Message-ID: <20230515-hilfreich-zeilen-d4a8cf469896@brauner>
Date:   Mon, 15 May 2023 13:08:23 +0200
From:   Christian Brauner <brauner@...nel.org>
To:     Zhihao Cheng <chengzhihao1@...wei.com>
Cc:     miklos@...redi.hu, amir73il@...il.com,
        linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] ovl: get_acl: Fix null pointer dereference at
 realinode in rcu-walk mode

On Fri, May 05, 2023 at 08:24:51PM +0800, Zhihao Cheng wrote:
> Following process:
>          P1                     P2
>  path_openat
>   link_path_walk
>    may_lookup
>     inode_permission(rcu)
>      ovl_permission
>       acl_permission_check
>        check_acl
>         get_cached_acl_rcu
>          ovl_get_inode_acl
>           realinode = ovl_inode_real(ovl_inode)
>                               drop_cache
>                                __dentry_kill(ovl_dentry)
>                                 iput(ovl_inode)
>                                  ovl_destroy_inode(ovl_inode)
>                                   dput(oi->__upperdentry)
>                                    dentry_kill(upperdentry)
>                                     dentry_unlink_inode
>                                      upperdentry->d_inode = NULL
>             ovl_inode_upper
>              upperdentry = ovl_i_dentry_upper(ovl_inode)
>              d_inode(upperdentry) // returns NULL
>           IS_POSIXACL(realinode) // NULL pointer dereference
> , will trigger a null pointer dereference at realinode:
>   [  205.472797] BUG: kernel NULL pointer dereference, address:
>                  0000000000000028
>   [  205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted
>                  6.3.0-12064-g2edfa098e750-dirty #1216
>   [  205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300
>   [  205.489584] Call Trace:
>   [  205.489812]  <TASK>
>   [  205.490014]  ovl_get_inode_acl+0x26/0x30
>   [  205.490466]  get_cached_acl_rcu+0x61/0xa0
>   [  205.490908]  generic_permission+0x1bf/0x4e0
>   [  205.491447]  ovl_permission+0x79/0x1b0
>   [  205.491917]  inode_permission+0x15e/0x2c0
>   [  205.492425]  link_path_walk+0x115/0x550
>   [  205.493311]  path_lookupat.isra.0+0xb2/0x200
>   [  205.493803]  filename_lookup+0xda/0x240
>   [  205.495747]  vfs_fstatat+0x7b/0xb0
> 
> Fetch a reproducer in [Link].
> 
> Fix it by checking whether realinode is NULL before accessing it.
> 
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217404
> Fixes: 332f606b32b6 ("ovl: enable RCU'd ->get_acl()")
> Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
> ---
>  fs/overlayfs/inode.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
> index 541cf3717fc2..38cfdf9e2b44 100644
> --- a/fs/overlayfs/inode.c
> +++ b/fs/overlayfs/inode.c
> @@ -563,16 +563,16 @@ struct posix_acl *do_ovl_get_acl(struct mnt_idmap *idmap,
>  	struct posix_acl *acl;
>  	struct path realpath;
>  
> -	if (!IS_POSIXACL(realinode))
> -		return NULL;
> -
>  	/* Careful in RCU walk mode */
>  	ovl_i_path_real(inode, &realpath);
> -	if (!realpath.dentry) {
> +	if (!realpath.dentry || !realinode) {
>  		WARN_ON(!rcu);
>  		return ERR_PTR(-ECHILD);
>  	}
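Review bot: folding `!realinode` into the `-ECHILD` branch conflates two different conditions: a real inode that disappeared under an RCU walk, where `-ECHILD` correctly asks the caller to retry in ref-walk mode, and a NULL `realinode` seen in ref-walk mode, which now trips `WARN_ON(!rcu)` and returns an error the caller cannot retry out of. The quoted part of the hunk also drops the `IS_POSIXACL(realinode)` gate without showing where it is re-added after the NULL check, so the ACL gate cannot be verified from these lines alone. A simpler shape is to stop computing `realinode` separately and take it from the path that `ovl_i_path_real()` has just validated, e.g. `realinode = d_inode(realpath.dentry);` after the `!realpath.dentry` check, so the NULL test and the inode used afterwards refer to the same object, in line with the reply's suggestion to reuse the `ovl_permission()` logic.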

I think the logic here is now a bit strange. I would just not bother
calling ovl_inode_real() anymore and simply use the same logic as in
ovl_permission() (Thus my comment about using a tiny helper.).
