| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Mar 2021 23:24:23 +0800
From: Zhang Yi <yi.zhang@...wei.com>
To: Jan Kara <jack@...e.cz>
CC: "Theodore Y. Ts'o" <tytso@....edu>,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
yangerkun <yangerkun@...wei.com>
Subject: [BUG && Question] question of SB_ACTIVE flag in ext4_orphan_cleanup()
Hi, Jan.
We find a use after free problem when CONFIG_QUOTA is enabled, the detail of
this problem is below.
mount_bdev()
ext4_fill_super()
sb->s_root = d_make_root(root);
ext4_orphan_cleanup()
sb->s_flags |= SB_ACTIVE; <--- 1. mark sb active
ext4_orphan_get()
ext4_truncate()
ext4_block_truncate_page()
mark_buffer_dirty <--- 2. dirty inode
iput()
iput_final <--- 3. put into lru list
ext4_mark_recovery_complete <--- 4. failed and return error
sb->s_root = NULL;
deactivate_locked_super()
kill_block_super()
generic_shutdown_super()
<--- 5. did not evict_inodes
put_super()
__put_super()
<--- 6. put super block
Because of the truncated inodes was dirty and will write them back later, it
will trigger use after free problem. Now the question is why we need to set
SB_ACTIVE bit when enable CONFIG_QUOTA below?
#ifdef CONFIG_QUOTA
/* Needed for iput() to work correctly and not trash data */
sb->s_flags |= SB_ACTIVE;
This code was merged long long ago in v2.6.6, IIUC, it may not affect
the quota statistics it we evict inode directly in the last iput.
In order to slove this UAF problem, I'm not sure is there any side effect
if we just remove this code, or remove SB_ACTIVE and call evict_inodes()
in the error path of ext4_fill_super().
Could you give some suggestions?
Thanks,
Yi.
Powered by blists - more mailing lists