* Potential use-after-return in fs/fs-writeback.c
@ 2016-11-29 12:38 David Gens
From: David Gens @ 2016-11-29 12:38 UTC (permalink / raw)
  To: linux-fsdevel

Hi,

my name is David; I work as a research assistant at TU Darmstadt, Germany.
We are currently developing a static analysis tool to find dangling pointer
vulnerabilities automatically in large code bases, based on LLVM.

We think we found a potential use-after-return in move_expired_inodes in the
file fs/fs-writeback.c. This is the relevant code (at least 3.11-4.8):

    static long wb_writeback(struct bdi_writeback *wb,
                             struct wb_writeback_work *work)
    {
         unsigned long oldest_jif;
         ...
         work->older_than_this = &oldest_jif;
         ...
    }

    static int move_expired_inodes(struct list_head *delaying_queue,
                                   struct list_head *dispatch_queue,
                                   int flags,
                                   struct wb_writeback_work *work)
    {
         unsigned long *older_than_this = NULL;
         ...
         older_than_this = work->older_than_this;
         ...
         if (older_than_this &&
             inode_dirtied_after(inode, *older_than_this))
             break;
         ...
    }

The address of a local stack element is written to the wb_writeback_work object
retrieved from the work list in wb_do_writeback. If the auto_free property of
the object is not set, it will not be freed upon returning from the calling
function, which results in our tool reporting the situation as a vulnerability.

The pointer is dereferenced in move_expired_inodes, and passed as an argument to
inode_dirtied_after. Currently, this does not appear to be exploitable. We
investigated the issue, but were unable to falsify our report, hence this email.
Apologies if we overlooked something trivial or failed to adhere to the code of
conduct on this mailing list.

Best wishes,
David Gens
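The pattern the report describes (a stack slot's address stored into a longer-lived work item, then read through a NULL-guarded pointer) in a small stand-alone model, with two hardened variants beside it. This is an added example, not code from the email or from the kernel: the struct layout, MODEL_HZ, the 30-second expire interval and all function names except those quoted in the excerpt are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

#define MODEL_HZ 100UL   /* constructed tick rate for the model */

/* Stand-in for the work item in the report. Field names follow the
 * excerpt; the layout is assumed and is not the kernel's definition. */
struct wb_writeback_work {
    unsigned long *older_than_this;  /* pointer form, as in the excerpt */
    unsigned long dirtied_before;    /* by-value alternative */
    bool has_cutoff;
};

/* time_after()-style comparison: true if 'dirtied' is later than 'cutoff',
 * i.e. the inode is too recent and move_expired_inodes would stop. */
static bool inode_dirtied_after(unsigned long dirtied, unsigned long cutoff)
{
    return (long)(dirtied - cutoff) > 0;
}

/* The reported pattern: &oldest_jif escapes into the work item. Hardened by
 * clearing the reference before the frame dies, so any later reader hits the
 * existing NULL guard instead of a dead stack slot. Returns 1 if 'dirtied'
 * is newer than the cutoff. */
static int writeback_pointer_form(struct wb_writeback_work *work,
                                  unsigned long now, unsigned long dirtied)
{
    unsigned long oldest_jif = now - 30 * MODEL_HZ;  /* constructed interval */
    int newer;

    work->older_than_this = &oldest_jif;
    newer = work->older_than_this &&
            inode_dirtied_after(dirtied, *work->older_than_this);
    work->older_than_this = NULL;  /* &oldest_jif must not outlive this frame */
    return newer;
}

/* Variant that removes the dangling-pointer class entirely by carrying the
 * cutoff by value in the work item. */
static int writeback_value_form(struct wb_writeback_work *work,
                                unsigned long now, unsigned long dirtied)
{
    work->dirtied_before = now - 30 * MODEL_HZ;
    work->has_cutoff = true;
    return inode_dirtied_after(dirtied, work->dirtied_before);
}

/* A reader that runs after the producing function returned (the situation
 * flagged when the work item is not freed). With the hardening above it sees
 * either a by-value cutoff or "no cutoff", never a dead frame. */
static bool late_reader_skips(const struct wb_writeback_work *work,
                              unsigned long dirtied)
{
    if (work->has_cutoff)
        return inode_dirtied_after(dirtied, work->dirtied_before);
    return work->older_than_this &&
           inode_dirtied_after(dirtied, *work->older_than_this);
}
```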
