linux/fs
Baokun Li 99e9c5bd27 cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd()
[ Upstream commit de3e26f9e5 ]

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

             write(devfd, ("copen %u,%llu", msg->msg_id, size));
             cachefiles_ondemand_copen
              xa_erase(&cache->reqs, id)
              complete(&REQ_A->done)
   kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still
alive, which results in a request being processed multiple times thus
triggering a UAF. So to avoid this problem, add an additional reference
count to cachefiles_req, which is held while waiting and reading, and then
released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to
avoid the same request being completed multiple times, so we can only
complete the request if it is successfully removed from the xarray.

Fixes: e73fa11a35 ("cachefiles: add restore command to recover inflight ondemand read requests")
Suggested-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-4-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: 4b4391e77a ("cachefiles: defer exposing anon_fd until after copy_to_user() succeeds")
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:35:46 +02:00
..
9p 9p: add missing locking around taking dentry fid list 2024-06-16 13:41:37 +02:00
adfs
affs affs: initialize fsdata in affs_truncate() 2023-02-01 08:34:08 +01:00
afs afs: Don't cross .backup mountpoint from backup volume 2024-06-16 13:41:31 +02:00
autofs autofs: fix memory leak of waitqueues in autofs_catatonic_mode 2023-09-23 11:10:59 +02:00
befs
bfs
btrfs btrfs: fix leak of qgroup extent records after transaction abort 2024-06-21 14:35:42 +02:00
cachefiles cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() 2024-06-21 14:35:46 +02:00
ceph ceph: switch to corrected encoding of max_xattr_size in mdsmap 2024-03-15 10:48:13 -04:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-10 09:33:52 +01:00
configfs configfs: fix possible memory leak in configfs_create_dir() 2022-12-31 13:32:22 +01:00
cramfs fs/cramfs/inode.c: initialize file_ra_state 2023-03-10 09:34:09 +01:00
crypto blk-crypto: add a blk_crypto_config_supported_natively helper 2023-05-11 23:03:00 +09:00
debugfs debugfs: fix automount d_fsdata usage 2024-01-20 11:50:04 +01:00
devpts
dlm fs: dlm: don't put dlm_local_addrs on heap 2024-02-16 19:06:29 +01:00
ecryptfs ecryptfs: Fix buffer size for tag 66 packet 2024-06-12 11:03:04 +02:00
efivarfs efivarfs: Request at most 512 bytes for variable names 2024-03-06 14:45:11 +00:00
efs
erofs erofs: apply proper VMA alignment for memory mapped files on THP 2024-03-15 10:48:16 -04:00
exfat exfat: support handle zero-size directory 2023-11-28 17:07:00 +00:00
exportfs exportfs: use pr_debug for unreachable debug statements 2024-03-06 14:45:15 +00:00
ext2 ext2: fix datatype of block number in ext2_xattr_set2() 2023-09-23 11:11:05 +02:00
ext4 ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() 2024-06-16 13:41:40 +02:00
f2fs f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() 2024-06-16 13:41:32 +02:00
fat fat: fix uninitialized field in nostale filehandles 2024-04-03 15:19:27 +02:00
freevxfs
fscache netfs, fscache: Prevent Oops in fscache_put_cache() 2024-01-31 16:17:04 -08:00
fuse fuse: don't unhash root 2024-04-03 15:19:30 +02:00
gfs2 gfs2: Fix "ignore unlock failures after withdraw" 2024-06-12 11:03:10 +02:00
hfs hfs: fix missing hfs_bnode_get() in __hfs_bnode_create 2023-03-10 09:34:07 +01:00
hfsplus fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() 2023-05-24 17:32:34 +01:00
hostfs hostfs: move from strlcpy with unused retval to strscpy 2022-09-19 22:46:25 +02:00
hpfs
hugetlbfs mm/hugetlb: add hugetlb_folio_subpool() helpers 2024-05-17 11:55:51 +02:00
iomap iomap: write iomap validity checks 2024-05-25 16:21:31 +02:00
isofs isofs: handle CDs with bad root inode but good Joliet root directory 2024-04-13 13:05:06 +02:00
jbd2 jbd2: fix soft lockup in journal_finish_inode_data_buffers() 2024-01-20 11:50:07 +01:00
jffs2 jffs2: prevent xattr node from overflowing the eraseblock 2024-06-12 11:03:06 +02:00
jfs jfs: xattr: fix buffer overflow for invalid xattr 2024-06-21 14:35:43 +02:00
kernfs fs/kernfs/dir: obey S_ISGID 2024-02-05 20:12:58 +00:00
lockd lockd: fix file selection in nlmsvc_cancel_blocked 2024-03-06 14:45:16 +00:00
minix vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
netfs netfs: Only call folio_start_fscache() one time for each folio 2023-10-06 14:56:32 +02:00
nfs NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS 2024-06-16 13:41:41 +02:00
nfs_common
nfsd nfsd: don't allow nfsd threads to be signalled. 2024-05-25 16:21:30 +02:00
nilfs2 nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors 2024-06-21 14:35:42 +02:00
nls fs/nls: make load_nls() take a const parameter 2023-09-13 09:42:22 +02:00
notify fanotify: disallow mount/sb marks on kernel internal pseudo fs 2023-07-19 16:22:05 +02:00
ntfs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
ntfs3 fs/ntfs3: Use variable length array instead of fixed size 2024-06-12 11:03:46 +02:00
ocfs2 fs: ocfs2: namei: check return value of ocfs2_add_entry() 2023-09-13 09:42:33 +02:00
omfs
openpromfs openpromfs: finish conversion to the new mount API 2024-06-12 11:03:03 +02:00
orangefs Julia Lawall reported this null pointer dereference, this should fix it. 2024-04-13 13:05:08 +02:00
overlayfs ovl: remove upper umask handling from ovl_create_upper() 2024-06-12 11:03:39 +02:00
proc fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats 2024-03-15 10:48:22 -04:00
pstore pstore/zone: Add a null pointer check to the psz_kmsg_read 2024-04-13 13:04:57 +02:00
qnx4
qnx6 fs/qnx6: delete unnecessary checks before brelse() 2022-09-11 21:55:07 -07:00
quota quota: Fix rcu annotations of inode dquot pointers 2024-03-26 18:20:47 -04:00
ramfs shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs 2023-07-19 16:22:11 +02:00
reiserfs reiserfs: Check the return value from __getblk() 2023-09-13 09:42:27 +02:00
romfs
smb smb: client: fix deadlock in smb2_find_smb_tcon() 2024-06-16 13:41:42 +02:00
squashfs revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" 2023-02-22 12:59:50 +01:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-04-27 17:07:16 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 13:05:05 +02:00
tracefs tracefs: Add missing lockdown check to tracefs_create_dir() 2023-09-23 11:11:12 +02:00
ubifs ubifs: Set page uptodate in the correct place 2024-04-03 15:19:27 +02:00
udf udf: initialize newblock to 0 2023-09-13 09:43:05 +02:00
ufs ufs: replace ll_rw_block() 2022-09-11 20:26:07 -07:00
unicode
vboxsf vboxsf: Avoid an spurious warning if load_nls_xxx() fails 2024-04-10 16:28:25 +02:00
verity fsverity: skip PKCS#7 parser when keyring is empty 2023-09-13 09:43:03 +02:00
xfs xfs: short circuit xfs_growfs_data_private() if delta is zero 2024-05-25 16:21:34 +02:00
zonefs zonefs: Improve error handling 2024-02-23 09:12:45 +01:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-03 15:19:42 +02:00
anon_inodes.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
attr.c attr: block mode changes of symlinks 2023-09-23 11:11:10 +02:00
bad_inode.c vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
binfmt_elf_fdpic.c fs: binfmt_elf_efpic: fix personality for ELF-FDPIC 2023-10-06 14:57:06 +02:00
binfmt_elf_test.c
binfmt_elf.c mm: always expand the stack with the mmap write lock held 2023-07-01 13:16:25 +02:00
binfmt_flat.c
binfmt_misc.c binfmt_misc: fix shift-out-of-bounds in check_special_flags 2022-12-31 13:32:57 +01:00
binfmt_script.c
buffer.c - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
char_dev.c chardev: fix error handling in cdev_device_add() 2022-12-31 13:32:41 +01:00
compat_binfmt_elf.c
coredump.c coredump: Move dump_emit_page() to kill unused warning 2023-02-22 12:59:50 +01:00
d_path.c d_path.c: typo fix... 2022-08-20 11:34:33 -04:00
dax.c Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
dcache.c fast_dput(): handle underflows gracefully 2024-02-05 20:12:54 +00:00
direct-io.c block: remove PSI accounting from the bio layer 2022-09-20 08:24:38 -06:00
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-13 09:42:27 +02:00
eventpoll.c epoll: be better about file lifetimes 2024-06-12 11:03:03 +02:00
exec.c exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() 2024-04-03 15:19:48 +02:00
fcntl.c fs: Fix rw_hint validation 2024-03-26 18:20:28 -04:00
fhandle.c do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 2024-03-26 18:20:27 -04:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-08-16 10:59:54 -04:00
file.c file: reinstate f_pos locking optimization for regular files 2023-08-11 12:08:23 +02:00
filesystems.c
fs_context.c vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing 2023-09-13 09:42:28 +02:00
fs_parser.c ext4: journal_path mount options should follow links 2023-01-07 11:11:59 +01:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback, cgroup: switch inodes with dirty timestamps to release dying cgwbs 2023-11-20 11:51:50 +01:00
fsopen.c
init.c
inode.c filemap: add a per-mapping stable writes flag 2024-01-10 17:10:32 +01:00
internal.h nfs: use vfs setgid helper 2023-08-30 16:11:10 +02:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-01-31 16:17:00 -08:00
Kconfig smb: move client and server files to common directory fs/smb 2023-06-28 11:12:40 +02:00
Kconfig.binfmt Xtensa updates for v6.1 2022-10-10 14:21:11 -07:00
kernel_read_file.c
libfs.c libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value 2022-12-31 13:31:58 +01:00
locks.c filelock: add a new locks_inode_context accessor function 2024-03-06 14:45:16 +00:00
Makefile smb: move client and server files to common directory fs/smb 2023-06-28 11:12:40 +02:00
mbcache.c ext4: fix deadlock due to mbcache entry corruption 2023-01-07 11:12:02 +01:00
mount.h
mpage.c
namei.c rename(): fix the locking of subdirectories 2024-01-31 16:17:02 -08:00
namespace.c fs: relax mount_setattr() permission checks 2024-02-23 09:12:46 +01:00
no-block.c
nsfs.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
open.c open: make RESOLVE_CACHED correctly test for O_TMPFILE 2023-08-11 12:08:22 +02:00
pipe.c fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() 2024-04-10 16:28:30 +02:00
pnode.c pnode: terminate at peers of source 2023-01-04 11:29:01 +01:00
pnode.h
posix_acl.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
proc_namespace.c
read_write.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
readdir.c Change calling conventions for filldir_t 2022-08-17 17:25:04 -04:00
remap_range.c
select.c fs/select: rework stack allocation hack for clang 2024-03-26 18:20:28 -04:00
seq_file.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
signalfd.c
splice.c mm: merge folio_has_private()/filemap_release_folio() call pairs 2024-01-10 17:10:31 +01:00
stack.c
stat.c vfs: support STATX_DIOALIGN on block devices 2022-09-11 19:47:12 -05:00
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:32:51 +01:00
super.c fs: Protect reconfiguration of sb read-write from racing writes 2023-08-11 12:08:24 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Revert "userfaultfd: don't fail on unrecognized features" 2023-04-26 14:28:37 +02:00
utimes.c
xattr.c fs: don't audit the capability check in simple_xattr_list() 2022-12-31 13:31:55 +01:00