From: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
To: Jiacheng Xu <578001344xu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
Subject: Re: KASAN: use-after-free in nilfs_mdt_destroy
Date: Mon, 15 Aug 2022 19:23:51 +0100 [thread overview]
Message-ID: <YvqPN2T3Q8pfnCoV@ZenIV> (raw)
In-Reply-To: <YvqKJppIL4lVCn9+@ZenIV>
On Mon, Aug 15, 2022 at 07:02:14PM +0100, Al Viro wrote:
> On Mon, Aug 15, 2022 at 10:03:21PM +0800, Jiacheng Xu wrote:
>
> > Patch:
> > Fix this bug by moving the assignment of inode->i_private before
> > security_inode_alloc.
> > An ad-hoc patch is proposed:
> > https://patchwork.kernel.org/project/linux-fsdevel/patch/20211011030956.2459172-1-mudongliangabcd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org/
>
> ... and that looks like utter bollocks. Why does security_inode_alloc()
> look at ->i_private? Which LSM is involved?
OK, I see... The role of security_inode_alloc() here is that it's
a possible cause of failure. And yes, dealing with that class of
bugs here might be better.
However, *IF* we go that way, why not move that thing to the
very end? Just prior to
this_cpu_inc(nr_inodes);
Sure, nilfs2 steps only into uninitialized ->i_private.
Who's to say that we won't run into somebody deciding that e.g.
inode->i_data.private_data is worth a look?
Just move the call of security_inode_alloc() down to immediately
before the nr_inode increment, with explanation along the lines
of
"In case of security_inode_alloc() failure the inode is passed to
->destroy_inode(); doing security_inode_alloc() last makes for
easier life for ->destroy_inode() instances - they can rely upon
the rest of inode_init_always() having been done. It's not
just a theoretical problem - nilfs2 has actually stepped into that
[reference to report]"
next prev parent reply other threads:[~2022-08-15 18:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-15 14:03 KASAN: use-after-free in nilfs_mdt_destroy Jiacheng Xu
[not found] ` <CAO4S-mficMz1mQW06EuCF+o11+mRDiCpufqVfoHkcRbQbs8kVw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2022-08-15 18:02 ` Al Viro
2022-08-15 18:23 ` Al Viro [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-03-22 9:05 butt3rflyh4ck
2021-03-22 14:45 ` Ryusuke Konishi
2021-03-22 15:05 ` butt3rflyh4ck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvqPN2T3Q8pfnCoV@ZenIV \
--to=viro-rmsdqhl/ynmifsdqtta3olvcufugdwfn@public.gmane.org \
--cc=578001344xu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=konishi.ryusuke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nilfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).