lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0081e5c8083f5ed9f1c1e9b456739728@codeaurora.org>
Date:   Thu, 16 May 2019 18:27:53 +0530
From:   stummala@...eaurora.org
To:     Junxiao Bi <junxiao.bi@...cle.com>,
        Joel Becker <jlbec@...lplan.org>,
        Christoph Hellwig <hch@....de>,
        Al Viro <viro@...iv.linux.org.uk>,
        linux-kernel@...r.kernel.org, stummala@...eaurora.org
Subject: Re: [PATCH v2] configfs: Fix use-after-free when accessing
 sd->s_dentry

Hi Christoph, Al,

Can you please consider this patch for merging?

Thanks,
Sahitya.

On 2019-01-31 08:50, Sahitya Tummala wrote:
> Al,
> 
> Can we merge this patch, if there are no further comments?
> 
> Thanks,
> Sahitya.
> 
> On Thu, Jan 03, 2019 at 04:48:15PM +0530, Sahitya Tummala wrote:
>> In the vfs_statx() context, during path lookup, the dentry gets
>> added to sd->s_dentry via configfs_attach_attr(). In the end,
>> vfs_statx() kills the dentry by calling path_put(), which invokes
>> configfs_d_iput(). Ideally, this dentry must be removed from
>> sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result,
>> sd->s_dentry is holding reference to a stale dentry pointer whose
>> memory is already freed up. This results in use-after-free issue,
>> when this stale sd->s_dentry is accessed later in
>> configfs_readdir() path.
>> 
>> This issue can be easily reproduced, by running the LTP test case -
>> sh fs_racer_file_list.sh /config
>> (https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh)
>> 
>> Fixes: 76ae281f6307 ('configfs: fix race between dentry put and 
>> lookup')
>> Signed-off-by: Sahitya Tummala <stummala@...eaurora.org>
>> ---
>> v2:
>> - update comments relevant to the code.
>> 
>>  fs/configfs/dir.c | 9 ++++-----
>>  1 file changed, 4 insertions(+), 5 deletions(-)
>> 
>> diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
>> index 39843fa..f113101 100644
>> --- a/fs/configfs/dir.c
>> +++ b/fs/configfs/dir.c
>> @@ -58,15 +58,14 @@ static void configfs_d_iput(struct dentry * 
>> dentry,
>>  	if (sd) {
>>  		/* Coordinate with configfs_readdir */
>>  		spin_lock(&configfs_dirent_lock);
>> -		/* Coordinate with configfs_attach_attr where will increase
>> -		 * sd->s_count and update sd->s_dentry to new allocated one.
>> -		 * Only set sd->dentry to null when this dentry is the only
>> -		 * sd owner.
>> +		/*
>> +		 * Set sd->s_dentry to null only when this dentry is the
>> +		 * one that is going to be killed.
>>  		 * If not do so, configfs_d_iput may run just after
>>  		 * configfs_attach_attr and set sd->s_dentry to null
>>  		 * even it's still in use.
>>  		 */
>> -		if (atomic_read(&sd->s_count) <= 2)
>> +		if (sd->s_dentry == dentry)
>>  			sd->s_dentry = NULL;
>> 
>>  		spin_unlock(&configfs_dirent_lock);
>> --
>> Qualcomm India Private Limited, on behalf of Qualcomm Innovation 
>> Center, Inc.
>> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a 
>> Linux Foundation Collaborative Project.
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ