| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181005225705.GA2548@thunk.org>
Date: Fri, 5 Oct 2018 18:57:05 -0400
From: "Theodore Y. Ts'o" <tytso@....edu>
To: Jan Kara <jack@...e.cz>
Cc: linux-ext4@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] jbd2: Fix use after free in jbd2_log_do_checkpoint()
On Thu, Oct 04, 2018 at 12:46:40PM +0200, Jan Kara wrote:
> The code cleaning transaction's lists of checkpoint buffers has a bug
> where it increases bh refcount only after releasing
> journal->j_list_lock. Thus the following race is possible:
>
> CPU0 CPU1
> jbd2_log_do_checkpoint()
> jbd2_journal_try_to_free_buffers()
> __journal_try_to_free_buffer(bh)
> ...
> while (transaction->t_checkpoint_io_list)
> ...
> if (buffer_locked(bh)) {
>
> <-- IO completes now, buffer gets unlocked -->
>
> spin_unlock(&journal->j_list_lock);
> spin_lock(&journal->j_list_lock);
> __jbd2_journal_remove_checkpoint(jh);
> spin_unlock(&journal->j_list_lock);
> try_to_free_buffers(page);
> get_bh(bh) <-- accesses freed bh
>
> Fix the problem by grabbing bh reference before unlocking
> journal->j_list_lock.
>
> Fixes: dc6e8d669cf5cb3ff84707c372c0a2a8a5e80845
> Fixes: be1158cc615fd723552f0d9912087423c7cadda5
> Reported-by: syzbot+7f4a27091759e2fe7453@...kaller.appspotmail.com
> CC: stable@...r.kernel.org
> Signed-off-by: Jan Kara <jack@...e.cz>
Applied, thanks (with the Fixes field adjusted).
- Ted
Powered by blists - more mailing lists