lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240722201125.3fa6314b@gandalf.local.home>
Date: Mon, 22 Jul 2024 20:11:25 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Mathias Krause <minipli@...ecurity.net>
Cc: Masami Hiramatsu <mhiramat@...nel.org>, Ajay Kaher
 <ajay.kaher@...adcom.com>, Ilkka Naulapää
 <digirigawa@...il.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Al
 Viro <viro@...iv.linux.org.uk>, linux-trace-kernel@...r.kernel.org,
 linux-kernel@...r.kernel.org, regressions@...mhuis.info, Dan Carpenter
 <dan.carpenter@...aro.org>
Subject: Re: tracing: user events UAF crash report

On Fri, 19 Jul 2024 22:47:01 +0200
Mathias Krause <minipli@...ecurity.net> wrote:

> Subject: [PATCH] eventfs: Don't return NULL in eventfs_create_dir()
> 
> Commit 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing
> ei->dentry") added another check, testing if the parent was freed after
> we released the mutex. If so, the function returns NULL. However, all
> callers expect it to either return a valid pointer or an error pointer,
> at least since commit 5264a2f4bb3b ("tracing: Fix a NULL vs IS_ERR() bug
> in event_subsystem_dir()"). Returning NULL will therefore fail the error
> condition check in the caller.
> 
> Fix this by substituting the NULL return value with a fitting error
> pointer.
> 
> Fixes: 77a06c33a22d ("eventfs: Test for ei->is_freed when accessing ei->dentry")
> Cc: Dan Carpenter <dan.carpenter@...aro.org>
> Signed-off-by: Mathias Krause <minipli@...ecurity.net>

This will not get into the workflow without being sent as a normal patch.

Please send it and Cc those listed in MAINTAINERS (see get_maintainers.pl).

-- Steve


> ---
>  fs/tracefs/event_inode.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
> index 5d88c184f0fc..a9c28a1d5dc8 100644
> --- a/fs/tracefs/event_inode.c
> +++ b/fs/tracefs/event_inode.c
> @@ -736,7 +736,7 @@ struct eventfs_inode *eventfs_create_dir(const char *name, struct eventfs_inode
>  	/* Was the parent freed? */
>  	if (list_empty(&ei->list)) {
>  		cleanup_ei(ei);
> -		ei = NULL;
> +		ei = ERR_PTR(-EBUSY);
>  	}
>  	return ei;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ