| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <153786915356.22029.14929917223689579717.stgit@localhost.localdomain>
Date: Tue, 25 Sep 2018 12:52:42 +0300
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: miklos@...redi.hu, dvyukov@...gle.com,
syzbot+4e975615ca01f2277bdd@...kaller.appspotmail.com,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
ktkhai@...tuozzo.com
Subject: [PATCH] fuse: Fix use-after-free in fuse_dev_do_write()
After we found req in request_find() and released the lock,
everything may happen with the req in parallel.
Keep it alive till we finish touch its memory.
Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com>
---
fs/fuse/dev.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 675caed3e655..c2af8042f176 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud,
/* Is it an interrupt reply? */
if (req->intr_unique == oh.unique) {
+ __fuse_get_request(req);
spin_unlock(&fpq->lock);
err = -EINVAL;
- if (nbytes != sizeof(struct fuse_out_header))
+ if (nbytes != sizeof(struct fuse_out_header)) {
+ fuse_put_request(fc, req);
goto err_finish;
+ }
if (oh.error == -ENOSYS)
fc->no_interrupt = 1;
else if (oh.error == -EAGAIN)
queue_interrupt(&fc->iq, req);
+ fuse_put_request(fc, req);
fuse_copy_finish(cs);
return nbytes;
Powered by blists - more mailing lists