lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200427025752.GA3979@hsiangkao-HP-ZHAN-66-Pro-G1>
Date:   Mon, 27 Apr 2020 10:58:02 +0800
From:   Gao Xiang <hsiangkao@....com>
To:     Dave Chinner <david@...morbit.com>
Cc:     Guoqing Jiang <guoqing.jiang@...ud.ionos.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        hch@...radead.org, willy@...radead.org,
        Mike Marshall <hubcap@...ibond.com>,
        Martin Brandenburg <martin@...ibond.com>,
        devel@...ts.orangefs.org
Subject: Re: [RFC PATCH 8/9] orangefs: use set/clear_fs_page_private

On Mon, Apr 27, 2020 at 08:24:55AM +1000, Dave Chinner wrote:
> On Sun, Apr 26, 2020 at 11:49:24PM +0200, Guoqing Jiang wrote:
> > Since the new pair function is introduced, we can call them to clean the
> > code in orangefs.
> > 
> > Cc: Mike Marshall <hubcap@...ibond.com>
> > Cc: Martin Brandenburg <martin@...ibond.com>
> > Cc: devel@...ts.orangefs.org
> > Signed-off-by: Guoqing Jiang <guoqing.jiang@...ud.ionos.com>
> > ---
> >  fs/orangefs/inode.c | 24 ++++++------------------
> >  1 file changed, 6 insertions(+), 18 deletions(-)
> > 
> > diff --git a/fs/orangefs/inode.c b/fs/orangefs/inode.c
> > index 12ae630fbed7..893099d36e20 100644
> > --- a/fs/orangefs/inode.c
> > +++ b/fs/orangefs/inode.c
> > @@ -64,9 +64,7 @@ static int orangefs_writepage_locked(struct page *page,
> >  	}
> >  	if (wr) {
> >  		kfree(wr);
> > -		set_page_private(page, 0);
> > -		ClearPagePrivate(page);
> > -		put_page(page);
> > +		clear_fs_page_private(page);
> 
> THis is a pre-existing potential use-after-free vector. The wr
> pointer held in the page->private needs to be cleared from the page
> before it is freed.

I'm not familar with orangefs. In my opinion, generally all temporary
page->private access (r/w) should be properly protected by some locks,
most of time I think it could be at least page lock since .migratepage,
.invalidatepage, .releasepage, .. (such paths) are already called with
page locked (honestly I'm interested in this topic, please correct me
if I'm wrong).

I agree that the suggested modification is more clear and easy to read.

Thanks,
Gao Xiang


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ