| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Mar 2021 17:20:35 +0800
From: Zhang Yi <yi.zhang@...wei.com>
To: Jan Kara <jack@...e.cz>
CC: "Theodore Y. Ts'o" <tytso@....edu>,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
yangerkun <yangerkun@...wei.com>, <linfeilong@...wei.com>
Subject: Re: [BUG && Question] question of SB_ACTIVE flag in
ext4_orphan_cleanup()
On 2021/3/23 1:25, Jan Kara wrote:
> Hi!
>
> On Mon 22-03-21 23:24:23, Zhang Yi wrote:
>> We find a use after free problem when CONFIG_QUOTA is enabled, the detail of
>> this problem is below.
>>
>> mount_bdev()
>> ext4_fill_super()
>> sb->s_root = d_make_root(root);
>> ext4_orphan_cleanup()
>> sb->s_flags |= SB_ACTIVE; <--- 1. mark sb active
>> ext4_orphan_get()
>> ext4_truncate()
>> ext4_block_truncate_page()
>> mark_buffer_dirty <--- 2. dirty inode
>> iput()
>> iput_final <--- 3. put into lru list
>> ext4_mark_recovery_complete <--- 4. failed and return error
>> sb->s_root = NULL;
>> deactivate_locked_super()
>> kill_block_super()
>> generic_shutdown_super()
>> <--- 5. did not evict_inodes
>> put_super()
>> __put_super()
>> <--- 6. put super block
>>
>> Because of the truncated inodes was dirty and will write them back later, it
>> will trigger use after free problem. Now the question is why we need to set
>> SB_ACTIVE bit when enable CONFIG_QUOTA below?
>>
>> #ifdef CONFIG_QUOTA
>> /* Needed for iput() to work correctly and not trash data */
>> sb->s_flags |= SB_ACTIVE;
>>
>> This code was merged long long ago in v2.6.6, IIUC, it may not affect
>> the quota statistics it we evict inode directly in the last iput.
>> In order to slove this UAF problem, I'm not sure is there any side effect
>> if we just remove this code, or remove SB_ACTIVE and call evict_inodes()
>> in the error path of ext4_fill_super().
>>
>> Could you give some suggestions?
>
> That's a very good question. I do remember that I've added this code back
> then because otherwise orphan cleanup was loosing updates to quota files.
> But you're right that now I don't see how that could be happening and it
> would be nice if we could get rid of this hack (and even better if it also
> fixes the problem you've found). I guess I'll just try and test this change
> with various quota configurations to see whether something still breaks or
> not. Thanks report!
>
Thanks for taking time to look at this, is this change OK under your various
quota test cases?
Thanks,
Yi.
Powered by blists - more mailing lists