From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Dae R. Jeong" <threeearcat@gmail.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
byoungyoung@purdue.edu, kt0755@gmail.com, bammanag@purdue.edu
Subject: Re: KASAN: use-after-free Read in link_path_walk
Date: Tue, 24 Jul 2018 06:29:29 +0100
Message-ID: <20180724052929.GI30522@ZenIV.linux.org.uk>
In-Reply-To: <20180724051726.GH30522@ZenIV.linux.org.uk>
On Tue, Jul 24, 2018 at 06:17:26AM +0100, Al Viro wrote:
> On Tue, Jul 24, 2018 at 12:45:42PM +0900, Dae R. Jeong wrote:
> > Diagnosis:
> > We think that it is possible that link_path_walk() dereferences a
> > freed pointer when cleanup_mnt() is executed between path_init() and
> > link_path_walk().
> >
> > Since I'm not an expert on a file system and don't fully understand
> > the crash, please see an executed program and a crash log below in
> > case that my understanding is wrong.
> >
> >
> > Executed Program:
> > Thread0                          Thread1
> > mkdir("./file0")
> > |--------------------------|
> > |                          mount("./file0", "./file0", "devpts", 0x0, "")
> > |                          |
> > openat(AT_FDCWD,           chroot("./file0")
> >   "/dev/vcs", 0x200, 0x0)  umount("./file0", 0x2)
> >
> > The openat(), chroot(), and umount() syscalls are executed after the mount() syscall.
> > We think a race occurs between openat() and chroot() because RaceFuzzer
> > executed openat() and chroot() concurrently.
> >
> >
> > (Possible) Thread interleaving:
> > CPU0 (path_openat) CPU1 (cleanup_mnt)
Wait a bloody minute. Where does cleanup_mnt() come from in that thing?
You are doing lazy-umount of the thing you've chrooted into; if it ends
up with zero refcount on that mount, we are already in deep, deep trouble,
races with open() or not. Simply following that with stat / (in thread 1,
without thread0 at all) would end up accessing the same vfsmount. And
if it's been freed, we are well and truly fucked, race or no race.
I really want details. *Is* cleanup_mnt() called by thread 1 in your
reproducer before the use-after-free hits? And what's the root of
thread 0 at that point?
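The syscall sequence quoted above, reconstructed as a runnable C skeleton so the interleaving can be tried on a KASAN kernel. This is an added example, not the RaceFuzzer program and not code from anyone in the thread; the flag decoding (0x200 taken as O_TRUNC on x86-64, 0x2 as MNT_DETACH) and the names `run_reproducer` and `race_ctx` are my assumptions. It has to run as root in a throwaway VM: a hit is a kernel splat, and even a miss leaves the process chrooted into a lazily detached devpts mount, which is exactly the state Al is asking about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shared by the two racing threads (hypothetical struct name).  Both threads
 * belong to one process and therefore share its fs_struct: thread1's chroot()
 * changes the root against which thread0's openat() resolves "/dev/vcs".
 * A fork()ed child would get its own root and could not reproduce this. */
struct race_ctx {
    const char *dir;    /* mount point and chroot target, e.g. "./file0" */
    int iterations;     /* number of openat() calls thread0 issues */
    int open_errors;    /* openat() failures seen by thread0 */
    int setup_errors;   /* chroot()/umount2() failures seen by thread1 */
};

/* Thread0 of the quoted program: openat(AT_FDCWD, "/dev/vcs", 0x200, 0x0).
 * 0x200 is O_TRUNC on x86-64 (assumption); the flag does not matter for the
 * race, the path walk of "/dev/vcs" under a changing root does. */
static void *thread0_open(void *arg)
{
    struct race_ctx *ctx = arg;

    for (int i = 0; i < ctx->iterations; i++) {
        int fd = openat(AT_FDCWD, "/dev/vcs", O_TRUNC, 0);
        if (fd < 0)
            ctx->open_errors++;
        else
            close(fd);
    }
    return NULL;
}

/* Thread1 of the quoted program: chroot into the devpts mount, then
 * lazy-unmount it (0x2 == MNT_DETACH).  "./file0" is resolved relative to the
 * cwd, which chroot() leaves untouched, so the umount still finds the mount. */
static void *thread1_chroot_umount(void *arg)
{
    struct race_ctx *ctx = arg;

    if (chroot(ctx->dir) < 0)
        ctx->setup_errors++;
    if (umount2(ctx->dir, MNT_DETACH) < 0)
        ctx->setup_errors++;
    return NULL;
}

/* mkdir + mount as in the quoted program, then run the two threads.
 * Returns -1 when setup fails (not root, mkdir or mount error), otherwise the
 * number of syscall errors the racing threads hit. */
int run_reproducer(const char *dir, int iterations)
{
    struct race_ctx ctx = { .dir = dir, .iterations = iterations };
    pthread_t t0, t1;

    if (geteuid() != 0) {
        errno = EPERM;          /* mount() and chroot() need CAP_SYS_ADMIN */
        return -1;
    }
    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    if (mount(dir, dir, "devpts", 0, "") < 0)
        return -1;

    if (pthread_create(&t0, NULL, thread0_open, &ctx) != 0)
        return -1;
    if (pthread_create(&t1, NULL, thread1_chroot_umount, &ctx) != 0) {
        pthread_join(t0, NULL);
        return -1;
    }
    pthread_join(t0, NULL);
    pthread_join(t1, NULL);
    return ctx.open_errors + ctx.setup_errors;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "./file0";
    int rc = run_reproducer(dir, 100000);

    if (rc < 0) {
        perror("run_reproducer");
        return 1;
    }
    printf("no crash this run (%d syscall errors); process root is now on a "
           "detached devpts mount, re-run in a fresh process to retry\n", rc);
    return 0;
}
```

The window is narrow, so a single run rarely hits it; loop the binary from a script inside the VM and watch the console for the KASAN report. Outside a VM, or without root, `run_reproducer` refuses to do anything and returns -1, which is the only case the sanity check below exercises.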
Thread overview: 8+ messages
2018-07-24 3:45 KASAN: use-after-free Read in link_path_walk Dae R. Jeong
2018-07-24 4:08 ` DaeRyong Jeong
2018-07-24 5:17 ` Al Viro
2018-07-24 5:29 ` Al Viro [this message]
2018-07-24 5:54 ` DaeRyong Jeong
2018-08-06 13:01 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2018-11-28 17:40 syzbot
2019-03-25 4:52 ` syzbot