lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_0EBF9E731B704B091B022578BA9EBB8E3308@qq.com>
Date: Tue, 15 Oct 2024 20:26:46 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+c3a3a153f0190dca5be9@...kaller.appspotmail.com
Cc: clm@...com,
	dsterba@...e.com,
	josef@...icpanda.com,
	linux-btrfs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: [PATCH next] btrfs: Accessing head_ref within delayed_refs lock

This is because the thread routine btrfs_work_helper released head_def after
exiting delayed_refs->lock in add_delayed_ref.
Causing add_delayed_ref to encounter uaf when accessing head_def->bytenr
outside the delayed_refs->lock.

Move head_ref->bytenr into the protection range of delayed_refs->lock 
to avoid uaf in add_delayed_ref.

Fixes: a3aad8f4f5d9 ("btrfs: qgroups: remove bytenr field from struct btrfs_qgroup_extent_record")
Reported-and-tested-by: syzbot+c3a3a153f0190dca5be9@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c3a3a153f0190dca5be9
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 fs/btrfs/delayed-ref.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
index 13c2e00d1270..f50fc05847a1 100644
--- a/fs/btrfs/delayed-ref.c
+++ b/fs/btrfs/delayed-ref.c
@@ -1012,6 +1012,7 @@ static int add_delayed_ref(struct btrfs_trans_handle *trans,
 	int action = generic_ref->action;
 	bool merged;
 	int ret;
+	u64 bytenr;
 
 	node = kmem_cache_alloc(btrfs_delayed_ref_node_cachep, GFP_NOFS);
 	if (!node)
@@ -1056,6 +1057,7 @@ static int add_delayed_ref(struct btrfs_trans_handle *trans,
 		goto free_record;
 	}
 	head_ref = new_head_ref;
+	bytenr = head_ref->bytenr;
 
 	merged = insert_delayed_ref(trans, head_ref, node);
 	spin_unlock(&delayed_refs->lock);
@@ -1074,7 +1076,7 @@ static int add_delayed_ref(struct btrfs_trans_handle *trans,
 		kmem_cache_free(btrfs_delayed_ref_node_cachep, node);
 
 	if (qrecord_inserted)
-		return btrfs_qgroup_trace_extent_post(trans, record, head_ref->bytenr);
+		return btrfs_qgroup_trace_extent_post(trans, record, bytenr);
 	return 0;
 
 free_record:
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ