lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190425154849.GA4739@mit.edu> Date: Thu, 25 Apr 2019 11:48:49 -0400 From: "Theodore Ts'o" <tytso@....edu> To: Jan Kara <jack@...e.cz> Cc: Pan Bian <bianpan2016@....com>, Andreas Dilger <adilger.kernel@...ger.ca>, linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: ext4: avoid drop reference to iloc.bh twice On Thu, Apr 18, 2019 at 02:35:19PM +0200, Jan Kara wrote: > On Thu 18-04-19 16:31:18, Pan Bian wrote: > > The reference to iloc.bh has been dropped in ext4_mark_iloc_dirty. > > However, the reference is dropped again if error occurs during > > ext4_handle_dirty_metadata, which may result in use-after-free bugs. > > > > Fixes: fb265c9cb49e("ext4: add ext4_sb_bread() to disambiguate ENOMEM > > cases") > > > > Signed-off-by: Pan Bian <bianpan2016@....com> > > Thanks for the patch! Good spotting. You can add: > > Reviewed-by: Jan Kara <jack@...e.cz> Applied, thanks. > I'm just wondering: Ted, shouldn't we make ext4_mark_iloc_dirty() clear the > iloc.bh pointer on it's own? I believe this is not the first time we had a > bug like this and it would also catch possible use-after-free issues in > case someone tried to use iloc.bh after the reference has been dropped. > > Generally the scheme around ext4_get_inode_loc() and > ext4_mark_iloc_dirty() seems to be somewhat error prone. E.g. a quick audit > shows that there's bh leak in ext4_orphan_del() in one of the error paths. > I'll send patches. Good suggestion! I agree, the interface is error-prone. Clearing inode.bh afterwards makes sense. After we do this, we should also scan the call sites, since there are some places where we have been calling get_bh(iloc.bh) before-hand, so that the brelse(iloc.bh) in the cleanup path will work. Other call paths add iloc.bh = NULL afterwards so that the brelse() will work correctly. So we'll be able to clean up all of this afterwards. - Ted
Powered by blists - more mailing lists