lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <163694306800.229789.11812765289669370510.stgit@mickey.themaw.net>
Date:   Mon, 15 Nov 2021 10:24:28 +0800
From:   Ian Kent <raven@...maw.net>
To:     xfs <linux-xfs@...r.kernel.org>,
        "Darrick J. Wong" <djwong@...nel.org>,
        Christoph Hellwig <hch@....de>
Cc:     Miklos Szeredi <miklos@...redi.hu>,
        Brian Foster <bfoster@...hat.com>,
        Al Viro <viro@...IV.linux.org.uk>,
        David Howells <dhowells@...hat.com>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: [PATCH 2 2/2] xfs: make sure link path does not go away at access

When following an inline symlink in rcu-walk mode it's possible to
succeed in getting the ->get_link() method pointer but the link path
string be deallocated while it's being used.

This is becuase of the xfs inode reclaim mechanism. While rcu freeing
the link path can prevent it from being freed during use the inode
reclaim could assign a new value to the field at any time outside of
the path walk and result in an invalid link path pointer being
returned. Admittedly a very small race window but possible.

The best way to mitigate this risk is to return -ECHILD to the VFS
if the inline symlink method, ->get_link(), is called in rcu-walk mode
so the VFS can switch to ref-walk mode or redo the walk if the inode
has become invalid.

If it's discovered that staying in rcu-walk mode gives a worth while
performance improvement (unlikely) then the link path could be freed
under rcu once potential side effects of the xfs inode reclaim
sub-system have been analysed and dealt with if needed.

Signed-off-by: Ian Kent <raven@...maw.net>
---
 fs/xfs/xfs_iops.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index a607d6aca5c4..0a96183c5381 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -520,6 +520,9 @@ xfs_vn_get_link_inline(
 	struct xfs_inode	*ip = XFS_I(inode);
 	char			*link;
 
+	if (!dentry)
+		return ERR_PTR(-ECHILD);
+
 	ASSERT(ip->i_df.if_format == XFS_DINODE_FMT_LOCAL);
 
 	/*


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ