lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170304193910.GG29622@ZenIV.linux.org.uk>
Date:   Sat, 4 Mar 2017 19:39:10 +0000
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: fs: use-after-free in path_lookupat

On Sat, Mar 04, 2017 at 03:59:36PM +0100, Dmitry Vyukov wrote:

> I am getting the following use-after-free reports while running
> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760 (but also
> happened on 6dc39c50e4aeb769c8ae06edf2b1a732f3490913 and
> c82be9d2244aacea9851c86f4fb74694c99cd874).

IOW, it's not fs/namei.c patches from this window...

>  unlazy_walk+0xf2/0x4b0 fs/namei.c:692

Could you post disassembly (e.g. from objdump -d) of your unlazy_walk()?
For the kernel the trace is from...

> r4 = memfd_create(&(0x7f0000013000)="2f6465762f6877726e6700", 0x0)
> name_to_handle_at(r4, &(0x7f0000003000-0x6)="2e2f62757300",
> &(0x7f0000003000-0xd)={0xc, 0x0, "cd21"}, &(0x7f0000002000)=0x0,
> 0x1000)
> 
> What's strange is that dirfd passed to name_to_handle_at is memfd
> handle (sic). And path lookup somehow does not fail early on this.
> Does it make any sense?

It doesn't, but is that the triggering call of name_to_handle_at(), or do you
have it called elsewhere?

FWIW, no LOOKUP_ROOT in filename_lookup() flags + NULL root + dfd not
equal to AT_FDCWD + non-empty name should've ended up in
                        if (!d_can_lookup(dentry)) {
                                fdput(f);
                                return ERR_PTR(-ENOTDIR);
			}
in path_init() and it shouldn't have progressed any further.  And in case
of name_to_handle_at() we have user_path_at(dfd, name, lookup_flags, &path),
i.e. user_path_at_empty(dfd, name, lookup_flags, &path, NULL), i.e.
filename_lookup(dfd, getname_flags(name, lookup_flags, NULL), lookup_flags,
&path, NULL).  IOW, filename_lookup() is called with root equal to NULL,
dfd and name coming straight from userland and lookup_flags containing
nothing beyond LOOKUP_EMPTY and LOOKUP_FOLLOW...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ