| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1030308.1607468099@warthog.procyon.org.uk>
Date: Tue, 08 Dec 2020 22:54:59 +0000
From: David Howells <dhowells@...hat.com>
To: Randy Dunlap <rdunlap@...radead.org>
Cc: dhowells@...hat.com,
syzbot <syzbot+86dc6632faaca40133ab@...kaller.appspotmail.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Subject: Re: memory leak in generic_parse_monolithic [+PATCH]
Randy Dunlap <rdunlap@...radead.org> wrote:
> > Now the backtrace only shows what the state was when the string was allocated;
> > it doesn't show what happened to it after that, so another possibility is that
> > the filesystem being mounted nicked what vfs_parse_fs_param() had rightfully
> > stolen, transferring fc->source somewhere else and then failed to release it -
> > most likely on mount failure (ie. it's an error handling bug in the
> > filesystem).
> >
> > Do we know what filesystem it was?
>
> Yes, it's call AFS (or kAFS).
Hmmm... afs parses the string in afs_parse_source() without modifying it,
then moves the pointer to fc->source (parallelling vfs_parse_fs_param()) and
doesn't touch it again. fc->source should be cleaned up by do_new_mount()
calling put_fs_context() at the end of the function.
As far as I can tell with the attached print-insertion patch, it works, called
by the following commands, some of which are correct and some which aren't:
# mount -t afs none /xfstest.test/ -o dyn
# umount /xfstest.test
# mount -t afs "" /xfstest.test/ -o foo
mount: /xfstest.test: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
# umount /xfstest.test
umount: /xfstest.test: not mounted.
# mount -t afs %xfstest.test20 /xfstest.test/ -o foo
mount: /xfstest.test: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.
# umount /xfstest.test
umount: /xfstest.test: not mounted.
# mount -t afs %xfstest.test20 /xfstest.test/
# umount /xfstest.test
Do you know if the mount was successful and what the mount parameters were?
David
---
diff --git a/fs/afs/super.c b/fs/afs/super.c
index 6c5900df6aa5..4c44ec0196c9 100644
--- a/fs/afs/super.c
+++ b/fs/afs/super.c
@@ -299,7 +299,7 @@ static int afs_parse_source(struct fs_context *fc, struct fs_parameter *param)
ctx->cell = cell;
}
- _debug("CELL:%s [%p] VOLUME:%*.*s SUFFIX:%s TYPE:%d%s",
+ kdebug("CELL:%s [%p] VOLUME:%*.*s SUFFIX:%s TYPE:%d%s",
ctx->cell->name, ctx->cell,
ctx->volnamesz, ctx->volnamesz, ctx->volname,
suffix ?: "-", ctx->type, ctx->force ? " FORCE" : "");
@@ -318,6 +318,8 @@ static int afs_parse_param(struct fs_context *fc, struct fs_parameter *param)
struct afs_fs_context *ctx = fc->fs_private;
int opt;
+ kenter("%s,%p '%s'", param->key, param->string, param->string);
+
opt = fs_parse(fc, afs_fs_parameters, param, &result);
if (opt < 0)
return opt;
diff --git a/fs/fs_context.c b/fs/fs_context.c
index 2834d1afa6e8..f530a33876ce 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -450,6 +450,8 @@ void put_fs_context(struct fs_context *fc)
put_user_ns(fc->user_ns);
put_cred(fc->cred);
put_fc_log(fc);
+ if (strcmp(fc->fs_type->name, "afs") == 0)
+ printk("PUT %p '%s'\n", fc->source, fc->source);
put_filesystem(fc->fs_type);
kfree(fc->source);
kfree(fc);
@@ -671,6 +673,8 @@ void vfs_clean_context(struct fs_context *fc)
fc->s_fs_info = NULL;
fc->sb_flags = 0;
security_free_mnt_opts(&fc->security);
+ if (strcmp(fc->fs_type->name, "afs") == 0)
+ printk("CLEAN %p '%s'\n", fc->source, fc->source);
kfree(fc->source);
fc->source = NULL;
Powered by blists - more mailing lists