Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp3086933rwb; Mon, 15 Aug 2022 17:48:39 -0700 (PDT) X-Google-Smtp-Source: AA6agR6eXcwEa1WSt5so34T7FJlFFY4zCjBC/Kpuy1ZbS22A5gEortSVCL/KhPdNuQssoZV6uX15 X-Received: by 2002:aa7:d88a:0:b0:440:916e:706d with SMTP id u10-20020aa7d88a000000b00440916e706dmr16123824edq.167.1660610919404; Mon, 15 Aug 2022 17:48:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660610919; cv=none; d=google.com; s=arc-20160816; b=ujiTs7wK//1NKkuQvwLYgLkDeRnrkydzN5D5h/NZkAWClSZcIPJotIlv5Chz2CBpln GUgxjzm41iUdiWWz209Wmz2sjcx4mjpVLfFZWWRiwKPD6MFhhRpixN/Gl+/r1oN42RoF 8U33NJuqn1RwxhzSberMDXael2ETxEI9tc9iUpz497+ZTLQnq70X8I5ohlKhGZkDYNy6 U8FW0mxfADIvF/PGrebM5KBxuV76MTdXNYQd7JzLnaxATNZtsrZrNmOAUVQcbDP4pkTP PGxoYxiPpCwLRXYAg/a9QmWwtFeWDin1T6XPb/de/Qgz41U5szDVXUCtW/p7+9Rapm/1 COvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=edBKqiVnU84WIOC5Qmj5Rk7CwLqtESwhF2nX0tSKFBo=; b=QuFEwlTIduy/B12MGr3OpLQzqLQcVhT5av86DuWadC85VLUA0fSt/zyxQUV9AWKFQV cAzWfimilRUl6StsCR4S5upAf0f+p4kJ424ROhnqv2yPpIeRA9Qgaa4sjHZcQjzyWJc0 z2PiAiiTV8ttOnaW4FrZNPpKHW73jU9y8XMyJEJhc0hihdFwUh4OwjRsvsr6fpqX+gnQ 1N3ESIooc4A/ugWItInxpf8F5RV3k6a8mTqw4Iqj7jifwuA2lpcorM9SQyl5RparLTZg Iq0YXdUsh5Hb1H7E8hSRc4fcCC1eGL47v1dt5HH25GS7IbXxp3XVPUrYxJRByjMuJCTu 11ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=qDe9CTka; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hb40-20020a170907162800b0072ab62adfe9si11214302ejc.237.2022.08.15.17.48.14; Mon, 15 Aug 2022 17:48:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=qDe9CTka; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350975AbiHPA2Y (ORCPT + 99 others); Mon, 15 Aug 2022 20:28:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1355808AbiHPA0w (ORCPT ); Mon, 15 Aug 2022 20:26:52 -0400 Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8A35A924F; Mon, 15 Aug 2022 13:34:33 -0700 (PDT) Received: by mail-lf1-x12e.google.com with SMTP id a9so12088606lfm.12; Mon, 15 Aug 2022 13:34:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=edBKqiVnU84WIOC5Qmj5Rk7CwLqtESwhF2nX0tSKFBo=; b=qDe9CTkaYOZ8QfGGEZWgKVaU6v0Be3OJaGRxWiA/Gip12e6+QSOm7BQy8NHS99Vl8J kXXaVp08xA725DVH0WEKUkl78emxsl++Z3MJcrsXhCwFqS2RXGm/EtgApd0XVgzPAMoS oRI1c9StJ748f73evLhknd1xfoYVYNwDof8RD9eIwRyQLGtbT+aBz7JkFmqzuIF9yMTf IXBNbxmV7HGZ/v4REGo8UHR2FSjhqZM69UdtlwAXn3Gs0HEuFUvPZDs40ldPpnGMKard fqb4EQtz2g8ELtQt/xXaTs74RDZaMeOiBS88ZkTW3crVT6mod5gWWU7dXKcuK8KV+NSC Hghw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=edBKqiVnU84WIOC5Qmj5Rk7CwLqtESwhF2nX0tSKFBo=; b=llMdcaq1lQJ2uO9FU88lRPWunx0elrFuC79juaOTVKDNFr1UC4X3zU7/epQ5rZIe+z a2FoRiyeMX+HaT9m2RU1tN3AlSiQXshEqHEyXT7MFvco2IDEbcCDNh59n7LD2yxBf0IT 3lZLg9muyehdIxSJa2F6yf5dPm8RBmPWj2AVyYxAH2ts3im1zWnGCSMKNf7BcwJR/ckM EN7P415pbKzgYlzny1e04oPaUmtikBhj3Gt7+HGC7mNpqhFEcmRcA0/yZlw9puCY9HO8 SDOVat4l+Lha/xenwZQOxAmDR78oT57T3f/doTnx3csUVKbfDHR+1HGVQeq5LhMMkdJq ESXg== X-Gm-Message-State: ACgBeo2flfr1YucvyKzE4KYn3HsHN6C/Y07NWEYZ5ZC2aJZ4f/LhhYZo E0xT0K9QOTNq+UdSpyraVF5UsIFQQkRtkpUHnJU= X-Received: by 2002:a05:6512:308a:b0:48b:4dd:5362 with SMTP id z10-20020a056512308a00b0048b04dd5362mr6146081lfd.575.1660595670001; Mon, 15 Aug 2022 13:34:30 -0700 (PDT) MIME-Version: 1.0 References: <20220815175114.23576-1-konishi.ryusuke@gmail.com> In-Reply-To: From: Ryusuke Konishi Date: Tue, 16 Aug 2022 05:34:12 +0900 Message-ID: Subject: Re: [PATCH] nilfs2: fix use-after-free bug in nilfs_mdt_destroy() To: Al Viro Cc: Andrew Morton , linux-nilfs , LKML , Jiacheng Xu , Mudong Liang Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 16, 2022 at 3:27 AM Al Viro wrote: > > On Tue, Aug 16, 2022 at 02:51:14AM +0900, Ryusuke Konishi wrote: > > In alloc_inode(), inode_init_always() could return -ENOMEM if > > security_inode_alloc() fails. If this happens for nilfs2, > > nilfs_free_inode() is called without initializing inode->i_private and > > nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees > > uninitialized inode->i_private and can trigger a crash. > > > > Fix this bug by initializing inode->i_private in nilfs_alloc_inode(). > > > > Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com > > Link: https://lkml.kernel.org/r/20211011030956.2459172-1-mudongliangabcd@gmail.com > > Reported-by: butt3rflyh4ck > > Reported-by: Hao Sun > > Reported-by: Jiacheng Xu > > Reported-by: Mudong Liang > > Signed-off-by: Ryusuke Konishi > > Cc: Al Viro > > --- > > fs/nilfs2/super.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/fs/nilfs2/super.c b/fs/nilfs2/super.c > > index ba108f915391..aca5614f1b44 100644 > > --- a/fs/nilfs2/super.c > > +++ b/fs/nilfs2/super.c > > @@ -159,6 +159,7 @@ struct inode *nilfs_alloc_inode(struct super_block *sb) > > ii->i_cno = 0; > > ii->i_assoc_inode = NULL; > > ii->i_bmap = &ii->i_bmap_data; > > + ii->vfs_inode.i_private = NULL; > > return &ii->vfs_inode; > > } > > FWIW, I think it's better to deal with that in inode_init_always(), but > not just moving ->i_private initialization up - we ought to move > security_inode_alloc() to the very end. No sense playing whack-a-mole > with further possible bugs of that sort... Yes, I agree it's better if security_inode_alloc() is moved to the end as possible in the sense of avoiding similar issues. But, would that vfs change be safe to backport to stable trees? It looks like the error handling for security_inode_alloc() is in the middle of inode_init_always() for a very long time.. If you want to see the impact of the vfs change, I think it's one way to apply this one in advance. Or if you want to fix it in one step, I think it's good too. How do you feel about this ? Thanks, Ryusuke Konishi