Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp474323imu;
        Tue, 27 Nov 2018 01:22:07 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Uu7csHEkkqyE6CmDWXVD1cDBOo8kjfLL/CsUA/RZ9WQoKCh9MJEuUqkWAjiKtt0uIUM5oy
X-Received: by 2002:a17:902:8e8b:: with SMTP id bg11mr32034316plb.332.1543310527142;
        Tue, 27 Nov 2018 01:22:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543310527; cv=none;
        d=google.com; s=arc-20160816;
        b=pBkQapeNQE2nDr4K0sMWVP2WNEe0KXm6nm4dShKF4VMvmBhDX2Q2QFcW6yArm0pSXz
         ++uiOuQvUnl36T0lHnU/FFRim4r/3YtaX8l7M1s2ww1ql3Z3qSS8DYrvMp+rSfcfPWig
         3jcLojuCOP8eMbB0I39gGd1dmF7Wpevcmee8Nc+5PXKOWiOqsDgvH6KOl2FbpZZI0NZg
         UROd3ZkpJje6GYDcNYxncXXyQAZNAYoLp89Ft8EsvHti4IiG8sFNPmVjLwgH7Qq7GyD9
         /Z7/2zGGxU6DZJzWg/uV4crARutuDHoiY6AFIR5NWj0rYLQcxnZUh2/sbpVDo6hcHOym
         nX+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=pmvV+yqssP2v/Rw1jPciL3QjYtIvDSwl8v5ry9U5oPc=;
        b=cPYzj0NmMgWXCFZrqXGJqFMwFxaM6tGd9BIsKNanoBkUAfKIyx1Yv7FaJSTXVD7BLv
         vCjZr8uRozd1wwx3MfRaZFSQxwDF+xCEEQy+DjJU+sPYSQ7cx7Oxz//iwyjqYHw7vmGH
         YmD81ZmntooWcT21YmTL40TOIzgnVdM/XUXxIKYXOYLxwJuCIIwK1xWofSfAJ77q9UIf
         6d3jHLzFsao0HMMopOtXBVrY/f812BIKbg4Q0Oz6BC0w4Swx2xtym2pSa+ebA6dcRAD/
         PNWDqHOMulhLZrGpwoHKAOVS4UHvtIYrIg1vqMjTTzBtv/UOwl435JLjVV4rZfr5S67B
         xqTw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g13si3178090pgk.165.2018.11.27.01.21.52;
        Tue, 27 Nov 2018 01:22:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730158AbeK0URA (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Tue, 27 Nov 2018 15:17:00 -0500
Received: from mx2.suse.de ([195.135.220.15]:44890 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1730087AbeK0URA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Nov 2018 15:17:00 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id 03D2FAF5A;
        Tue, 27 Nov 2018 09:19:44 +0000 (UTC)
Received: by quack2.suse.cz (Postfix, from userid 1000)
        id B0D8E1E07ED; Tue, 27 Nov 2018 10:19:43 +0100 (CET)
Date:   Tue, 27 Nov 2018 10:19:43 +0100
From:   Jan Kara <jack@suse.cz>
To:     Pan Bian <bianpan2016@163.com>
Cc:     Jan Kara <jack@suse.com>, linux-ext4@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ext2: fix potential use after free
Message-ID: <20181127091943.GB16301@quack2.suse.cz>
References: <1543107482-97334-1-git-send-email-bianpan2016@163.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1543107482-97334-1-git-send-email-bianpan2016@163.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun 25-11-18 08:58:02, Pan Bian wrote:
> The function ext2_xattr_set calls brelse(bh) to drop the reference count
> of bh. After that, bh may be freed. However, following brelse(bh),
> it reads bh->b_data via macro HDR(bh). This may result in a
> use-after-free bug. This patch moves brelse(bh) after reading field.
> 
> Signed-off-by: Pan Bian <bianpan2016@163.com>

Thanks for the fix! I've added the patch to my tree.

								Honza

> ---
>  fs/ext2/xattr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> index 62d9a659a..dd8f10d 100644
> --- a/fs/ext2/xattr.c
> +++ b/fs/ext2/xattr.c
> @@ -612,9 +612,9 @@ bad_block:		ext2_error(sb, "ext2_xattr_set",
>  	}
>  
>  cleanup:
> -	brelse(bh);
>  	if (!(bh && header == HDR(bh)))
>  		kfree(header);
> +	brelse(bh);
>  	up_write(&EXT2_I(inode)->xattr_sem);
>  
>  	return error;
> -- 
> 2.7.4
> 
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR