| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200312102002.GA6585@athena.bobrowski.net>
Date: Thu, 12 Mar 2020 21:20:02 +1100
From: Matthew Bobrowski <mbobrowski@...browski.org>
To: David Howells <dhowells@...hat.com>
Cc: jack@...e.cz, linux-ext4@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: Is ext4_dio_read_iter() broken?
On Thu, Mar 12, 2020 at 09:19:39AM +0000, David Howells wrote:
> Hi Matthew,
>
> Is ext4_dio_read_iter() broken? It calls:
>
> file_accessed(iocb->ki_filp);
>
> at the end of the function - but surely iocb should be expected to have been
> freed when iocb->ki_complete() was called?
>
> In my cachefiles rewrite, I'm seeing the attached kasan dump. The offending
> RIP, ext4_file_read_iter+0x12b is at the above line, where it is trying to
> read iocb->ki_filp.
>
> Here's an excerpt of the relevant bits from my code:
>
> static void cachefiles_read_complete(struct kiocb *iocb, long ret, long ret2)
> {
> struct cachefiles_kiocb *ki =
> container_of(iocb, struct cachefiles_kiocb, iocb);
> struct fscache_io_request *req = ki->req;
> ...
> fput(ki->iocb.ki_filp);
> kfree(ki);
> fscache_end_io_operation(req->cookie);
> ...
> }
I'm not exactly sure what you're rewriting, although from this excerpt
the way that this is implemented would sure cause the UAF in
ext4_dio_read_iter().
I don't forsee any issues with calling file_accessed(iocb->ki_filp);
prior to calling into the iomap infrastructure, unless I'm totally
missing something obvious...
/M
Powered by blists - more mailing lists