linux/fs/ext4
Baokun Li a71248b1ac ext4: fix use-after-free in ext4_orphan_cleanup
I caught an issue as follows:
==================================================================
 BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
 Read of size 8 at addr ffff88814b13f378 by task mount/710

 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
 Call Trace:
  <TASK>
  dump_stack_lvl+0x73/0x9f
  print_report+0x25d/0x759
  kasan_report+0xc0/0x120
  __asan_load8+0x99/0x140
  __list_add_valid+0x28/0x1a0
  ext4_orphan_cleanup+0x564/0x9d0 [ext4]
  __ext4_fill_super+0x48e2/0x5300 [ext4]
  ext4_fill_super+0x19f/0x3a0 [ext4]
  get_tree_bdev+0x27b/0x450
  ext4_get_tree+0x19/0x30 [ext4]
  vfs_get_tree+0x49/0x150
  path_mount+0xaae/0x1350
  do_mount+0xe2/0x110
  __x64_sys_mount+0xf0/0x190
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>
 [...]
==================================================================

The above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_orphan_cleanup
   --- loop1: assume last_orphan is 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
    ext4_truncate --> return 0
      ext4_inode_attach_jinode --> return -ENOMEM
    iput(inode) --> free inode<12>
   --- loop2: last_orphan is still 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
    // use inode<12> and trigger UAF

To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.

Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221102080633.1630225-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
2022-12-08 21:49:24 -05:00
.kunitconfig ext4: add .kunitconfig fragment to enable ext4-specific tests 2021-02-11 23:16:30 -05:00
acl.c fs/ext4: fix comments mentioning i_mutex 2022-02-03 10:57:53 -05:00
acl.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
balloc.c ext4: use ext4_debug() instead of jbd_debug() 2022-08-02 23:52:19 -04:00
bitmap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
block_validity.c ext4: add ext4_sb_block_valid() refactored out of ext4_inode_block_valid() 2022-02-25 21:34:56 -05:00
crypto.c ext4: refactor and move ext4_ioctl_get_encryption_pwsalt() 2022-05-21 22:24:24 -04:00
dir.c ext4: fix spelling errors in comments 2022-05-11 15:19:06 -04:00
ext4_extents.h ext4: fix sparse warnings 2021-08-30 23:36:50 -04:00
ext4_jbd2.c ext4: split ext4_journal_start trace for debug 2022-12-01 10:46:54 -05:00
ext4_jbd2.h ext4: split ext4_journal_start trace for debug 2022-12-01 10:46:54 -05:00
ext4.h ext4: fix undefined behavior in bit shift for ext4_check_flag_values 2022-12-08 21:49:23 -05:00
extents_status.c ext4: factor out ext4_free_ext_path() 2022-09-30 23:46:54 -04:00
extents_status.h ext4: fix extent_status trace points 2020-01-25 02:03:03 -05:00
extents.c fs/ext4: replace ternary operator with min()/max() and min_t() 2022-11-29 16:10:49 -05:00
fast_commit.c ext4: fix fortify warning in fs/ext4/fast_commit.c:1551 2022-11-06 01:07:59 -04:00
fast_commit.h ext4: introduce EXT4_FC_TAG_BASE_LEN helper 2022-09-30 23:46:54 -04:00
file.c The first two changes that involve files outside of fs/ext4: 2022-10-06 17:45:53 -07:00
fsmap.c treewide: Change list_sort to use const pointers 2021-04-08 16:04:22 -07:00
fsmap.h ext4: fsmap: fix the block/inode bitmap comment 2021-06-24 09:48:29 -04:00
fsync.c block: use an on-stack bio in blkdev_issue_flush 2021-01-27 09:51:48 -07:00
hash.c unicode: clean up the Kconfig symbol confusion 2022-01-20 19:57:24 -05:00
ialloc.c ext4: split ext4_journal_start trace for debug 2022-12-01 10:46:54 -05:00
indirect.c ext4: use ext4_debug() instead of jbd_debug() 2022-08-02 23:52:19 -04:00
inline.c fs/ext4: replace ternary operator with min()/max() and min_t() 2022-11-29 16:10:49 -05:00
inode-test.c fs: ext4: Modify inode-test.c to use KUnit parameterized testing feature 2020-12-02 16:07:25 -07:00
inode.c ext4: fix use-after-free in ext4_orphan_cleanup 2022-12-08 21:49:24 -05:00
ioctl.c ext4: fix bug_on in __es_tree_search caused by bad boot loader inode 2022-12-08 21:49:23 -05:00
Kconfig ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it 2021-02-11 23:12:59 -05:00
Makefile ext4: move ext4 crypto code to its own file crypto.c 2022-05-21 22:24:24 -04:00
mballoc.c ext4: fixup possible uninitialized variable access in ext4_mb_choose_next_group_cr1() 2022-09-26 13:21:05 -04:00
mballoc.h ext4: use buckets for cr 1 block scan instead of rbtree 2022-09-21 22:12:03 -04:00
migrate.c ext4: fix warning in 'ext4_da_release_space' 2022-11-06 01:07:59 -04:00
mmp.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
move_extent.c ext4: factor out ext4_free_ext_path() 2022-09-30 23:46:54 -04:00
namei.c Fix a number of bug fixes, including some regressions, the most 2022-11-06 10:30:29 -08:00
orphan.c ext4: remove trailing newline from ext4_msg() message 2022-12-08 21:49:23 -05:00
page-io.c ext4: fix incorrect comment in ext4_bio_write_page() 2022-06-16 11:03:16 -04:00
readpage.c fscrypt: stop using PG_error to track error status 2022-09-06 15:15:56 -07:00
resize.c ext4: remove redundant variable err 2022-12-01 10:46:54 -05:00
super.c ext4: don't allow journal inode to have encrypt flag 2022-12-08 21:49:24 -05:00
symlink.c ext4: fix reading leftover inlined symlinks 2022-08-02 23:37:50 -04:00
sysfs.c unicode: clean up the Kconfig symbol confusion 2022-01-20 19:57:24 -05:00
truncate.h ext4: Convert to use mapping->invalidate_lock 2021-07-13 14:29:00 +02:00
verity.c - Alistair Popple has a series which addresses a race which causes page 2022-10-14 12:28:43 -07:00
xattr_hurd.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_security.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_trusted.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr_user.c acl: handle idmapped mounts 2021-01-24 14:27:17 +01:00
xattr.c ext4: check the return value of ext4_xattr_inode_dec_ref() 2022-12-01 10:46:54 -05:00
xattr.h ext4: remove EA inode entry from mbcache on inode eviction 2022-08-02 23:56:25 -04:00