| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 May 2023 13:52:09 +0200 From: Miklos Szeredi <miklos@...redi.hu> To: Pradeep P V K <quic_pragalla@...cinc.com> Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH V1] fuse: Abort the requests under processing queue with a spin_lock On Wed, 31 May 2023 at 11:26, Pradeep P V K <quic_pragalla@...cinc.com> wrote: > > There is a potential race/timing issue while aborting the > requests on processing list between fuse_dev_release() and > fuse_abort_conn(). This is resulting into below warnings > and can even result into UAF issues. Okay, but... > > [22809.190255][T31644] refcount_t: underflow; use-after-free. > [22809.190266][T31644] WARNING: CPU: 2 PID: 31644 at lib/refcount.c:28 > refcount_warn_saturate+0x110/0x158 > ... > [22809.190567][T31644] Call trace: > [22809.190567][T31644] refcount_warn_saturate+0x110/0x158 > [22809.190569][T31644] fuse_file_put+0xfc/0x104 ...how can this cause the file refcount to underflow? That would imply that fuse_request_end() will be called for the same request twice. I can't see how that can happen with or without the locking change. Do you have a reproducer? Thanks, Miklos
Powered by blists - more mailing lists