lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOQ4uxi+4-jyNY6jzNt1wG5xcYSZiSfU0AtCWtF71PSW160zRw@mail.gmail.com>
Date: Sun, 17 Dec 2023 11:32:16 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Edward Adam Davis <eadavis@...com>, viro@...iv.linux.org.uk
Cc: syzbot+8608bb4553edb8c78f41@...kaller.appspotmail.com, chao@...nel.org, 
	jaegeuk@...nel.org, linux-f2fs-devel@...ts.sourceforge.net, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	phillip@...ashfs.org.uk, reiserfs-devel@...r.kernel.org, 
	squashfs-devel@...ts.sourceforge.net, syzkaller-bugs@...glegroups.com, 
	terrelln@...com, overlayfs <linux-unionfs@...r.kernel.org>, 
	Miklos Szeredi <miklos@...redi.hu>
Subject: Re: [PATCH] ovl: fix BUG: Dentry still in use in unmount

Hi Edward,

Thanks for the quick fix, but it is incorrect.

On Sun, Dec 17, 2023 at 10:11 AM Edward Adam Davis <eadavis@...com> wrote:
>
> workdir and destdir could be the same when copying up to indexdir.

This is not the reason for the bug, the reason is:

    syzbot exercised the forbidden practice of moving the workdir under
    lowerdir while overlayfs is mounted and tripped a dentry reference leak.

>
> Fixes: c63e56a4a652 ("ovl: do not open/llseek lower file with upper sb_writers held")
> Reported-and-tested-by: syzbot+8608bb4553edb8c78f41@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>  fs/overlayfs/copy_up.c | 20 +++++++++++++-------
>  1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 4382881b0709..ae5eb442025d 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -731,10 +731,14 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
>                 .rdev = c->stat.rdev,
>                 .link = c->link
>         };
> +       err = -EIO;
> +       /* workdir and destdir could be the same when copying up to indexdir */
> +       if (lock_rename(c->workdir, c->destdir) != NULL)
> +               goto unlock;

You can't do that. See comment below ovl_copy_up_data().

>
>         err = ovl_prep_cu_creds(c->dentry, &cc);
>         if (err)
> -               return err;
> +               goto unlock;
>
>         ovl_start_write(c->dentry);
>         inode_lock(wdir);
> @@ -743,8 +747,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
>         ovl_end_write(c->dentry);
>         ovl_revert_cu_creds(&cc);
>
> +       err = PTR_ERR(temp);
>         if (IS_ERR(temp))
> -               return PTR_ERR(temp);
> +               goto unlock;
>
>         /*
>          * Copy up data first and then xattrs. Writing data after
> @@ -760,10 +765,9 @@ static int ovl_copy_up_workdir(struct ovl_copy_up_ctx *c)
>          * If temp was moved, abort without the cleanup.
>          */
>         ovl_start_write(c->dentry);
> -       if (lock_rename(c->workdir, c->destdir) != NULL ||
> -           temp->d_parent != c->workdir) {
> +       if (temp->d_parent != c->workdir) {

                  dput(temp);

here is all that should be needed to fix the leak.


>                 err = -EIO;
> -               goto unlock;
> +               goto unlockcd;
>         } else if (err) {
>                 goto cleanup;
>         }

See my suggested fix at https://github.com/amir73il/linux/commits/ovl-fixes

Al,

Heads up.
This fix will have a minor conflict with a8b0026847b8 ("rename(): avoid
a deadlock in the case of parents having no common ancestor")
on your work.rename branch.

I plan to push my fix to linux-next soon, but I see that work.rename
is not in linux-next yet.

Thanks,
Amir.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ