[Kernel Bug] WARNING in bfs_rename


 



Dear Developers and Maintainers,

We found a Linux kernel bug titled "WARNING in bfs_rename" on
Linux-6.6.63 through our modified tool. We also tested the reproducer
on the latest Linux-6.13-rc1, where the PoC can still crash the kernel
through WARN_ON. Here are the relevant attachments:

kernel config: https://drive.google.com/file/d/1wog0WflzY_EuOPj-n7iUHAyILxSZCwks/view?usp=sharing
crash report: https://drive.google.com/file/d/1oZcZLgQpPvQ5tZ7tTYmt0bk6NaPt7MVV/view?usp=sharing
repro report: https://drive.google.com/file/d/1Cw1dB8aO40lMS_a2EpL-jj2GM-8Tz18o/view?usp=sharing
syz reproducer: https://drive.google.com/file/d/10fNQMrcHhUT0VoEopMjvuNPtxM2KVk-d/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1t-Pk6w76Xzes-j6Mg8oCTgo3XxzABHtz/view?usp=sharing

[Basic Cause Analysis]
In the bfs_rename function, the link count of new_inode is decremented
via inode_dec_link_count(new_inode) without first checking if
new_inode->i_nlink is greater than 0. If the i_nlink is already 0,
this causes an invalid decrement, triggering the WARN_ON and
potentially corrupting the filesystem state. This situation may occur
if the new_inode has already been marked as deleted (i.e., i_nlink ==
0) or if its link count has been improperly modified by other
operations.

[Possible Fix]
1. Check new_inode->i_nlink before calling inode_dec_link_count to
ensure that it is greater than 0. This prevents invalid decrements of
the link count.
2. Ensure consistent inode link count management across the file
system code, particularly during file rename or deletion operations.
Link counts should be updated properly and consistently to avoid such
errors.
3. Implement additional validation checks for inode link counts to
ensure that file system operations like renaming are safe and do not
operate on inodes with an invalid state.

We hope this helps improve kernel security. If you fix the
issue, please add the following tag to the commit:
Reported-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>


------------[ cut here ]------------
WARNING: CPU: 0 PID: 9422 at fs/inode.c:332 drop_nlink+0xab/0xd0 fs/inode.c:332
Modules linked in:
CPU: 0 PID: 9422 Comm: syz.7.210 Not tainted 6.6.63 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:drop_nlink+0xab/0xd0 fs/inode.c:332
Code: 43 48 8b 5d 38 be 08 00 00 00 48 8d bb 78 07 00 00 e8 29 27 e9
ff f0 48 ff 83 78 07 00 00 5b 5d e9 da 4e 93 ff e8 d5 4e 93 ff <0f> 0b
c7 45 58 ff ff ff ff 5b 5d e9 c5 4e 93 ff e8 40 20 e9 ff e9
RSP: 0018:ffffc90002f6fab0 EFLAGS: 00010283
RAX: 0000000000004e2c RBX: 0000000000000000 RCX: ffffc90003561000
RDX: 0000000000080000 RSI: ffffffff81f4149b RDI: 0000000000000005
RBP: ffff88803642f058 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88803642faa8
R13: ffff88803642ba68 R14: ffff88803642f058 R15: ffff888036a4ee20
FS:  00007ff30b784700(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c31eff8 CR3: 00000000331c7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 inode_dec_link_count include/linux/fs.h:2340 [inline]
 bfs_rename+0x42c/0x730 fs/bfs/dir.c:247
 vfs_rename+0xf83/0x20a0 fs/namei.c:4872
 do_renameat2+0xc3c/0xdc0 fs/namei.c:5025
 __do_sys_rename fs/namei.c:5071 [inline]
 __se_sys_rename fs/namei.c:5069 [inline]
 __x64_sys_rename+0x81/0xa0 fs/namei.c:5069
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x5687ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff30b783bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000715fa0 RCX: 00000000005687ad
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000020000140
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000715fac
R13: 0000000000000000 R14: 0000000000715fa0 R15: 00007ff30b783d40
 </TASK>
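To make the mechanism in the cause analysis concrete, here is an added userland model (example code written for this page, not the kernel's own fs/inode.c or fs/bfs/dir.c) of the two paths the report contrasts: an unguarded decrement that reaches the drop_nlink() warning when the target inode's i_nlink is already 0, and the guarded decrement proposed as fix (1). The struct fields, the `model_` function names and the -1 error return are assumptions made for the model; the kernel's real drop_nlink() additionally marks the inode dirty and prints the splat quoted above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userland stand-ins for the kernel objects the report talks about.
 * Constructed for this example; only the fields the bug touches are kept. */
struct sb_model {
    long s_remove_count;          /* stands in for sb->s_remove_count */
};

struct inode_model {
    unsigned int i_nlink;         /* link count that drop_nlink() checks */
    struct sb_model *i_sb;
};

/* How many times the modelled WARN_ON fired (the kernel would print a
 * "WARNING: ... drop_nlink" splat like the one in the report). */
static int warn_count;

/* Mirrors the logic of drop_nlink() in fs/inode.c: warn if the count is
 * already zero, then decrement unconditionally. Returns true when the
 * warning fired, i.e. when the caller handed in an already-unlinked inode. */
static bool model_drop_nlink(struct inode_model *inode)
{
    bool warned = false;

    if (inode->i_nlink == 0) {
        warn_count++;
        warned = true;
        fprintf(stderr, "WARNING: drop_nlink() on inode with i_nlink == 0\n");
    }
    inode->i_nlink--;             /* wraps to UINT_MAX on the bad path */
    if (inode->i_nlink == 0)
        inode->i_sb->s_remove_count++;
    return warned;
}

/* The unguarded pattern the report describes for the rename target:
 * inode_dec_link_count(new_inode) with no look at the current count. */
static bool rename_target_drop_unguarded(struct inode_model *new_inode)
{
    return model_drop_nlink(new_inode);
}

/* The report's suggested fix (1): refuse the decrement when the target is
 * already at zero links and report the inconsistency instead of wrapping the
 * count. Returns 0 on success, -1 for an invalid target state (assumption:
 * a real implementation would map this to an appropriate errno). */
static int rename_target_drop_guarded(struct inode_model *new_inode)
{
    if (new_inode->i_nlink == 0)
        return -1;
    model_drop_nlink(new_inode);
    return 0;
}

int main(void)
{
    struct sb_model sb = { 0 };
    struct inode_model target = { 1, &sb };   /* constructed: one link left */

    /* First rename over the target: legitimate, count goes 1 -> 0. */
    rename_target_drop_unguarded(&target);
    printf("after first drop: i_nlink=%u remove_count=%ld\n",
           target.i_nlink, sb.s_remove_count);

    /* Guarded path refuses to touch an inode that is already at zero. */
    printf("guarded drop on zero-link inode: %d\n",
           rename_target_drop_guarded(&target));

    /* Unguarded path reproduces the warning and wraps the counter. */
    bool warned = rename_target_drop_unguarded(&target);
    printf("unguarded drop warned=%d i_nlink=%u\n", warned, target.i_nlink);
    return 0;
}
```

The guard only converts the warning into an error return; as the report's points (2) and (3) say, the underlying question is why the target inode reached i_nlink == 0 while still reachable from a directory entry, which the model does not answer.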



