lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 8 Aug 2023 18:35:04 +0200
From:   Christian Brauner <brauner@...nel.org>
To:     Christoph Hellwig <hch@....de>
Cc:     clm@...com, dsterba@...e.com, josef@...icpanda.com,
        linux-btrfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        syzbot <syzbot+26860029a4d562566231@...kaller.appspotmail.com>
Subject: Re: [syzbot] [btrfs?] KASAN: slab-use-after-free Read in
 btrfs_open_devices

On Tue, Aug 08, 2023 at 06:01:41PM +0200, Christoph Hellwig wrote:
> Yes, probably.  The lifetimes looked fishy to me to start with, but
> this might have made things worse.

It looks like we should be able to just drop that patch.
Ok, are you fixing this or should I drop this patch?

> 
> On Tue, Aug 08, 2023 at 05:50:02PM +0200, Christian Brauner wrote:
> > On Mon, Aug 07, 2023 at 08:24:36PM -0700, syzbot wrote:
> > > syzbot has bisected this issue to:
> > > 
> > > commit 066d64b26a21a5b5c500a30f27f3e4b1959aac9e
> > > Author: Christoph Hellwig <hch@....de>
> > > Date:   Wed Aug 2 15:41:23 2023 +0000
> > > 
> > >     btrfs: open block devices after superblock creation
> > > 
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15493371a80000
> > > start commit:   f7dc24b34138 Add linux-next specific files for 20230807
> > > git tree:       linux-next
> > > final oops:     https://syzkaller.appspot.com/x/report.txt?x=17493371a80000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13493371a80000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
> > > 
> > > Reported-by: syzbot+26860029a4d562566231@...kaller.appspotmail.com
> > > Fixes: 066d64b26a21 ("btrfs: open block devices after superblock creation")
> > > 
> > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> > 
> > I think the issue might be that before your patch the lifetime of:
> > @device was aligned with @device->s_fs_info but now that you're dropping
> > the uuid mutex after btrfs_scan_one_device() that isn't true anymore. So
> > it feels like:
> > 
> > P1                                       P2
> > lock_uuid_mutex;
> > device = btrfs_scan_one_device();
> > fs_devices = device->fs_devices;
> > unlock_uuid_mutex;
> >                                          // earlier mount that gets cleaned up
> >                                          lock_uuid_mutex; 
> > 					 btrfs_close_devices(fs_devices);
> >                                          unlock_uuid_mutex;
> > 
> > lock_uuid_mutex;
> > btrfs_open_devices(fs_devices); // UAF
> > unlock_uuid_mutex;
> > 
> > But I'm not entirely sure.
> ---end quoted text---

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ