lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191119220055.GC4495@amd>
Date:   Tue, 19 Nov 2019 23:00:55 +0100
From:   Pavel Machek <pavel@...x.de>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Al Viro <viro@...iv.linux.org.uk>
Subject: Re: [PATCH 4.19 025/422] ecryptfs_lookup_interpose():
 lower_dentry->d_inode is not stable

Hi!

> From: Al Viro <viro@...iv.linux.org.uk>
> 
> commit e72b9dd6a5f17d0fb51f16f8685f3004361e83d0 upstream.
> 
> lower_dentry can't go from positive to negative (we have it pinned),
> but it *can* go from negative to positive.  So fetching ->d_inode
> into a local variable, doing a blocking allocation, checking that
> now ->d_inode is non-NULL and feeding the value we'd fetched
> earlier to a function that won't accept NULL is not a good idea.
> 
> Cc: stable@...r.kernel.org
> --- a/fs/ecryptfs/inode.c
> +++ b/fs/ecryptfs/inode.c
> @@ -345,7 +345,15 @@ static struct dentry *ecryptfs_lookup_in
>  	dentry_info->lower_path.mnt = lower_mnt;
>  	dentry_info->lower_path.dentry = lower_dentry;
>  
> -	if (d_really_is_negative(lower_dentry)) {
> +	/*
> +	 * negative dentry can go positive under us here - its parent is not
> +	 * locked.  That's OK and that could happen just as we return from
> +	 * ecryptfs_lookup() anyway.  Just need to be careful and fetch
> +	 * ->d_inode only once - it's not stable here.
> +	 */
> +	lower_inode = READ_ONCE(lower_dentry->d_inode);

Should this use d_inode_rcu() function, to keep the abstraction
provided by the header file?

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ