lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20190425154849.GA4739@mit.edu>
Date:   Thu, 25 Apr 2019 11:48:49 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     Jan Kara <jack@...e.cz>
Cc:     Pan Bian <bianpan2016@....com>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: ext4: avoid drop reference to iloc.bh twice

On Thu, Apr 18, 2019 at 02:35:19PM +0200, Jan Kara wrote:
> On Thu 18-04-19 16:31:18, Pan Bian wrote:
> > The reference to iloc.bh has been dropped in ext4_mark_iloc_dirty.
> > However, the reference is dropped again if error occurs during
> > ext4_handle_dirty_metadata, which may result in use-after-free bugs.
> > 
> > Fixes: fb265c9cb49e("ext4: add ext4_sb_bread() to disambiguate ENOMEM
> > cases")
> > 
> > Signed-off-by: Pan Bian <bianpan2016@....com>
> 
> Thanks for the patch! Good spotting. You can add:
> 
> Reviewed-by: Jan Kara <jack@...e.cz>

Applied, thanks.

> I'm just wondering: Ted, shouldn't we make ext4_mark_iloc_dirty() clear the
> iloc.bh pointer on it's own? I believe this is not the first time we had a
> bug like this and it would also catch possible use-after-free issues in
> case someone tried to use iloc.bh after the reference has been dropped.
> 
> Generally the scheme around ext4_get_inode_loc() and
> ext4_mark_iloc_dirty() seems to be somewhat error prone. E.g. a quick audit
> shows that there's bh leak in ext4_orphan_del() in one of the error paths.
> I'll send patches.

Good suggestion!

I agree, the interface is error-prone.  Clearing inode.bh afterwards
makes sense.

After we do this, we should also scan the call sites, since there are
some places where we have been calling get_bh(iloc.bh) before-hand, so
that the brelse(iloc.bh) in the cleanup path will work.  Other call
paths add iloc.bh = NULL afterwards so that the brelse() will work
correctly.  So we'll be able to clean up all of this afterwards.

		       	     	     - Ted

Powered by blists - more mailing lists