lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20190511020159.GF2534@mit.edu>
Date:   Fri, 10 May 2019 22:01:59 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     Sahitya Tummala <stummala@...eaurora.org>
Cc:     Andreas Dilger <adilger.kernel@...ger.ca>,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] ext4: fix use-after-free in dx_release()

On Wed, May 08, 2019 at 02:04:03PM +0530, Sahitya Tummala wrote:
> The buffer_head (frames[0].bh) and it's corresping page can be
> potentially free'd once brelse() is done inside the for loop
> but before the for loop exits in dx_release(). It can be free'd
> in another context, when the page cache is flushed via
> drop_caches_sysctl_handler(). This results into below data abort
> when accessing info->indirect_levels in dx_release().
> 
> Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
> Call trace:
>  dx_release+0x70/0x90
>  ext4_htree_fill_tree+0x2d4/0x300
>  ext4_readdir+0x244/0x6f8
>  iterate_dir+0xbc/0x160
>  SyS_getdents64+0x94/0x174
> 
> Signed-off-by: Sahitya Tummala <stummala@...eaurora.org>

Nice catch.  Thanks, applied.

					- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ