| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20221117115323.1718-1-thunder.leizhen@huawei.com>
Date: Thu, 17 Nov 2022 19:53:23 +0800
From: Zhen Lei <thunder.leizhen@...wei.com>
To: Alexander Viro <viro@...iv.linux.org.uk>,
Matthew Wilcox <willy@...radead.org>,
<linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: Zhen Lei <thunder.leizhen@...wei.com>,
David Howells <dhowells@...hat.com>
Subject: [PATCH] pipe: fix potential use-after-free in pipe_read()
Accessing buf->flags after pipe_buf_release(pipe, buf) is unsafe, because
the 'buf' memory maybe freed.
In fact, pipe->note_loss does not need the protection of spinlock
pipe->rd_wait.lock, it only needs the protection of __pipe_lock(pipe). So
make the assignment of pipe->note_loss complete before releasing 'buf' to
eliminate the risk.
Fixes: e7d553d69cf6 ("pipe: Add notification lossage handling")
Signed-off-by: Zhen Lei <thunder.leizhen@...wei.com>
---
fs/pipe.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 42c7ff41c2dba29..0f873949337ed28 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -321,12 +321,12 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
}
if (!buf->len) {
- pipe_buf_release(pipe, buf);
- spin_lock_irq(&pipe->rd_wait.lock);
#ifdef CONFIG_WATCH_QUEUE
if (buf->flags & PIPE_BUF_FLAG_LOSS)
pipe->note_loss = true;
#endif
+ pipe_buf_release(pipe, buf);
+ spin_lock_irq(&pipe->rd_wait.lock);
tail++;
pipe->tail = tail;
spin_unlock_irq(&pipe->rd_wait.lock);
--
2.25.1
Powered by blists - more mailing lists