lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200515205621.GH23230@ZenIV.linux.org.uk>
Date:   Fri, 15 May 2020 21:56:21 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Olga Kornievskaia <kolga@...app.com>
Cc:     Alexey Gladkov <gladkov.alexey@...il.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        syzbot <syzbot+c1af344512918c61362c@...kaller.appspotmail.com>,
        jmorris@...ei.org, linux-kernel@...r.kernel.org,
        linux-next@...r.kernel.org, linux-security-module@...r.kernel.org,
        serge@...lyn.com, sfr@...b.auug.org.au,
        syzkaller-bugs@...glegroups.com,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        ".Tetsuo Handa" <penguin-kernel@...ove.sakura.ne.jp>
Subject: Re: linux-next boot error: general protection fault in
 tomoyo_get_local_path

On Fri, May 15, 2020 at 09:13:57PM +0100, Al Viro wrote:
> On Sat, May 16, 2020 at 12:36:28AM +0900, Tetsuo Handa wrote:
> > On 2020/05/16 0:18, Tetsuo Handa wrote:
[snip]
> > A similar bug (racing inode destruction with open() on proc filesystem) was fixed as
> > commit 6f7c41374b62fd80 ("tomoyo: Don't use nifty names on sockets."). Then, it might
> > not be safe to replace dentry->d_sb->s_fs_info with dentry->d_inode->i_sb->s_fs_info .
> 
> Could you explain why do you want to bother with d_inode() anyway?  Anything that
> does dentry->d_inode->i_sb can bloody well use dentry->d_sb.  And that's never
> changed over the struct dentry lifetime - ->d_sb is set on allocation and never
> modified afterwards.

Incidentally, this
        r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, &fattr,
                        NULL);
(in nfs42_ssc_open()) is just plain weird.

	1) d->d_inode->i_sb is equal to d->d_sb
	2) m->mnt_root->d_sb is equal to m->mnt_sb
IOW, the whole thing should be 
        r_ino = nfs_fhget(ss_mnt->mnt_sb, src_fh, &fattr, NULL);

Moreover,
	server = NFS_SERVER(ss_mnt->mnt_root->d_inode);
in the same function is again too convoluted for no good reason, seeing that
NFS_SERVER(inode) is NFS_SB(inode->i_sb).

Something along the lines of

nfs: don't obfuscate ->mnt_sb as ->mnt_root->d_inode->i_sb

Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
---
diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
index 8e5d6223ddd3..1e8ca45bc806 100644
--- a/fs/nfs/nfs4file.c
+++ b/fs/nfs/nfs4file.c
@@ -317,15 +317,14 @@ nfs42_ssc_open(struct vfsmount *ss_mnt, struct nfs_fh *src_fh,
 {
 	struct nfs_fattr fattr;
 	struct file *filep, *res;
-	struct nfs_server *server;
+	struct super_block *sb = ss_mnt->mnt_sb;
+	struct nfs_server *server = NFS_SB(sb);
 	struct inode *r_ino = NULL;
 	struct nfs_open_context *ctx;
 	struct nfs4_state_owner *sp;
 	char *read_name = NULL;
 	int len, status = 0;
 
-	server = NFS_SERVER(ss_mnt->mnt_root->d_inode);
-
 	nfs_fattr_init(&fattr);
 
 	status = nfs4_proc_getattr(server, src_fh, &fattr, NULL, NULL);
@@ -341,8 +340,7 @@ nfs42_ssc_open(struct vfsmount *ss_mnt, struct nfs_fh *src_fh,
 		goto out;
 	snprintf(read_name, len, SSC_READ_NAME_BODY, read_name_gen++);
 
-	r_ino = nfs_fhget(ss_mnt->mnt_root->d_inode->i_sb, src_fh, &fattr,
-			NULL);
+	r_ino = nfs_fhget(sb, src_fh, &fattr, NULL);
 	if (IS_ERR(r_ino)) {
 		res = ERR_CAST(r_ino);
 		goto out_free_name;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ