lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y69IaMqZvnGk5skX@mit.edu>
Date:   Fri, 30 Dec 2022 15:22:00 -0500
From:   "Theodore Ts'o" <tytso@....edu>
To:     Tudor Ambarus <tudor.ambarus@...aro.org>
Cc:     Eric Biggers <ebiggers@...nel.org>, adilger.kernel@...ger.ca,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
        joneslee@...gle.com,
        syzbot+0827b4b52b5ebf65f219@...kaller.appspotmail.com,
        stable@...r.kernel.org
Subject: Re: [PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent

On Fri, Dec 30, 2022 at 01:42:45PM +0200, Tudor Ambarus wrote:
> > This is (incompletely) validating the extent header in the inode.  Isn't that
> > supposed to happen when the inode is loaded?  See how __ext4_iget() calls
> > ext4_ext_check_inode().  Why isn't that working here?
> > 
> 
> Seems that __ext4_iget() is not called on writes. You can find below the
> sequence of calls that leads to the bug. The debug was done on v6.2-rc1.
> I assume the extents check is no longer done on writes since
> commit 7a262f7c69163cd4811f2f838faef5c5b18439c9. The commit doesn't
> specify the reason though.

Commit 7a262f7c6916 no longer does the check if the inode is already
in memory (which is the case when there is an open file descriptor).
That's because it should have been checked when it was first read into
memory.

So the the question is, did the inode get corrupted somehow after it
was read in from disk?  If so that's the real problem, and that's what
needs to be root caused and fixed.  It's not sufficient to just to
make the syzbot reproducer only longer reproduce.  The question is
understanding what is fundamentally going on and fixing the real root
problem.

Regards,

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ