| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180806130147.GL15082@ZenIV.linux.org.uk>
Date: Mon, 6 Aug 2018 14:01:47 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: "Dae R. Jeong" <threeearcat@...il.com>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
byoungyoung@...due.edu, kt0755@...il.com, bammanag@...due.edu
Subject: Re: KASAN: use-after-free Read in link_path_walk
On Tue, Jul 24, 2018 at 06:17:26AM +0100, Al Viro wrote:
> Do we have LOOKUP_RCU in nd->flags at that point? And how in hell
> did we get that dentry there? In LOOKUP_RCU mode no freeing should
> be happening until after we call rcu_read_unlock(), unless the final
> dput() has happened before rcu_read_lock(). In which case we shouldn't
> have gotten to that dentry in the first place.
... except that we never set DCACHE_RCUACCESS for root dentry. Which
invalidates the normal "if we run into dentry in lazy mode, its memory
won't be freed until we drop rcu_read_lock"... d_make_root() definitely
needs to set DCACHE_RCUACCESS; whether it's all there is or you are
hitting something else is a separate question, of course...
> And in non-LOOKUP_RCU
> mode we are bloody well holding references to everything (vfsmount
> and dentry alike), so that deactivate_super() shouldn't have been
> called as long as we are holding that reference.
>
> Details, please. Ideally - how to reproduce that.
Is there any way to tell KASAN that we want a crashdump triggered?
That would've been really useful for post-mortems...
Powered by blists - more mailing lists