lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20171115134144.GB13707@quack2.suse.cz>
Date:   Wed, 15 Nov 2017 14:41:44 +0100
From:   Jan Kara <jack@...e.cz>
To:     Shankara Pailoor <sp3485@...umbia.edu>
Cc:     LKML <linux-kernel@...r.kernel.org>, viro@...iv.linux.org.uk,
        linux-fsdevel@...r.kernel.org
Subject: Re: KASAN: use-after-free in move_expired_inodes

Hi,

On Tue 31-10-17 22:04:49, Shankara Pailoor wrote:
> I was unable to find a reproducer but I was looking at
> move_expired_inodes (fs/fs-writeback.c 1093.c) and how do you ensure
> that the inode can't be freed after retrieving it from the work queue?
> Any insights would be appreciated.

In move_expired_inodes() we hold wb->list_lock which protects the list
inode is in. fs/inode.c:evict() checks for inode being in the list and
removes it from the list blocking on the wb->list_lock as well. Granted
list_empty(&inode->i_io_list) is not protected by any lock so that check
*could* be somewhat stale but it cannot be older than e.g. time when
inode's refcount dropped to 0 at which point inode->i_io_list should be
already stable. But maybe flusher is shuffling inode between lists and
evict() saw some intermediate state. So far I don't see how that could
happen but maybe it could - will look more into that later...

								Honza

> On Tue, Oct 31, 2017 at 9:24 AM, Shankara Pailoor <sp3485@...umbia.edu> wrote:
> > Hi,
> >
> > We got the following error:
> >
> > BUG: KASAN: use-after-free in move_expired_inodes+0xce6/0xdf0
> > Write of size 8 at addr ffff8800a3a36bf8 by task kworker/u8:0/5
> >
> > while fuzzing with Syzkaller on 4.14-rc4 on x86_64. Included is the
> > trace of the crash along with the programs running around the time of
> > the crash.
> >
> > Programs can be found here: https://pastebin.com/RYGtNn3z
> >
> > Stack trace here: https://pastebin.com/SaJXWMg3
> >
> > We don't have a C reproducer but we will send one if we have it.
> >
> > Regards,
> > Shankara
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ