: > Modules linked in: > ---[ end trace 8c219e63b0160ea4 ]--- > RIP: 0010:kstrtoull lib/kstrtox.c:123 [inline] > RIP: 0010:kstrtouint+0x85/0x1a0 lib/kstrtox.c:222 > Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6c 35 > 35 fe 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 4c 89 > e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 db 00 00 00 > RSP: 0018:8880997a79e0 EFLAGS: 00010246 > RAX: dc00 RBX: 8880997a7b38 RCX: 81c482dc > RDX: RSI: 833d4f84 RDI: > RBP: 8880997a7a70 R08: 8880a17ce100 R09: ed1015d06c84 > R10: ed1015d06c83 R11: 8880ae83641b R12: >