On Fri, Sep 27, 2024 at 2:03 PM Amir Goldstein <amir73il@xxxxxxxxx> wrote: > > On Fri, Sep 27, 2024 at 9:10 AM Leo Stone <leocstone@xxxxxxxxx> wrote: > > > > Add a check to avoid using an invalid pointer if ovl_open_realfile fails. > > > > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master > > > > diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c > > index 2b7a5a3a7a2f..67f75eeb1e51 100644 > > --- a/fs/overlayfs/file.c > > +++ b/fs/overlayfs/file.c > > @@ -117,7 +117,11 @@ static int ovl_real_fdget_meta(const struct file *file, struct fd *real, > > struct file *f = ovl_open_realfile(file, &realpath); > > if (IS_ERR(f)) > > return PTR_ERR(f); > > - real->word = (unsigned long)ovl_open_realfile(file, &realpath) | FDPUT_FPUT; > > + f = ovl_open_realfile(file, &realpath); > > + if (IS_ERR(f)) > > + return PTR_ERR(f); > > + real->word = (unsigned long)f; > > + real->word |= FDPUT_FPUT; > > return 0; > > } > > > > > > No, that's the wrong fix. > There is a braino and a file leak in this code. > > Linus, > > Could you apply this braino fix manually before releasing rc1. > Too quick to send. I messed up the Fixes: tag. Now fixed. Thanks, Amir.
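Review bot: In the quoted hunk for ovl_real_fdget_meta(), the added `f = ovl_open_realfile(file, &realpath);` overwrites the `f` that the context lines just above already opened and checked with IS_ERR(), so the first file reference is dropped without being released and the real file is still opened twice. The error check on the second call closes the invalid-pointer case but leaves that leak in place. Suggest removing the second call altogether and building the word from the already-validated pointer, `real->word = (unsigned long)f | FDPUT_FPUT;`, which needs no additional IS_ERR() branch.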
From 994d5a61855da275292780af72948d7207025ec8 Mon Sep 17 00:00:00 2001 From: Amir Goldstein <amir73il@xxxxxxxxx> Date: Fri, 27 Sep 2024 13:54:23 +0200 Subject: [PATCH] ovl: fix file leak in ovl_real_fdget_meta() ovl_open_realfile() is wrongly called twice after conversion to new struct fd. Fixes: 88a2f6468d01 ("struct fd: representation change") Reported-by: syzbot+d9efec94dcbfa0de1c07@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> --- fs/overlayfs/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index 2b7a5a3a7a2f..4504493b20be 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -117,7 +117,7 @@ static int ovl_real_fdget_meta(const struct file *file, struct fd *real, struct file *f = ovl_open_realfile(file, &realpath); if (IS_ERR(f)) return PTR_ERR(f); - real->word = (unsigned long)ovl_open_realfile(file, &realpath) | FDPUT_FPUT; + real->word = (unsigned long)f | FDPUT_FPUT; return 0; } -- 2.34.1
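Review bot: The commit message covers only the leak, while the removed line `real->word = (unsigned long)ovl_open_realfile(file, &realpath) | FDPUT_FPUT;` also stored the second call's return value with no IS_ERR() check, so a failure there would have put an error pointer with FDPUT_FPUT set into real->word. Consider adding one sentence to the changelog saying that reusing the checked `f` removes that unchecked path as well, since it is the failure mode the earlier proposed patch in this thread was trying to address. The code change itself is consistent with the context lines: `f` is assigned once, tested, and then used.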