From: Dmitry Kadashev
Date: Wed, 1 Sep 2021 14:35:08 +0700
Subject: Re: [PATCH] namei: Fix use after free in kern_path_locked
To: Stephen Brennan
Cc: Alexander Viro, Jens Axboe, linux-fsdevel, linux-kernel@vger.kernel.org
In-Reply-To: <20210901001341.79887-1-stephen.s.brennan@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 1, 2021 at 7:13 AM Stephen Brennan wrote:
>
> In 0ee50b47532a ("namei: change filename_parentat() calling
> conventions"), filename_parentat() was made to always put the struct
> filename before returning, and kern_path_locked() was migrated to this
> calling convention. However, kern_path_locked() uses the "last"
> parameter to lookup and potentially create a new dentry. The last
> parameter contains the last component of the path and points within the
> filename, which was recently freed at the end of filename_parentat().
> Thus, when kern_path_locked() calls __lookup_hash(), it is using the
> filename after it has already been freed.
>
> To avoid this, switch back to __filename_parentat() and place a putname
> at the end of the function, once all uses are completed.

Ouch.
Thanks for taking care of this, Stephen.

I guess filename_parentat() should be killed, since kern_path_locked() was the only place it's used in and it always results in dangling "last", provoking bugs just like this one. I can send a patch on top of this if you prefer.

--
Dmitry