Message-ID: <CAOQ4uxiTOJNk-Sy6RFezv=_kpsM9AqMSej=9DxfKtO53-vqXqA@mail.gmail.com>
Date: Fri, 27 Sep 2024 14:41:14 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Leo Stone <leocstone@...il.com>, Linus Torvalds <torvalds@...ux-foundation.org>
Cc: syzbot+d9efec94dcbfa0de1c07@...kaller.appspotmail.com, 
	linux-kernel@...r.kernel.org, linux-unionfs@...r.kernel.org, 
	miklos@...redi.hu, syzkaller-bugs@...glegroups.com, skhan@...uxfoundation.org, 
	anupnewsmail@...il.com, Christian Brauner <brauner@...nel.org>, 
	Al Viro <viro@...iv.linux.org.uk>, linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: Re: [syzbot] [overlayfs?] general protection fault in ovl_llseek

On Fri, Sep 27, 2024 at 2:03 PM Amir Goldstein <amir73il@...il.com> wrote:
>
> On Fri, Sep 27, 2024 at 9:10 AM Leo Stone <leocstone@...il.com> wrote:
> >
> > Add a check to avoid using an invalid pointer if ovl_open_realfile fails.
> >
> > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> >
> > diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> > index 2b7a5a3a7a2f..67f75eeb1e51 100644
> > --- a/fs/overlayfs/file.c
> > +++ b/fs/overlayfs/file.c
> > @@ -117,7 +117,11 @@ static int ovl_real_fdget_meta(const struct file *file, struct fd *real,
> >                 struct file *f = ovl_open_realfile(file, &realpath);
> >                 if (IS_ERR(f))
> >                         return PTR_ERR(f);
> > -               real->word = (unsigned long)ovl_open_realfile(file, &realpath) | FDPUT_FPUT;
> > +               f = ovl_open_realfile(file, &realpath);
> > +               if (IS_ERR(f))
> > +                       return PTR_ERR(f);
> > +               real->word = (unsigned long)f;
> > +               real->word |= FDPUT_FPUT;
> >                 return 0;
> >         }
> >
> >
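Review bot: The added lines before the real->word assignment call ovl_open_realfile(file, &realpath) a second time, even though the context lines just above already opened f and checked IS_ERR(f). The first file is overwritten without being released, so every pass through this branch leaks it, and the new IS_ERR check only guards the redundant second open. Drop the second call and build the word from the f that was already validated, e.g. real->word = (unsigned long)f | FDPUT_FPUT; which also removes the need for the extra error path.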
>
> No, that's the wrong fix.
> There is a braino and a file leak in this code.
>
> Linus,
>
> Could you apply this braino fix manually before releasing rc1.
>

Too quick to send. I messed up the Fixes: tag.
Now fixed.

Thanks,
Amir.

View attachment "0001-ovl-fix-file-leak-in-ovl_real_fdget_meta.patch" of type "text/x-patch" (1043 bytes)
