[PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link

linux-unionfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
@ 2025-02-14 21:51 Vasiliy Kovalev
  2025-02-15  9:30 ` Amir Goldstein
  2025-02-19 17:07 ` Christian Brauner
  0 siblings, 2 replies; 3+ messages in thread
From: Vasiliy Kovalev @ 2025-02-14 21:51 UTC (permalink / raw)
  To: Miklos Szeredi, Amir Goldstein, Gao Xiang, linux-unionfs
  Cc: linux-kernel, lvc-project, kovalev, syzbot+316db8a1191938280eb6

The issue was caused by dput(upper) being called before
ovl_dentry_update_reval(), while upper->d_flags was still
accessed in ovl_dentry_remote().

Move dput(upper) after its last use to prevent use-after-free.

BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
 ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
 ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
 ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
 vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
 </TASK>

Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up")
Reported-by: syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
 fs/overlayfs/copy_up.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 0c28e5fa34077..d7310fcf38881 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -618,7 +618,6 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c)
 	err = PTR_ERR(upper);
 	if (!IS_ERR(upper)) {
 		err = ovl_do_link(ofs, ovl_dentry_upper(c->dentry), udir, upper);
-		dput(upper);

 		if (!err) {
 			/* Restore timestamps on parent (best effort) */
@@ -626,6 +625,7 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c)
 			ovl_dentry_set_upper_alias(c->dentry);
 			ovl_dentry_update_reval(c->dentry, upper);
 		}
+		dput(upper);
 	}
 	inode_unlock(udir);
 	if (err)
-- 
2.42.2

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
  2025-02-14 21:51 [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up Vasiliy Kovalev
@ 2025-02-15  9:30 ` Amir Goldstein
  2025-02-19 17:07 ` Christian Brauner
  1 sibling, 0 replies; 3+ messages in thread
From: Amir Goldstein @ 2025-02-15  9:30 UTC (permalink / raw)
  To: Vasiliy Kovalev, Christian Brauner
  Cc: Miklos Szeredi, Gao Xiang, linux-unionfs, linux-kernel,
	lvc-project, syzbot+316db8a1191938280eb6

On Fri, Feb 14, 2025 at 10:51 PM Vasiliy Kovalev <kovalev@altlinux.org> wrote:
>
> The issue was caused by dput(upper) being called before
> ovl_dentry_update_reval(), while upper->d_flags was still
> accessed in ovl_dentry_remote().
>
> Move dput(upper) after its last use to prevent use-after-free.
>
> BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
> BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
>
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0xc3/0x620 mm/kasan/report.c:488
>  kasan_report+0xd9/0x110 mm/kasan/report.c:601
>  ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
>  ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
>  ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
>  ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
>  ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
>  ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
>  vfs_rename+0xf84/0x20a0 fs/namei.c:4893
> ...
>  </TASK>
>
> Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up")
> Reported-by: syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6
> Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>

Reviewed-by: Amir Goldstein <amir73il@gmail.com>

Christian,

Could you pick this up via vfs.fixes?

Thanks,
Amir.

> ---
>  fs/overlayfs/copy_up.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
> index 0c28e5fa34077..d7310fcf38881 100644
> --- a/fs/overlayfs/copy_up.c
> +++ b/fs/overlayfs/copy_up.c
> @@ -618,7 +618,6 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c)
>         err = PTR_ERR(upper);
>         if (!IS_ERR(upper)) {
>                 err = ovl_do_link(ofs, ovl_dentry_upper(c->dentry), udir, upper);
> -               dput(upper);
>
>                 if (!err) {
>                         /* Restore timestamps on parent (best effort) */
> @@ -626,6 +625,7 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c)
>                         ovl_dentry_set_upper_alias(c->dentry);
>                         ovl_dentry_update_reval(c->dentry, upper);
>                 }
> +               dput(upper);
>         }
>         inode_unlock(udir);
>         if (err)
> --
> 2.42.2
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
  2025-02-14 21:51 [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up Vasiliy Kovalev
  2025-02-15  9:30 ` Amir Goldstein
@ 2025-02-19 17:07 ` Christian Brauner
  1 sibling, 0 replies; 3+ messages in thread
From: Christian Brauner @ 2025-02-19 17:07 UTC (permalink / raw)
  To: Vasiliy Kovalev
  Cc: Christian Brauner, linux-kernel, lvc-project,
	syzbot+316db8a1191938280eb6, Miklos Szeredi, Amir Goldstein,
	Gao Xiang, linux-unionfs

On Sat, 15 Feb 2025 00:51:48 +0300, Vasiliy Kovalev wrote:
> The issue was caused by dput(upper) being called before
> ovl_dentry_update_reval(), while upper->d_flags was still
> accessed in ovl_dentry_remote().
> 
> Move dput(upper) after its last use to prevent use-after-free.
> 
> BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
> BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
> 
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
      https://git.kernel.org/vfs/vfs/c/c84e125fff26

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-02-19 17:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-14 21:51 [PATCH] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up Vasiliy Kovalev
2025-02-15  9:30 ` Amir Goldstein
2025-02-19 17:07 ` Christian Brauner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).