lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110706182154.GB31214@fieldses.org>
Date:	Wed, 6 Jul 2011 14:21:54 -0400
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	Miklos Szeredi <miklos@...redi.hu>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	akpm@...ux-foundation.org, torvalds@...ux-foundation.org,
	stable@...nel.org
Subject: Re: [PATCH] fs: fix lock initialization

On Wed, Jul 06, 2011 at 12:33:55PM +0200, Miklos Szeredi wrote:
> From: Miklos Szeredi <mszeredi@...e.cz>
> 
> locks_alloc_lock() assumed that the allocated struct file_lock is
> already initialized to zero members.  This is only true for the first
> allocation of the structure, after reuse some of the members will have
> random values.
> 
> This will for example result in passing random fl_start values to
> userspace in fuse for FL_FLOCK locks, which is an information leak at
> best.
> 
> Fix by reinitializing those members which may be non-zero after freeing.

Could you also just get rid of init_once() while you're at it?

--b.

> 
> Signed-off-by: Miklos Szeredi <mszeredi@...e.cz>
> CC: stable@...nel.org
> ---
>  fs/locks.c |   30 ++++++++++++++++++++----------
>  1 file changed, 20 insertions(+), 10 deletions(-)
> 
> Index: linux-2.6/fs/locks.c
> ===================================================================
> --- linux-2.6.orig/fs/locks.c	2011-07-04 17:06:01.000000000 +0200
> +++ linux-2.6/fs/locks.c	2011-07-04 17:06:04.000000000 +0200
> @@ -160,10 +160,28 @@ EXPORT_SYMBOL_GPL(unlock_flocks);
>  
>  static struct kmem_cache *filelock_cache __read_mostly;
>  
> +static void locks_init_lock_always(struct file_lock *fl)
> +{
> +	fl->fl_next = NULL;
> +	fl->fl_fasync = NULL;
> +	fl->fl_owner = NULL;
> +	fl->fl_pid = 0;
> +	fl->fl_nspid = NULL;
> +	fl->fl_file = NULL;
> +	fl->fl_flags = 0;
> +	fl->fl_type = 0;
> +	fl->fl_start = fl->fl_end = 0;
> +}
> +
>  /* Allocate an empty lock structure. */
>  struct file_lock *locks_alloc_lock(void)
>  {
> -	return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
> +	struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
> +
> +	if (fl)
> +		locks_init_lock_always(fl);
> +
> +	return fl;
>  }
>  EXPORT_SYMBOL_GPL(locks_alloc_lock);
>  
> @@ -200,17 +218,9 @@ void locks_init_lock(struct file_lock *f
>  	INIT_LIST_HEAD(&fl->fl_link);
>  	INIT_LIST_HEAD(&fl->fl_block);
>  	init_waitqueue_head(&fl->fl_wait);
> -	fl->fl_next = NULL;
> -	fl->fl_fasync = NULL;
> -	fl->fl_owner = NULL;
> -	fl->fl_pid = 0;
> -	fl->fl_nspid = NULL;
> -	fl->fl_file = NULL;
> -	fl->fl_flags = 0;
> -	fl->fl_type = 0;
> -	fl->fl_start = fl->fl_end = 0;
>  	fl->fl_ops = NULL;
>  	fl->fl_lmops = NULL;
> +	locks_init_lock_always(fl);
>  }
>  
>  EXPORT_SYMBOL(locks_init_lock);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ