| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220816104642.qmjegdtthyzy5xbv@wittgenstein>
Date: Tue, 16 Aug 2022 12:46:42 +0200
From: Christian Brauner <brauner@...nel.org>
To: Dongliang Mu <dzm91@...t.edu.cn>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Dongliang Mu <mudongliangabcd@...il.com>,
butt3rflyh4ck <butterflyhuangxx@...il.com>,
Hao Sun <sunhao.th@...il.com>, Jiacheng Xu <stitch@....edu.cn>,
stable@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fs: fix UAF/GPF bug in nilfs_mdt_destroy
On Tue, Aug 16, 2022 at 12:08:58PM +0800, Dongliang Mu wrote:
> From: Dongliang Mu <mudongliangabcd@...il.com>
>
> In alloc_inode, inode_init_always() could return -ENOMEM if
> security_inode_alloc() fails, which causes inode->i_private
> uninitialized. Then nilfs_is_metadata_file_inode() returns
> true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
> which frees the uninitialized inode->i_private
> and leads to crashes(e.g., UAF/GPF).
>
> Fix this by moving security_inode_alloc just prior to
> this_cpu_inc(nr_inodes)
>
> Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
> Reported-by: butt3rflyh4ck <butterflyhuangxx@...il.com>
> Reported-by: Hao Sun <sunhao.th@...il.com>
> Reported-by: Jiacheng Xu <stitch@....edu.cn>
> Signed-off-by: Dongliang Mu <mudongliangabcd@...il.com>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: stable@...r.kernel.org
> ---
Looks good to me,
Reviewed-by: Christian Brauner (Microsoft) <brauner@...nel.org>
Powered by blists - more mailing lists