lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250109062216.GQ1977892@ZenIV>
Date: Thu, 9 Jan 2025 06:22:16 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Lizhi Xu <lizhi.xu@...driver.com>
Cc: syzbot+80e60df48923e1b7691d@...kaller.appspotmail.com,
	aivazian.tigran@...il.com, linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] bfs: put a inode if link count is 0

On Thu, Jan 09, 2025 at 11:49:46AM +0800, Lizhi Xu wrote:
> 
> The reproducer performs the rename operation on the file twice in succession
> and changes the file to the same file name.  After the first rename operation,
> the number of links in the inode is set to 0. In the second execution, the
> same inode is used, resulting in a 0 value warning for i_nlink. 
> 
> To avoid this issue, put the target inode before exiting the bfs_rename.

	This is completely insane - you get an extra drop of in-core inode
refcount, which *will* end up with dangling pointer and memory corruption.
Besides, there is a perfectly legitimate case when you open a file and
rename something on top of it.  It MUST remain open and alive until the
last in-core reference to inode goes away, which must not happen before
close().

	Frankly, if you do not understand why that is wrong, you should not
mess with anything filesystem-related until you learn the area enough.

NAK.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ