Message-ID: <20200429024648.GA23230@ZenIV.linux.org.uk>
Date: Wed, 29 Apr 2020 03:46:48 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Jann Horn <jannh@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Arve Hjønnevåg <arve@...roid.com>,
NeilBrown <neilb@...e.de>, "Rafael J . Wysocki" <rjw@...k.pl>
Subject: Re: [PATCH] epoll: Fix UAF dentry name access in wakeup source setup
On Wed, Apr 29, 2020 at 04:31:04AM +0200, Jann Horn wrote:
> I'm guessing this will go through akpm's tree?
>
> fs/eventpoll.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index 8c596641a72b0..5052a41670479 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -1450,7 +1450,7 @@ static int reverse_path_check(void)
>
> static int ep_create_wakeup_source(struct epitem *epi)
> {
> - const char *name;
> + struct name_snapshot name;
> struct wakeup_source *ws;
>
> if (!epi->ep->ws) {
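Review bot: a style point on the declaration in this hunk: now that the local is a `struct name_snapshot` rather than a `const char *`, keeping the identifier `name` leads to the triple `name.name.name` when the qstr's pointer is read out in the next hunk; renaming the local to something like `snap` (giving `snap.name.name`) would make it obvious at the call site that a snapshot, not the dentry's live name, is being handed over.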
> @@ -1459,8 +1459,9 @@ static int ep_create_wakeup_source(struct epitem *epi)
> return -ENOMEM;
> }
>
> - name = epi->ffd.file->f_path.dentry->d_name.name;
> - ws = wakeup_source_register(NULL, name);
> + take_dentry_name_snapshot(&name, epi->ffd.file->f_path.dentry);
> + ws = wakeup_source_register(NULL, name.name.name);
> + release_dentry_name_snapshot(&name);
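Review bot: the snapshot is released on the line immediately after the `wakeup_source_register()` call, so this change is only correct if that function copies the string it is given rather than retaining the `name.name.name` pointer; if it kept the pointer, the freed-name problem would simply move from the dentry to the snapshot's storage. The commit message should state which of the two holds, and a short comment above `take_dentry_name_snapshot()` explaining that the copy exists to survive a concurrent rename of the dentry would document why a plain read of `d_name.name` was unsafe here.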
I'm not sure I like it. Sure, it won't get freed under you that way; it still
can go absolutely stale by the time you return from wakeup_source_register().
What is it being used for?