lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8a6864dd-7e6c-5268-2b5b-1010f99d2a1b@huawei.com>
Date:   Mon, 22 Mar 2021 23:24:23 +0800
From:   Zhang Yi <yi.zhang@...wei.com>
To:     Jan Kara <jack@...e.cz>
CC:     "Theodore Y. Ts'o" <tytso@....edu>,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        yangerkun <yangerkun@...wei.com>
Subject: [BUG && Question] question of SB_ACTIVE flag in ext4_orphan_cleanup()

Hi, Jan.

We find a use after free problem when CONFIG_QUOTA is enabled, the detail of
this problem is below.

mount_bdev()
	ext4_fill_super()
		sb->s_root = d_make_root(root);
		ext4_orphan_cleanup()
			sb->s_flags |= SB_ACTIVE; <--- 1. mark sb active
			ext4_orphan_get()
			ext4_truncate()
				ext4_block_truncate_page()
					mark_buffer_dirty <--- 2. dirty inode
			iput()
				iput_final  <--- 3. put into lru list
		ext4_mark_recovery_complete  <--- 4. failed and return error
		sb->s_root = NULL;
	deactivate_locked_super()
		kill_block_super()
			generic_shutdown_super()
				<--- 5. did not evict_inodes
		put_super()
			__put_super()
				<--- 6. put super block

Because of the truncated inodes was dirty and will write them back later, it
will trigger use after free problem. Now the question is why we need to set
SB_ACTIVE bit when enable CONFIG_QUOTA below?

  #ifdef CONFIG_QUOTA
          /* Needed for iput() to work correctly and not trash data */
          sb->s_flags |= SB_ACTIVE;

This code was merged long long ago in v2.6.6, IIUC, it may not affect
the quota statistics it we evict inode directly in the last iput.
In order to slove this UAF problem, I'm not sure is there any side effect
if we just remove this code, or remove SB_ACTIVE and call evict_inodes()
in the error path of ext4_fill_super().

Could you give some suggestions?

Thanks,
Yi.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ