| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120705224251.GH3051@fieldses.org>
Date: Thu, 5 Jul 2012 18:42:51 -0400
From: "J. Bruce Fields" <bfields@...ldses.org>
To: Filipe Brandenburger <filbranden@...il.com>
Cc: Al Viro <viro@...iv.linux.org.uk>, Matthew Wilcox <matthew@....cx>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/1] locks: prevent side-effects of
locks_release_private before file_lock is initialized
On Tue, Jun 26, 2012 at 09:50:48PM -0400, Filipe Brandenburger wrote:
> When calling fcntl(F_SETLEASE) for a second time on the same file descriptor,
> do_fcntl_add_lease will allocate and initialize a new file_lock to pass to
> __vfs_setlease. If that function decides to reuse the existing file_lock, it
> will free the newly allocated one to prevent leaking memory.
>
> However, the newly allocate file_lock was initialized with a valid file
> descriptor pointer and fl_lmops that contains a lm_release_private function,
> so calling locks_free_lock will trigger a call to lease_release_private_callback
> which will clear the fcntl(F_SETOWN) and fcntl(F_SETSIG) settings for the file
> descriptor even though the lease is not really being cleared at that point (as
> only the temporary file_lock is being freed.)
>
> This patch will fix this bug by calling kmem_cache_free directly instead of
> locks_free_lock if the file_lock will not be used. This will end up avoiding
> the call to lease_release_private_callback.
>
> This bug was tracked in kernel.org Bugzilla database:
> https://bugzilla.kernel.org/show_bug.cgi?id=43336
>
> Signed-off-by: Filipe Brandenburger <filbranden@...il.com>
> ---
> fs/locks.c | 22 +++++++++++++++++-----
> 1 files changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/fs/locks.c b/fs/locks.c
> index 814c51d..2a751d8 100644
> --- a/fs/locks.c
> +++ b/fs/locks.c
> @@ -473,7 +473,10 @@ static struct file_lock *lease_alloc(struct file *filp, int type)
>
> error = lease_init(filp, type, fl);
> if (error) {
> - locks_free_lock(fl);
> + /* Free the lock by hand instead of calling locks_free_lock
> + * to prevent the call back to lease_release_private_callback
> + */
> + kmem_cache_free(filelock_cache, fl);
> return ERR_PTR(error);
> }
> return fl;
> @@ -1538,19 +1541,28 @@ static int do_fcntl_add_lease(unsigned int fd, struct file *filp, long arg)
>
> new = fasync_alloc();
> if (!new) {
> - locks_free_lock(fl);
> + /* Free the lock by hand instead of calling locks_free_lock
> + * to prevent the call back to lease_release_private_callback
> + */
> + kmem_cache_free(filelock_cache, fl);
> return -ENOMEM;
> }
> ret = fl;
> lock_flocks();
> error = __vfs_setlease(filp, arg, &ret);
> + if (error || ret != fl)
> + /*
> + * Free the lock by hand instead of calling locks_free_lock
> + * to prevent the call back to lease_release_private_callback
> + * which will unset F_SETOWN and F_SETSIG for the file
> + * descriptor but that is not wanted as the lease was not
> + * really in use.
> + */
> + kmem_cache_free(filelock_cache, fl);
Ugh, and now we end up with essentially the same comment in 3 different
places. So maybe marking the lock somehow *was* the better idea.
--b.
> if (error) {
> unlock_flocks();
> - locks_free_lock(fl);
> goto out_free_fasync;
> }
> - if (ret != fl)
> - locks_free_lock(fl);
>
> /*
> * fasync_insert_entry() returns the old entry if any.
> --
> 1.7.7.6
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists