korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-11 12:28:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
9f13aacdd4
linux/fs/9p
History
Dominique Martinet cb299cdba0 9p: add missing locking around taking dentry fid list 
commit c898afdc15 upstream.

Fix a use-after-free on dentry's d_fsdata fid list when a thread
looks up a fid through dentry while another thread unlinks it:

UAF thread:
refcount_t: addition on 0; use-after-free.
 p9_fid_get linux/./include/net/9p/client.h:262
 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

Freed by:
 p9_fid_destroy (inlined)
 p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
 p9_fid_put linux/./include/net/9p/client.h:278
 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

The problem is that d_fsdata was not accessed under d_lock, because
d_release() normally is only called once the dentry is otherwise no
longer accessible but since we also call it explicitly in v9fs_remove
that lock is required:
move the hlist out of the dentry under lock then unref its fids once
they are no longer accessible.

Fixes: 154372e67d ("fs/9p: fix create-unlink-getattr idiom")
Cc: stable@vger.kernel.org
Reported-by: Meysam Firouzi
Reported-by: Amirmohammad Eftekhar
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Message-ID: <20240521122947.1080227-1-asmadeus@codewreck.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:41:37 +02:00
..
acl.c 9p: fix a bunch of checkpatch warnings 2021-11-04 21:04:25 +09:00
acl.h 9p: fix a bunch of checkpatch warnings 2021-11-04 21:04:25 +09:00
cache.c mm, netfs, fscache: stop read optimisation when folio removed from pagecache 2024-01-10 17:10:31 +01:00
cache.h 9p: Use fscache indexing rewrite and reenable caching 2022-01-10 11:53:06 +00:00
fid.c 9p: Fix some kernel-doc comments 2022-07-02 18:52:21 +09:00
fid.h 9p fid refcount: cleanup p9_fid_put calls 2022-07-02 18:52:21 +09:00
Kconfig 9p: Use fscache indexing rewrite and reenable caching 2022-01-10 11:53:06 +00:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
v9fs_vfs.h 9p: Fix initialisation of netfs_inode for 9p 2024-02-05 20:12:59 +00:00
v9fs.c netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context 2022-06-09 13:55:00 -07:00
v9fs.h netfs: Further cleanups after struct netfs_inode wrapper introduced 2022-06-10 20:55:21 +01:00
vfs_addr.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
vfs_dentry.c 9p: add missing locking around taking dentry fid list 2024-06-16 13:41:37 +02:00
vfs_dir.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
vfs_file.c 9p: explicitly deny setlease attempts 2024-05-17 11:56:09 +02:00
vfs_inode_dotl.c 9p: Fix initialisation of netfs_inode for 9p 2024-02-05 20:12:59 +00:00
vfs_inode.c fs/9p: translate O_TRUNC into OTRUNC 2024-05-17 11:56:08 +02:00
vfs_super.c fs/9p: drop inodes immediately on non-.L too 2024-05-17 11:56:09 +02:00
xattr.c 9p: v9fs_listxattr: fix %s null argument warning 2023-11-28 17:07:01 +00:00
xattr.h 9p: fix a bunch of checkpatch warnings 2021-11-04 21:04:25 +09:00