| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Jul 2011 12:19:55 +0200
From: Miklos Szeredi <miklos@...redi.hu>
To: "J. Bruce Fields" <bfields@...ldses.org>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
akpm@...ux-foundation.org, torvalds@...ux-foundation.org,
stable@...nel.org
Subject: Re: [PATCH] fs: fix lock initialization
"J. Bruce Fields" <bfields@...ldses.org> writes:
> On Wed, Jul 06, 2011 at 12:33:55PM +0200, Miklos Szeredi wrote:
>> From: Miklos Szeredi <mszeredi@...e.cz>
>>
>> locks_alloc_lock() assumed that the allocated struct file_lock is
>> already initialized to zero members. This is only true for the first
>> allocation of the structure, after reuse some of the members will have
>> random values.
>>
>> This will for example result in passing random fl_start values to
>> userspace in fuse for FL_FLOCK locks, which is an information leak at
>> best.
>>
>> Fix by reinitializing those members which may be non-zero after freeing.
>
> Could you also just get rid of init_once() while you're at it?
Sure. Updated patch below.
Thanks,
Miklos
----
Subject: fs: fix lock initialization
From: Miklos Szeredi <mszeredi@...e.cz>
locks_alloc_lock() assumed that the allocated struct file_lock is
already initialized to zero members. This is only true for the first
allocation of the structure, after reuse some of the members will have
random values.
This will for example result in passing random fl_start values to
userspace in fuse for FL_FLOCK locks, which is an information leak at
best.
Remove SLAB initialization entirely, as suggested by Bruce and Linus.
Allocate with __GFP_ZERO instead and only initilaize list heads.
Signed-off-by: Miklos Szeredi <mszeredi@...e.cz>
CC: stable@...nel.org
---
fs/locks.c | 45 +++++++++++++++++----------------------------
1 file changed, 17 insertions(+), 28 deletions(-)
Index: linux-2.6/fs/locks.c
===================================================================
--- linux-2.6.orig/fs/locks.c 2011-07-06 12:21:33.000000000 +0200
+++ linux-2.6/fs/locks.c 2011-07-07 12:15:19.000000000 +0200
@@ -160,10 +160,22 @@ EXPORT_SYMBOL_GPL(unlock_flocks);
static struct kmem_cache *filelock_cache __read_mostly;
+static void locks_init_lock_heads(struct file_lock *fl)
+{
+ INIT_LIST_HEAD(&fl->fl_link);
+ INIT_LIST_HEAD(&fl->fl_block);
+ init_waitqueue_head(&fl->fl_wait);
+}
+
/* Allocate an empty lock structure. */
struct file_lock *locks_alloc_lock(void)
{
- return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
+ struct file_lock *fl = kmem_cache_zalloc(filelock_cache, GFP_KERNEL);
+
+ if (fl)
+ locks_init_lock_heads(fl);
+
+ return fl;
}
EXPORT_SYMBOL_GPL(locks_alloc_lock);
@@ -197,35 +209,12 @@ EXPORT_SYMBOL(locks_free_lock);
void locks_init_lock(struct file_lock *fl)
{
- INIT_LIST_HEAD(&fl->fl_link);
- INIT_LIST_HEAD(&fl->fl_block);
- init_waitqueue_head(&fl->fl_wait);
- fl->fl_next = NULL;
- fl->fl_fasync = NULL;
- fl->fl_owner = NULL;
- fl->fl_pid = 0;
- fl->fl_nspid = NULL;
- fl->fl_file = NULL;
- fl->fl_flags = 0;
- fl->fl_type = 0;
- fl->fl_start = fl->fl_end = 0;
- fl->fl_ops = NULL;
- fl->fl_lmops = NULL;
+ memset(fl, 0, sizeof(struct file_lock));
+ locks_init_lock_heads(fl);
}
EXPORT_SYMBOL(locks_init_lock);
-/*
- * Initialises the fields of the file lock which are invariant for
- * free file_locks.
- */
-static void init_once(void *foo)
-{
- struct file_lock *lock = (struct file_lock *) foo;
-
- locks_init_lock(lock);
-}
-
static void locks_copy_private(struct file_lock *new, struct file_lock *fl)
{
if (fl->fl_ops) {
@@ -2323,8 +2312,8 @@ EXPORT_SYMBOL(lock_may_write);
static int __init filelock_init(void)
{
filelock_cache = kmem_cache_create("file_lock_cache",
- sizeof(struct file_lock), 0, SLAB_PANIC,
- init_once);
+ sizeof(struct file_lock), 0, SLAB_PANIC, NULL);
+
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists