| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Nov 2022 17:26:02 +0800
From: Chen Zhongjin <chenzhongjin@...wei.com>
To: <syzbot+a4055c78774bbf3498bb@...kaller.appspotmail.com>,
<linux-unionfs@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: <chenzhongjin@...wei.com>, <miklos@...redi.hu>
Subject: [PATCH] ovl: Fix use inode directly in rcu-walk mode
syzkaller reported a null-ptr-deref error:
https://syzkaller.appspot.com/bug?id=bb281e89381b9ed55728c274447a575e69a96c35
ovl_dentry_revalidate_common() can be called in rcu-walk mode.
As document said, "in rcu-walk mode, d_parent and d_inode should not be
used without care". Check inode here to protect access under rcu-walk
mode.
Fixes: bccece1ead36 ("ovl: allow remote upper")
Reported-by: syzbot+a4055c78774bbf3498bb@...kaller.appspotmail.com
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
fs/overlayfs/super.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index a29a8afe9b26..d61ab192dfd9 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -139,11 +139,19 @@ static int ovl_dentry_revalidate_common(struct dentry *dentry,
unsigned int flags, bool weak)
{
struct ovl_entry *oe = dentry->d_fsdata;
+ struct inode *inode;
struct dentry *upper;
unsigned int i;
int ret = 1;
- upper = ovl_dentry_upper(dentry);
+ if (flags & LOOKUP_RCU) {
+ inode = d_inode_rcu(dentry);
+ if (!inode)
+ return -ECHILD;
+ upper = ovl_upperdentry_dereference(OVL_I(inode));
+ } else
+ upper = ovl_dentry_upper(dentry);
+
if (upper)
ret = ovl_revalidate_real(upper, flags, weak);
--
2.17.1
Powered by blists - more mailing lists