Date:   Mon, 20 Jan 2020 07:45:58 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
Cc:     Pali Rohár <pali.rohar@...il.com>,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        "Theodore Y. Ts'o" <tytso@....edu>,
        Namjae Jeon <linkinjeon@...il.com>,
        Gabriel Krisman Bertazi <krisman@...labora.com>
Subject: Re: vfat: Broken case-insensitive support for UTF-8

On Mon, Jan 20, 2020 at 07:30:40AM +0000, Al Viro wrote:

> <checks ext4>
> Yup, that bug is there as well, all right.  Look:
> #ifdef CONFIG_UNICODE
> static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
>                           const char *str, const struct qstr *name)
> {
>         struct qstr qstr = {.name = str, .len = len };
>         struct inode *inode = dentry->d_parent->d_inode;
> 
>         if (!IS_CASEFOLDED(inode) || !EXT4_SB(inode->i_sb)->s_encoding) {
> 
> Guess what happens if your (lockless) call of ->d_compare() runs
> into the following sequence:
> CPU1:	ext4_d_compare() fetches ->d_parent
> CPU1:	takes a hardware interrupt
> CPU2:	dentry gets evicted by memory pressure; so is its parent, since
> it was the only thing that used to keep it pinned.  Eviction of the parent
> calls dentry_unlink_inode() on the parent, which zeroes its ->d_inode.
> CPU1:	comes back
> CPU1:	fetches parent's ->d_inode and gets NULL
> CPU1:	oopses on null pointer dereference.
> 
> It's not impossible to hit.  Note that e.g. vfat_cmpi() is not vulnerable
> to that problem - ->d_sb is stable and both the superblock and ->nls_io
> freeing is RCU-delayed.
> 
> I hadn't checked ->d_compare() instances for a while; somebody needs to
> do that again, by the look of it.  The above definitely is broken;
> no idea how many other instances had grown such bugs...

f2fs one also has the same bug.  Anyway, I'm going down right now, will
check the rest tomorrow morning...
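A userspace model of the hazard described above, as an added example that is not part of the message or of the kernel source. It mirrors the quoted ext4 pattern (dereference `->d_parent->d_inode` with no NULL check) beside a defensive variant that reads the parent pointer and its inode once each, takes the superblock from the dentry itself (which the message notes is stable), and treats a NULL parent inode as "not casefolded" so the comparison degrades to an exact match instead of a NULL dereference. The struct layouts, field names and the `buggy_compare`/`safe_compare` functions are simplified stand-ins, assumed for illustration, not the kernel's types or API.

```c
/* Added example: userspace model of a lockless ->d_compare() racing with
 * eviction of the parent dentry.  All types here are simplified stand-ins
 * for struct dentry / inode / super_block; nothing is kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct super_block { int casefold_supported; }; /* stand-in for s_encoding != NULL */
struct inode       { int casefolded; };         /* stand-in for IS_CASEFOLDED()    */
struct dentry {
    struct dentry      *d_parent;
    struct inode       *d_inode; /* zeroed when the dentry is evicted        */
    struct super_block *d_sb;    /* stable for the dentry's whole lifetime   */
};

/* Models dentry_unlink_inode() on an evicted parent: only ->d_inode goes. */
static void evict(struct dentry *d) { d->d_inode = NULL; }

/* Shared tail: 0 = names match, 1 = mismatch. */
static int compare_names(int casefold, const char *a, size_t alen,
                         const char *b, size_t blen)
{
    if (alen != blen)
        return 1;
    if (casefold)
        return strncasecmp(a, b, alen) != 0;
    return memcmp(a, b, alen) != 0;
}

/* Pattern from the quoted ext4 code: walks ->d_parent->d_inode and uses it
 * unconditionally.  With the parent evicted, dir is NULL and this crashes. */
int buggy_compare(const struct dentry *dentry, const char *a, const char *b)
{
    const struct inode *dir = dentry->d_parent->d_inode;
    int casefold = dir->casefolded && dentry->d_sb->casefold_supported;
    return compare_names(casefold, a, strlen(a), b, strlen(b));
}

/* Defensive pattern: one read of the parent pointer, one read of its inode,
 * NULL inode means "no casefolding", superblock comes from the dentry itself.
 * The lookup then falls back to an exact compare; in an RCU walk the caller's
 * seqcount check covers the staleness and retries. */
int safe_compare(const struct dentry *dentry, const char *a, const char *b)
{
    const struct dentry *parent = dentry->d_parent;  /* single read        */
    const struct inode *dir = parent->d_inode;       /* single read, maybe NULL */
    int casefold = dir != NULL && dir->casefolded &&
                   dentry->d_sb->casefold_supported;
    return compare_names(casefold, a, strlen(a), b, strlen(b));
}

/* Constructed tree: casefolded directory "parent" holding one child. */
static void build_tree(struct super_block *sb, struct inode *dir,
                       struct dentry *parent, struct dentry *child)
{
    sb->casefold_supported = 1;
    dir->casefolded = 1;
    parent->d_parent = NULL; parent->d_inode = dir;  parent->d_sb = sb;
    child->d_parent = parent; child->d_inode = NULL; child->d_sb = sb;
}

/* Interleaving from the message: compare runs with the parent still live. */
int compare_live(const char *a, const char *b, int use_safe)
{
    struct super_block sb; struct inode dir; struct dentry parent, child;
    build_tree(&sb, &dir, &parent, &child);
    return use_safe ? safe_compare(&child, a, b) : buggy_compare(&child, a, b);
}

/* Interleaving from the message: "CPU2" evicts the parent before "CPU1"
 * reads the parent's ->d_inode.  Only the safe variant is run here, because
 * the buggy one dereferences NULL at this point. */
int compare_after_eviction(const char *a, const char *b)
{
    struct super_block sb; struct inode dir; struct dentry parent, child;
    build_tree(&sb, &dir, &parent, &child);
    evict(&parent);                         /* CPU2: memory pressure        */
    return safe_compare(&child, a, b);      /* CPU1: resumes, no oops       */
}

int main(void)
{
    printf("live   Foo/foo (buggy): %d\n", compare_live("Foo", "foo", 0));
    printf("live   Foo/foo (safe):  %d\n", compare_live("Foo", "foo", 1));
    printf("evict  Foo/foo (safe):  %d\n", compare_after_eviction("Foo", "foo"));
    printf("evict  foo/foo (safe):  %d\n", compare_after_eviction("foo", "foo"));
    return 0;
}
```

After eviction the safe variant no longer matches "Foo" against "foo" (exact compare only), which is the acceptable outcome: a stale negative that the lookup path can retry, rather than a NULL dereference in an RCU-protected compare.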
