lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 15 May 2017 16:20:05 +0200
From:   Richard Weinberger <richard@....at>
To:     linux-mtd@...ts.infradead.org
Cc:     linux-kernel@...r.kernel.org, adrian.hunter@...el.com,
        dedekind1@...il.com, Richard Weinberger <richard@....at>,
        stable@...r.kernel.org
Subject: [PATCH] ubifs: Fix inode leak in xattr code

UBIFS handles extended attributes just like files, as consequence of
that, they also have inodes.
Therefore UBIFS does all the inode machinery also for xattrs. Since new
inodes have i_nlink of 1, a file or xattr inode will be evicted
if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
for xattrs, which is not correct.
One can create a file "foo" with xattr "user.test". By reading
"user.test" an inode will be created, and by deleting "user.test" it
will get evicted later. The assumption breaks if the file "foo", which
hosts the xattrs, will be removed. VFS nor UBIFS does not remove each
xattr via ubifs_xattr_remove(), it just removes the host inode from
the TNC and all underlying xattr nodes too.
The inode will stay in the system with i_count=0, i_nlink=1 and
i_state=I_REFERENCED until UBIFS is umounted.

To solve this problem, set i_nlink for all xattr inodes to 0, such that
the iput() in the UBIFS xattr code makes the temporary inode vanish
immediately.

Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Cc: <stable@...r.kernel.org>
Signed-off-by: Richard Weinberger <richard@....at>
---
 fs/ubifs/xattr.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index efe00fcb8b75..7d23404d73dc 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -173,7 +173,7 @@ static int create_xattr(struct ubifs_info *c, struct inode *host,
 	mutex_unlock(&host_ui->ui_mutex);
 
 	ubifs_release_budget(c, &req);
-	insert_inode_hash(inode);
+	clear_nlink(inode);
 	iput(inode);
 	return 0;
 
@@ -272,8 +272,10 @@ static struct inode *iget_xattr(struct ubifs_info *c, ino_t inum)
 			  (int)PTR_ERR(inode));
 		return inode;
 	}
-	if (ubifs_inode(inode)->xattr)
+	if (ubifs_inode(inode)->xattr) {
+		clear_nlink(inode);
 		return inode;
+	}
 	ubifs_err(c, "corrupt extended attribute entry");
 	iput(inode);
 	return ERR_PTR(-EINVAL);
@@ -546,7 +548,6 @@ static int ubifs_xattr_remove(struct inode *host, const char *name)
 	}
 
 	ubifs_assert(inode->i_nlink == 1);
-	clear_nlink(inode);
 	err = remove_xattr(c, host, inode, &nm);
 	if (err)
 		set_nlink(inode, 1);
-- 
2.7.3

Powered by blists - more mailing lists