| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Dec 2022 15:22:00 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: Tudor Ambarus <tudor.ambarus@...aro.org>
Cc: Eric Biggers <ebiggers@...nel.org>, adilger.kernel@...ger.ca,
linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
joneslee@...gle.com,
syzbot+0827b4b52b5ebf65f219@...kaller.appspotmail.com,
stable@...r.kernel.org
Subject: Re: [PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent
On Fri, Dec 30, 2022 at 01:42:45PM +0200, Tudor Ambarus wrote:
> > This is (incompletely) validating the extent header in the inode. Isn't that
> > supposed to happen when the inode is loaded? See how __ext4_iget() calls
> > ext4_ext_check_inode(). Why isn't that working here?
> >
>
> Seems that __ext4_iget() is not called on writes. You can find below the
> sequence of calls that leads to the bug. The debug was done on v6.2-rc1.
> I assume the extents check is no longer done on writes since
> commit 7a262f7c69163cd4811f2f838faef5c5b18439c9. The commit doesn't
> specify the reason though.
Commit 7a262f7c6916 no longer does the check if the inode is already
in memory (which is the case when there is an open file descriptor).
That's because it should have been checked when it was first read into
memory.
So the the question is, did the inode get corrupted somehow after it
was read in from disk? If so that's the real problem, and that's what
needs to be root caused and fixed. It's not sufficient to just to
make the syzbot reproducer only longer reproduce. The question is
understanding what is fundamentally going on and fixing the real root
problem.
Regards,
- Ted
Powered by blists - more mailing lists