Date:   Wed, 31 May 2017 11:54:21 +0800
From:   "石祤" <linxiulei@...il.com>
To:     leilei.lin@...baba-inc.com, viro@...iv.linux.org.uk,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        zhiche.yy@...baba-inc.com
Subject: [PATCH 0/2] fsnotify: fix mem overwritten

From: "leilei.lin" <leilei.lin@...baba-inc.com>

A slub-allocated memory overwrite occurs when the fsnotify thread is copying
the dentry name and another rename thread changes the dentry name at the same
time.

These patches do the following:

1. A new copy_dname method is created, which copies file_name to newly allocated memory.
   The later patch (of 2) will use this method.

2. Use the new copy_dname method instead of using the pointer to dentry->name,
   which may be modified at any time.

We can use the script below to reproduce the overwritten warning:

```
#!/usr/bin/python3
# Stress test: many processes concurrently rename and rewrite one file.

import os
import random
import time
import string
import multiprocessing

WRITE_SIZE = 100
filename = "/watch/tdc_admin.LOG"
#filename = "/watch/tdc_admin.LOG.1234567890.1234567890.1234567890"

def file_op_process():
    for j in range(10):
        n = random.randrange(0, 10)
        tobe_wrote = "".join(random.sample(string.ascii_letters, 10))
        # Rename the file to a longer name; OSError means it was already moved.
        for i in range(n):
            try:
                os.rename(filename, filename + ".1123123123")
            except OSError:
                pass

        # Recreate the file under the original name and write to it.
        for i in range(n):
            with open(filename, "w+") as f:
                f.write(tobe_wrote * i * (1024 // 2))
                f.flush()


if __name__ == '__main__':
    process_list = []
    while True:
        # Start a batch of 100 workers on every pass.
        for i in range(100):
            p0 = multiprocessing.Process(target=file_op_process)
            p0.start()
            process_list.append(p0)

        #time.sleep(0.002)
        for p in process_list:
            if p.is_alive():
                p.join(0.01)
        # Keep only the workers that are still running.
        process_list = [p for p in process_list if p.is_alive()]

```

leilei.lin (2):
  fs/dcache.c: New copy_dname method
  fsnotify: use method copy_dname copying filename

 fs/dcache.c            | 36 ++++++++++++++++++++++++++++++++++++
 fs/notify/fsnotify.c   | 14 ++++++++++++--
 include/linux/dcache.h |  2 ++
 3 files changed, 50 insertions(+), 2 deletions(-)

-- 
2.8.4.31.g9ed660f
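
A single-threaded user-space model of the race the cover letter describes, added here as an illustration; it is not code from the patch series. `struct entry`, the hook and both function names are hypothetical, and the measure-then-copy sequence is an assumed way for such an overwrite to arise when the name is read through a shared pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a dentry whose name a rename can rewrite. */
struct entry { char name[64]; };
typedef void (*race_hook)(struct entry *);   /* models the rename thread */

static void rename_longer(struct entry *e) {
    strcpy(e->name, "tdc_admin.LOG.1123123123");  /* constructed sample name */
}

/* Racy pattern (assumed): size the buffer from the shared name, then read the
 * shared name again for the copy. Returns 1 when the second read no longer
 * fits the allocation. The copy is bounded so the demo never corrupts memory. */
int event_copy_racy(struct entry *e, race_hook hook) {
    size_t alloc = strlen(e->name) + 1;      /* first fetch: length */
    char *buf = malloc(alloc);
    if (!buf) return -1;
    if (hook) hook(e);                       /* rename lands between the fetches */
    size_t need = strlen(e->name) + 1;       /* what an unbounded copy would write */
    snprintf(buf, alloc, "%s", e->name);
    free(buf);
    return need > alloc;
}

/* Snapshot pattern: fetch the name once into private memory and use only that
 * copy. In a kernel the fetch itself must run under whatever excludes rename;
 * this model has no real concurrency, so the hook runs after the fetch. */
int event_copy_snapshot(struct entry *e, race_hook hook) {
    char snap[sizeof e->name];
    memcpy(snap, e->name, sizeof snap);      /* single fetch */
    snap[sizeof snap - 1] = '\0';
    size_t alloc = strlen(snap) + 1;
    char *buf = malloc(alloc);
    if (!buf) return -1;
    if (hook) hook(e);                       /* rename no longer affects the copy */
    size_t need = strlen(snap) + 1;
    memcpy(buf, snap, need);
    free(buf);
    return need > alloc;
}

int main(void) {
    struct entry a = { "tdc_admin.LOG" }, b = { "tdc_admin.LOG" };
    printf("racy overflow: %d\n", event_copy_racy(&a, rename_longer));
    printf("snapshot overflow: %d\n", event_copy_snapshot(&b, rename_longer));
    return 0;
}
```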
