lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 24 Nov 2021 19:20:09 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Miklos Szeredi <mszeredi@...hat.com>
Cc:     lkml <linux-kernel@...r.kernel.org>,
        stable <stable@...r.kernel.org>,
        Frank Dinoff <fdinoff@...gle.com>
Subject: Re: [PATCH 4.4 109/162] fuse: fix page stealing

On Wed, Nov 24, 2021 at 05:21:26PM +0100, Miklos Szeredi wrote:
> On Wed, Nov 24, 2021 at 1:04 PM Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
> >
> > From: Miklos Szeredi <mszeredi@...hat.com>
> >
> > commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
> >
> > It is possible to trigger a crash by splicing anon pipe bufs to the fuse
> > device.
> >
> > The reason for this is that anon_pipe_buf_release() will reuse buf->page if
> > the refcount is 1, but that page might have already been stolen and its
> > flags modified (e.g. PG_lru added).
> >
> > This happens in the unlikely case of fuse_dev_splice_write() getting around
> > to calling pipe_buf_release() after a page has been stolen, added to the
> > page cache and removed from the page cache.
> >
> > Fix by calling pipe_buf_release() right after the page was inserted into
> > the page cache.  In this case the page has an elevated refcount so any
> > release function will know that the page isn't reusable.
> >
> > Reported-by: Frank Dinoff <fdinoff@...gle.com>
> > Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
> > Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
> > Cc: <stable@...r.kernel.org> # v2.6.35
> > Signed-off-by: Miklos Szeredi <mszeredi@...hat.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> 
> Hi Greg,
> 
> This patch turned out to have a bug, so stable releases that didn't
> yet have it released might be better off backing it out for now and
> releasing only together with the fix to avoid regressions.

Good idea, now dropped from all of those queues.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ