| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Sep 2021 14:35:08 +0700
From: Dmitry Kadashev <dkadashev@...il.com>
To: Stephen Brennan <stephen.s.brennan@...cle.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Jens Axboe <axboe@...nel.dk>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] namei: Fix use after free in kern_path_locked
On Wed, Sep 1, 2021 at 7:13 AM Stephen Brennan
<stephen.s.brennan@...cle.com> wrote:
>
> In 0ee50b47532a ("namei: change filename_parentat() calling
> conventions"), filename_parentat() was made to always put the struct
> filename before returning, and kern_path_locked() was migrated to this
> calling convention. However, kern_path_locked() uses the "last"
> parameter to lookup and potentially create a new dentry. The last
> parameter contains the last component of the path and points within the
> filename, which was recently freed at the end of filename_parentat().
> Thus, when kern_path_locked() calls __lookup_hash(), it is using the
> filename after it has already been freed.
>
> To avoid this, switch back to __filename_parentat() and place a putname
> at the end of the function, once all uses are completed.
Ouch. Thanks for taking care of this, Stephen. I guess
filename_parentat() should be killed, since kern_path_locked() was the
only place it's used in and it always results in danging "last",
provoking bugs just like this one. I can send a patch on top of this if
you prefer.
--
Dmitry
Powered by blists - more mailing lists