lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <C2554121-109E-450A-965F-B8DFE2B0E528@lca.pw>
Date:   Wed, 25 Mar 2020 15:43:06 -0400
From:   Qian Cai <cai@....pw>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: Null-ptr-deref due to "sanitized pathwalk machinery (v4)"



> On Mar 25, 2020, at 1:58 AM, Al Viro <viro@...iv.linux.org.uk> wrote:
> 
> On Wed, Mar 25, 2020 at 04:03:59AM +0000, Al Viro wrote:
> 
>> Lovely.  So
>> 	* we really do get NULL nd->path.dentry there; I've not misread the
>> trace.
>> 	* on the entry into link_path_walk() nd->path.dentry is non-NULL.
>> 	* *ALL* components should've been LAST_NORM ones
>> 	* not a single symlink in sight, unless the setup is rather unusual
>> 	* possibly not even a single mountpoint along the way (depending
>> upon the userland used)
> 
> OK, I see one place where that could occur, but I really don't see how that
> could be triggered on this pathname, short of very odd symlink layout in
> the filesystem on the testbox.  Does the following fix your reproducer?
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index 311e33dbac63..4082b70f32ff 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -1805,6 +1805,8 @@ static const char *handle_dots(struct nameidata *nd, int type)
> 			error = step_into(nd, WALK_NOFOLLOW,
> 					 parent, inode, seq);
> 		}
> +		if (unlikely(error))
> +			return ERR_PTR(error);
> 
> 		if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
> 			/*

Since that one has a compilation warning, I have tested this patch and seen no crash so far.

diff --git a/fs/namei.c b/fs/namei.c
index 311e33dbac63..73851acdbf3a 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1806,6 +1806,9 @@ static const char *handle_dots(struct nameidata *nd, int type)
                                         parent, inode, seq);
                }
 
+               if (unlikely(error))
+                       return error;
+
                if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
                        /*
                         * If there was a racing rename or mount along our

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ