lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191004160219.GI26530@ZenIV.linux.org.uk>
Date:   Fri, 4 Oct 2019 17:02:19 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, Will Deacon <will@...nel.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Amir Goldstein <amir73il@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Varad Gautam <vrd@...zon.de>, stable@...r.kernel.org,
        Jan Glauber <jglauber@...vell.com>
Subject: Re: [PATCH] devpts: Fix NULL pointer dereference in dcache_readdir()

On Fri, Oct 04, 2019 at 05:25:28PM +0200, Christian Brauner wrote:
> On Fri, Oct 04, 2019 at 04:10:58PM +0100, Al Viro wrote:
> > On Fri, Oct 04, 2019 at 04:33:02PM +0200, Christian Brauner wrote:
> > > On Fri, Oct 04, 2019 at 03:27:48PM +0100, Al Viro wrote:
> > > > On Fri, Oct 04, 2019 at 04:05:03PM +0200, Christian Brauner wrote:
> > > > > From: Will Deacon <will@...nel.org>
> > > > > 
> > > > > Closing /dev/pts/ptmx removes the corresponding pty under /dev/pts/
> > > > > without synchronizing against concurrent path walkers. This can lead to
> > > > > 'dcache_readdir()' tripping over a 'struct dentry' with a NULL 'd_inode'
> > > > > field:
> > > > 
> > > > FWIW, vfs.git#fixes (or #next.dcache) ought to deal with that one.
> > > 
> > > Is it feasible to backport your changes? Or do we want to merge the one
> > > here first and backport?
> > 
> > I'm not sure.  The whole pile is backportable, all right (and the first commit
> 
> Ok. So here's what I propose: we'll merge this one as it seems an
> obvious fix to the problem and can easily be backported to stable
> kernels.
> Then you'll land your generic workaround alleviating callers from
> holding inode_lock(). Then I'll send a patch to remove the inode_lock()
> from devpts for master.
> If we see that your fix is fine to backport and has no performance
> impacts that you find unacceptable we backport it.

There's more than one bug here.
	* fucked up lockless traversals.  Affect anything that uses dcache_readdir()
	* devpts (and selinuxfs, while we are at it) running afoul of (implicit)
assumption by dcache_readdir() - that stuff won't get removed from under it
	* (possibly) cifs hitting the same on eviction by memory pressure alone
(no locked inodes anywhere in sight).  Possibly == if cifs IPC$ share happens to
show up non-empty (e.g. due to server playing silly buggers).
	* (possibly) cifs hitting *another* lovely issue - lookup in one subdirectory
of IPC$ root finding an alias for another subdirectory of said root, triggering
d_move() of dentry of the latter.  IF the name happens to be long enough to be
externally allocated and if dcache_readdir() on root is currently copying it to
userland, Bad Things(tm) will happen.  That one almost certainly depends upon the
server playing silly buggers and might or might not be possible.  I'm not familiar
enough with CIFS to tell.

The first 3 are dealt with by the first commit in that pile; the last one is
not.  devpts patch of yours would deal with a part of the second bug.
Performance regression comes with fixing the first one, which is also
quite real.  There might be a way to avoid that performance hit,
but it will be harder to backport.

FWIW, some discussion of that fun went in a thread shortly before the merge
window - look for "Possible FS race condition between iterate_dir and
d_alloc_parallel" on fsdevel.  Some of that went off-list, though...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ