Date: Wed, 27 Mar 2024 12:02:08 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Eric Van Hensbergen <eric.vanhensbergen@...ux.dev>, asmadeus@...ewreck.org, 
	Lizhi Xu <lizhi.xu@...driver.com>, 
	syzbot+7a3d75905ea1a830dbe5@...kaller.appspotmail.com, 
	Linux-Fsdevel <linux-fsdevel@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	linux_oss@...debyte.com, lucho@...kov.net, 
	syzkaller-bugs <syzkaller-bugs@...glegroups.com>, v9fs@...ts.linux.dev, 
	Linux Regressions <regressions@...ts.linux.dev>, Network Development <netdev@...r.kernel.org>, 
	Alexei Starovoitov <ast@...nel.org>, bpf <bpf@...r.kernel.org>
Subject: Re: [PATCH next] fs/9p: fix uaf in in v9fs_stat2inode_dotl

On Wed, Mar 27, 2024 at 11:53 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Fri, 22 Mar 2024 08:13:12 -0700 Jakub Kicinski wrote:
> > On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> > > Patch is in the unapplied portion of my for-next tree along with
> > > another one.  I was hoping to hear some feedback on the other one
> > > before I did a pull request and was torn on whether or not I wait on
> > > -rc1 to send since we are so close.
> >
> > My guess would be that quite a few folks use 9p for in-VM kernel
> > testing. Real question is how many actually update their work tree
> > before -rc1 or even -rc2, given the anticipated merge window code
> > instability.. so maybe there's no extreme urgency?
> >
> > From netdev's perspective, FWIW, it'd be great if the fix reached
> > Linux before Thursday, which is when we will forward our tree again.
>
> Any progress on getting the fix to Linus? I didn't spot it getting
> merged.
>
> I'm a bit surprised there aren't more people complaining TBH
> I'd have thought any CI setup with KASAN enabled has a good
> chance of hitting this..

The proposed fix is a no-brainer:
https://lore.kernel.org/all/20240202121531.2550018-1-lizhi.xu@windriver.com/

+ v9fs_stat2inode_dotl(st, inode, 0);
  kfree(st);
  if (retval)
    goto error;

- v9fs_stat2inode_dotl(st, inode, 0);
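
Review bot: the relocated `v9fs_stat2inode_dotl(st, inode, 0);` now sits above the `if (retval)` check, so the inode is filled in from `st` even when `retval` is non-zero and control goes to `error`. Reading `st` before `kfree(st)` does close the use-after-free, but the changelog should say that updating the inode on the failure path is harmless. Otherwise, keep the call after the check and free `st` on both the error and success paths.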

Please ship it to Linus asap.
I'm surprised this bug slipped through.

It does affect bpf developers and our CI, since we run with KASAN and use 9P.
