lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 7 Oct 2014 18:46:31 -0500
From:	Tyler Hicks <tyhicks@...onical.com>
To:	Priya Bansal <p.bansal@...sung.com>
Cc:	ecryptfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] NULL pointer dereference in ecryptfs (ecryptfs_setxattr)

Hi Priya - Thanks for the report and patch. I have some inline comments.

On 2014-09-24 06:58:01, Priya Bansal wrote:
> This patch fixes the issue which was found in
>  ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
>  is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
>  crashes. the reason being the function fsstack_copy_attr_all was trying to
>  access dentry->d_inode which was null hence the kernel crashes with NULL
>  pointer dereference. Now a check has been applied which prevents such
>  condition.
> 
> From 74856445756aba18f98aa5b98ad46e7d98f54737 Mon Sep 17 00:00:00 2001
> From: Priya Bansal <p.bansal@...sung.com>
> Date: Fri, 29 Aug 2014 10:27:27 +0530
> Subject: [PATCH] Fix in ecryptfs_setxattr for NULL check before calling
>  fsstack_copy_attr_all. This patch fixes the issue which was found in
>  ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
>  is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
>  crashes. the reason being the function fsstack_copy_attr_all was trying to
>  access dentry->d_inode which was null hence the kernel crashes with NULL
>  pointer dereference. Now a check has been applied which prevents such
>  condition.
> Signed-off-by: Priya Bansal <p.bansal@...sung.com>

This commit message is poorly formatted. Have a look at the
"15) The canonical patch format" section of the
Documentation/SubmittingPatches file. It gives a nice description of how
the commit message should be formatted.

> ---
>  linux-3.16.1/fs/ecryptfs/inode.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
> diff --git a/linux-3.16.1/fs/ecryptfs/inode.c b/linux-3.16.1/fs/ecryptfs/inode.c
> index d4a9431..7da03e5 100644
> --- a/linux-3.16.1/fs/ecryptfs/inode.c
> +++ b/linux-3.16.1/fs/ecryptfs/inode.c
> @@ -1031,6 +1031,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
>  {
>   int rc = 0;
>   struct dentry *lower_dentry;
> + struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
> +  &ecryptfs_superblock_to_private(dentry->d_sb)->mount_crypt_stat;
>  
>   lower_dentry = ecryptfs_dentry_to_lower(dentry);
>   if (!lower_dentry->d_inode->i_op->setxattr) {
> @@ -1039,8 +1041,20 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
>   }
>  
>   rc = vfs_setxattr(lower_dentry, name, value, size, flags);
> - if (!rc)
> -  fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
> + if (!rc) {
> +  if (dentry->d_inode == NULL) {
> +   if (mount_crypt_stat->flags
> +     & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
> +    rc = -EPERM;
> +   else if (mount_crypt_stat->flags
> +     & ECRYPTFS_XATTR_METADATA_ENABLED)
> +    goto out;
> +  } else {
> +   fsstack_copy_attr_all(dentry->d_inode,
> +     lower_dentry->d_inode);
> +  }
> + }
> +
>  out:
>   return rc;
>  }
> -- 

I don't think this is the proper fix. It fixes the NULL pointer
dereference but ecryptfs_setxattr() shouldn't be reachable in encrypted
view mounts. There's a feeble attempt to prevent the modification of
files in ecryptfs_open() when encrypted view is in use but I think we
should force the MS_RDONLY flag on the superblock when the
ecryptfs_encrypted_view mount option is specified.

I'll follow this email up with a patch. I'd appreciate any review and/or
testing you can provide. Thanks!

Tyler

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists