lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <bug-219254-13602@https.bugzilla.kernel.org/>
Date: Mon, 09 Sep 2024 18:05:21 +0000
From: bugzilla-daemon@...nel.org
To: linux-ext4@...r.kernel.org
Subject: [Bug 219254] New: Missing memory barrier in __ext4_remount for
 checking ext4_forced_shutdown

https://bugzilla.kernel.org/show_bug.cgi?id=219254

            Bug ID: 219254
           Summary: Missing memory barrier in __ext4_remount for checking
                    ext4_forced_shutdown
           Product: File System
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: fanqi.yu@...umbia.edu
        Regression: No

Hi,

In other places of the kernel, accesses to SB_RDONLY and EXT4_FLAGS_SHUTDOWN
are ordered by smp_wmb() for writes and smp_rmb() for reads:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4418e14112e3ca85e8492a4489a3552b0cc526a8

There seems to be a missing smp_rmb() here between sb_rdonly(sb) and
ext4_forced_shutdown(sb):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/ext4/super.c?h=v6.11-rc7#n6506

The affected scenario:
Normally a remount-ro-after-error file system would not be able to be remounted
as rw again because the ext4_forced_shutdown(sb) check will return -EROFS. On a
relaxed memory architecture, it is possible to see ext4_forced_shutdown(sb) as
false despite sb_rdonly(sb) being true (i.e. the write to EXT4_FLAGS_SHUTDOWN
not being propagated in time to the reader). __ext4_remount therefore misses
the shutdown check and can remount the fs as rw without giving any errors.

I am not sure about the severity of this but it is probably something hard to
find otherwise so I thought it might be useful to share it here and see what
you guys think.

Thank you very much for your time!

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

Powered by blists - more mailing lists