Re: [syzbot] WARNING in __kernel_write_iter
From: Jann Horn
Date: Fri Nov 24 2023 - 12:27:22 EST
On Fri, Nov 24, 2023 at 6:24 PM David Sterba <dsterba@xxxxxxx> wrote:
> On Fri, Nov 24, 2023 at 05:21:20PM +0100, Jann Horn wrote:
> > On Mon, Oct 10, 2022 at 9:04 AM syzbot
> > <syzbot+12e098239d20385264d3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > HEAD commit: a6afa4199d3d Merge tag 'mailbox-v6.1' of git://git.linaro...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=110f6f0a880000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
> > > compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/12e24d042ff9/disk-a6afa419.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/4862ae4e2edf/vmlinux-a6afa419.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+12e098239d20385264d3@xxxxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > ------------[ cut here ]------------
> > > WARNING: CPU: 1 PID: 20347 at fs/read_write.c:504 __kernel_write_iter+0x639/0x740
> > [...]
> > > __kernel_write fs/read_write.c:537 [inline]
> > > kernel_write+0x1c5/0x340 fs/read_write.c:558
> > > write_buf fs/btrfs/send.c:590 [inline]
> > > send_header fs/btrfs/send.c:708 [inline]
> > > send_subvol+0x1a7/0x4b60 fs/btrfs/send.c:7648
> > > btrfs_ioctl_send+0x1e34/0x2340 fs/btrfs/send.c:8014
> > > _btrfs_ioctl_send+0x2e8/0x420 fs/btrfs/ioctl.c:5233
> > > btrfs_ioctl+0x5eb/0xc10
> > > vfs_ioctl fs/ioctl.c:51 [inline]
> >
> > The issue here is that BTRFS_IOC_SEND looks up an fd with fget() and
> > then writes into it with kernel_write(). Luckily the ioctl requires
> > CAP_SYS_ADMIN, and also Linux >=5.8 bails out on __kernel_write() on a
> > read-only file, so this has no security impact.
>
> I'm not sure if we could make the send ioctl safe for a non-root user,
> the code there has been doing tricks that have security implications.
>
> > I'm about to send a fix, let's have syzkaller check it beforehand:
> >
> > #syz test https://github.com/thejh/linux.git 573fd2562e0f
>
> The fix looks correct to me, thanks.
(I sent the fix to you and the other btrfs maintainers separately with
subject "[PATCH] btrfs: send: Ensure send_fd is writable", see
<https://lore.kernel.org/lkml/20231124164831.2191549-1-jannh@xxxxxxxxxx/T/>.)