lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20221124092602.259809-1-chenzhongjin@huawei.com>
Date:   Thu, 24 Nov 2022 17:26:02 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <syzbot+a4055c78774bbf3498bb@...kaller.appspotmail.com>,
        <linux-unionfs@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC:     <chenzhongjin@...wei.com>, <miklos@...redi.hu>
Subject: [PATCH] ovl: Fix use inode directly in rcu-walk mode

syzkaller reported a null-ptr-deref error:
https://syzkaller.appspot.com/bug?id=bb281e89381b9ed55728c274447a575e69a96c35

ovl_dentry_revalidate_common() can be called in rcu-walk mode.
As document said, "in rcu-walk mode, d_parent and d_inode should not be
used without care". Check inode here to protect access under rcu-walk
mode.

Fixes: bccece1ead36 ("ovl: allow remote upper")
Reported-by: syzbot+a4055c78774bbf3498bb@...kaller.appspotmail.com
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
 fs/overlayfs/super.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index a29a8afe9b26..d61ab192dfd9 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -139,11 +139,19 @@ static int ovl_dentry_revalidate_common(struct dentry *dentry,
 					unsigned int flags, bool weak)
 {
 	struct ovl_entry *oe = dentry->d_fsdata;
+	struct inode *inode;
 	struct dentry *upper;
 	unsigned int i;
 	int ret = 1;
 
-	upper = ovl_dentry_upper(dentry);
+	if (flags & LOOKUP_RCU) {
+		inode = d_inode_rcu(dentry);
+		if (!inode)
+			return -ECHILD;
+		upper = ovl_upperdentry_dereference(OVL_I(inode));
+	} else
+		upper = ovl_dentry_upper(dentry);
+
 	if (upper)
 		ret = ovl_revalidate_real(upper, flags, weak);
 
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ