| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200201162645.GJ23230@ZenIV.linux.org.uk>
Date: Sat, 1 Feb 2020 16:26:45 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] fix do_last() regression
Brown paperbag time: fetching ->i_uid/->i_mode really should've been
done from nd->inode. I even suggested that, but the reason for that
has slipped through the cracks and I went for dir->d_inode instead -
made for more "obvious" patch.
Analysis:
at the entry into do_last() and all the way to step_into(): dir
(aka nd->path.dentry) is known not to have been freed; so's nd->inode
and it's equal to dir->d_inode unless we are already doomed to -ECHILD.
inode of the file to get opened is not known.
after step_into(): inode of the file to get opened is known;
dir might be pointing to freed memory/be negative/etc.
at the call of may_create_in_sticky(): guaranteed to be out of
RCU mode; inode of the file to get opened is known and pinned;
dir might be garbage.
The last was the reason for the original patch. Except that at the do_last()
entry we can be in RCU mode and it is possible that nd->path.dentry->d_inode
has already changed under us. In that case we are going to fail with -ECHILD,
but we need to be careful; nd->inode is pointing to valid struct inode and
it's the same as nd->path.dentry->d_inode in "won't fail with -ECHILD"
case, so we should use that.
Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@...ia.com>
Reported-by: syzbot+190005201ced78a74ad6@...kaller.appspotmail.com
Wearing-brown-paperbag: Al Viro <viro@...iv.linux.org.uk>
Cc: stable@...nel.org
Fixes: d0cb50185ae9 (do_last(): fetch directory ->i_mode and ->i_uid before it's too late)
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/fs/namei.c b/fs/namei.c
index 4167109297e0..db6565c99825 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3333,8 +3333,8 @@ static int do_last(struct nameidata *nd,
struct file *file, const struct open_flags *op)
{
struct dentry *dir = nd->path.dentry;
- kuid_t dir_uid = dir->d_inode->i_uid;
- umode_t dir_mode = dir->d_inode->i_mode;
+ kuid_t dir_uid = nd->inode->i_uid;
+ umode_t dir_mode = nd->inode->i_mode;
int open_flag = op->open_flag;
bool will_truncate = (open_flag & O_TRUNC) != 0;
bool got_write = false;
Powered by blists - more mailing lists