From: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
To: Jiacheng Xu <578001344xu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Subject: Re: KASAN: use-after-free in nilfs_mdt_destroy
Date: Mon, 15 Aug 2022 19:23:51 +0100 [thread overview]
Message-ID: <YvqPN2T3Q8pfnCoV@ZenIV> (raw)
In-Reply-To: <YvqKJppIL4lVCn9+@ZenIV>
On Mon, Aug 15, 2022 at 07:02:14PM +0100, Al Viro wrote:
> On Mon, Aug 15, 2022 at 10:03:21PM +0800, Jiacheng Xu wrote:
>
> > Patch:
> > Fix this bug by moving the assignment of inode->i_private before
> > security_inode_alloc.
> > An ad-hoc patch is proposed:
> > https://patchwork.kernel.org/project/linux-fsdevel/patch/20211011030956.2459172-1-mudongliangabcd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org/
>
> ... and that looks like utter bollocks. Why does security_inode_alloc()
> look at ->i_private? Which LSM is involved?
OK, I see... The role of security_inode_alloc() here is that it's
a possible cause of failure. And yes, dealing with that class of
bugs here might be better.
However, *IF* we go that way, why not move that thing to the
very end? Just prior to
this_cpu_inc(nr_inodes);
Sure, nilfs2 steps only into uninitialized ->i_private.
Who's to say that we won't run into somebody deciding that e.g.
inode->i_data.private_data is worth a look?
Just move the call of security_inode_alloc() down to immediately
before the nr_inode increment, with explanation along the lines
of
"In case of security_inode_alloc() failure the inode is passed to
->destroy_inode(); doing security_inode_alloc() last makes for
easier life for ->destroy_inode() instances - they can rely upon
the rest of inode_init_always() having been done. It's not
just a theoretical problem - nilfs2 has actually stepped into that
[reference to report]"
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@zeniv.linux.org.uk>
To: Jiacheng Xu <578001344xu@gmail.com>
Cc: linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org,
konishi.ryusuke@gmail.com, linux-nilfs@vger.kernel.org,
security@kernel.org
Subject: Re: KASAN: use-after-free in nilfs_mdt_destroy
Date: Mon, 15 Aug 2022 19:23:51 +0100 [thread overview]
Message-ID: <YvqPN2T3Q8pfnCoV@ZenIV> (raw)
In-Reply-To: <YvqKJppIL4lVCn9+@ZenIV>
On Mon, Aug 15, 2022 at 07:02:14PM +0100, Al Viro wrote:
> On Mon, Aug 15, 2022 at 10:03:21PM +0800, Jiacheng Xu wrote:
>
> > Patch:
> > Fix this bug by moving the assignment of inode->i_private before
> > security_inode_alloc.
> > An ad-hoc patch is proposed:
> > https://patchwork.kernel.org/project/linux-fsdevel/patch/20211011030956.2459172-1-mudongliangabcd@gmail.com/
>
> ... and that looks like utter bollocks. Why does security_inode_alloc()
> look at ->i_private? Which LSM is involved?
OK, I see... The role of security_inode_alloc() here is that it's
a possible cause of failure. And yes, dealing with that class of
bugs here might be better.
However, *IF* we go that way, why not move that thing to the
very end? Just prior to
this_cpu_inc(nr_inodes);
Sure, nilfs2 steps only into uninitialized ->i_private.
Who's to say that we won't run into somebody deciding that e.g.
inode->i_data.private_data is worth a look?
Just move the call of security_inode_alloc() down to immediately
before the nr_inode increment, with explanation along the lines
of
"In case of security_inode_alloc() failure the inode is passed to
->destroy_inode(); doing security_inode_alloc() last makes for
easier life for ->destroy_inode() instances - they can rely upon
the rest of inode_init_always() having been done. It's not
just a theoretical problem - nilfs2 has actually stepped into that
[reference to report]"
next prev parent reply other threads:[~2022-08-15 18:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-15 14:03 KASAN: use-after-free in nilfs_mdt_destroy Jiacheng Xu
2022-08-15 14:03 ` Jiacheng Xu
[not found] ` <CAO4S-mficMz1mQW06EuCF+o11+mRDiCpufqVfoHkcRbQbs8kVw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2022-08-15 18:02 ` Al Viro
2022-08-15 18:02 ` Al Viro
2022-08-15 18:23 ` Al Viro [this message]
2022-08-15 18:23 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2021-03-22 9:05 butt3rflyh4ck
2021-03-22 9:05 ` butt3rflyh4ck
2021-03-22 14:45 ` Ryusuke Konishi
2021-03-22 15:05 ` butt3rflyh4ck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvqPN2T3Q8pfnCoV@ZenIV \
--to=viro-rmsdqhl/ynmifsdqtta3olvcufugdwfn@public.gmane.org \
--cc=578001344xu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.