| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Apr 2021 15:48:51 +0800
From: Du Cheng <ducheng2@...il.com>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
gregkh@...uxfoundation.org, Du Cheng <ducheng2@...il.com>,
syzbot+651ca866e5e2b4b5095b@...kaller.appspotmail.com
Subject: [PATCH] fs:minix: catch inode->i_nlink == 0 in minix_rename()
If the destination inode has i_nlink==0, it is invalid. Hence we should
return an error instead of proceeding with drop_nlink() which causes
WARN_ON().
Reported by syzkaller:
https://syzkaller.appspot.com/bug?id=0b1ac5e39c478b05355e189451b5379dc925fd2e
Reported-by: syzbot+651ca866e5e2b4b5095b@...kaller.appspotmail.com
Signed-off-by: Du Cheng <ducheng2@...il.com>
---
This patch fixed the kernel panic on my testing envionment with the syzbot
reproducer.
This patch works in a similar spirit with the following patch on bad inode:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=facb03dddec04e4aac1bb2139accdceb04deb1f3
fs/minix/namei.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 937fa5fae2b8..96761536b8d4 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -215,6 +215,10 @@ static int minix_rename(struct user_namespace *mnt_userns,
struct page * new_page;
struct minix_dir_entry * new_de;
+ err = -EINVAL;
+ if (new_inode->i_nlink == 0)
+ goto out_dir;
+
err = -ENOTEMPTY;
if (dir_de && !minix_empty_dir(new_inode))
goto out_dir;
--
2.30.2
Powered by blists - more mailing lists