From: Al Viro <viro@zeniv.linux.org.uk>
To: Christian Brauner <brauner@kernel.org>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Dongliang Mu" <mudongliangabcd@gmail.com>,
"Dongliang Mu" <dzm91@hust.edu.cn>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Carlos Llamas" <cmllamas@google.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Kees Cook" <keescook@chromium.org>,
syzkaller <syzkaller@googlegroups.com>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] binderfs: rework superblock destruction
Date: Wed, 17 Aug 2022 16:21:11 +0100
Message-ID: <Yv0HZ8lxn2m6sUut@ZenIV>
In-Reply-To: <20220817145144.mbcbvpepusdvrds4@wittgenstein>
On Wed, Aug 17, 2022 at 04:51:44PM +0200, Christian Brauner wrote:
> diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
> index 5c97f48cea91..d7d275ef132f 100644
> --- a/arch/s390/hypfs/inode.c
> +++ b/arch/s390/hypfs/inode.c
> @@ -329,9 +329,8 @@ static void hypfs_kill_super(struct super_block *sb)
> hypfs_delete_tree(sb->s_root);
> if (sb_info && sb_info->update_file)
> hypfs_remove(sb_info->update_file);
> - kfree(sb->s_fs_info);
> - sb->s_fs_info = NULL;
> kill_litter_super(sb);
> + kfree(sb->s_fs_info);
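Review bot: moving `kfree(sb->s_fs_info)` below `kill_litter_super(sb)` makes this hunk read `sb->s_fs_info` through a superblock that has already been torn down, which is exactly the use-after-free the devpts and ramfs hunks in this same patch avoid by saving the pointer in a local first. The function already has an `sb_info` local (see `if (sb_info && sb_info->update_file)` in the context above); if that is the `s_fs_info` pointer, the fix is simply `kfree(sb_info);` after `kill_litter_super(sb);`, otherwise capture `sb->s_fs_info` into a local before the call as the ramfs hunk does.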
UAF, that - *sb gets freed by the time you try to fetch sb->s_fs_info...
Fetch the pointer first, then destroy the object you've fetched it
from, then free what it points to...
> diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
> index 4f25015aa534..78a9095e1748 100644
> --- a/fs/devpts/inode.c
> +++ b/fs/devpts/inode.c
> @@ -509,10 +509,10 @@ static void devpts_kill_sb(struct super_block *sb)
> {
> struct pts_fs_info *fsi = DEVPTS_SB(sb);
>
> + kill_litter_super(sb);
> if (fsi)
> ida_destroy(&fsi->allocated_ptys);
> kfree(fsi);
> - kill_litter_super(sb);
> }
>
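Review bot: the ordering in this hunk is correct since `fsi` is taken from `DEVPTS_SB(sb)` before `kill_litter_super(sb)` and neither `ida_destroy` nor `kfree` touches `sb` afterwards; the one thing missing is a comment or commit-message sentence stating why the superblock teardown must precede the free, because nothing in the function itself records that ordering constraint and the reorder is otherwise easy to undo later as a "cleanup".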
That one's fine.
> static struct file_system_type devpts_fs_type = {
> diff --git a/fs/ramfs/inode.c b/fs/ramfs/inode.c
> index bc66d0173e33..bff49294e037 100644
> --- a/fs/ramfs/inode.c
> +++ b/fs/ramfs/inode.c
> @@ -280,8 +280,10 @@ int ramfs_init_fs_context(struct fs_context *fc)
>
> static void ramfs_kill_sb(struct super_block *sb)
> {
> - kfree(sb->s_fs_info);
> + struct ramfs_fs_info *fsi = sb->s_fs_info;
> +
> kill_litter_super(sb);
> + kfree(fsi);
> }
Cosmetical, really - see another posting in the same thread.
> static struct file_system_type ramfs_fs_type =
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 8fcdd494af27..fb1dae422d93 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -96,9 +96,8 @@ static int selinux_fs_info_create(struct super_block *sb)
> return 0;
> }
>
> -static void selinux_fs_info_free(struct super_block *sb)
> +static void selinux_fs_info_free(struct selinux_fs_info *fsi)
> {
> - struct selinux_fs_info *fsi = sb->s_fs_info;
> int i;
>
> if (fsi) {
> @@ -107,8 +106,7 @@ static void selinux_fs_info_free(struct super_block *sb)
> kfree(fsi->bool_pending_names);
> kfree(fsi->bool_pending_values);
> }
> - kfree(sb->s_fs_info);
> - sb->s_fs_info = NULL;
> + kfree(fsi);
> }
>
> #define SEL_INITCON_INO_OFFSET 0x01000000
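Review bot: dropping the `sb->s_fs_info = NULL` reset along with the signature change alters the contract of `selinux_fs_info_free()`: callers that free early now leave a dangling `s_fs_info` behind on the superblock, so every existing call site has to be checked against the new `sel_kill_sb` path, which frees `sb->s_fs_info` a second time. Either clear `sb->s_fs_info` at such call sites or, better, remove the early call and let `sel_kill_sb` own the free.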
> @@ -2180,7 +2178,7 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc)
> pr_err("SELinux: %s: failed while creating inodes\n",
> __func__);
>
> - selinux_fs_info_free(sb);
> + selinux_fs_info_free(fsi);
>
> return ret;
> }
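Review bot: this `selinux_fs_info_free(fsi);` on the `sel_fill_super()` error path is now a double free: it releases `fsi`, `return ret;` reports the failure, and the superblock is still torn down through `sel_kill_sb()`, which (per the later hunk) frees the same `sb->s_fs_info` again because the pointer is no longer reset to NULL. Remove this call from `sel_fill_super()` and rely on `sel_kill_sb()` for the free, as the rework already makes the kill path responsible for it.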
> @@ -2202,8 +2200,10 @@ static int sel_init_fs_context(struct fs_context *fc)
>
> static void sel_kill_sb(struct super_block *sb)
> {
> - selinux_fs_info_free(sb);
> + struct selinux_fs_info *fsi = sb->s_fs_info;
> +
> kill_litter_super(sb);
> + selinux_fs_info_free(fsi);
> }
A real bug, but an incomplete fix - you've just gotten yourself a double-free;
failure in sel_fill_super() has no need to do selinux_fs_info_free() now.