Date: Tue, 16 Aug 2022 12:46:42 +0200
From: Christian Brauner
To: Dongliang Mu
Cc: Alexander Viro, Dongliang Mu, butt3rflyh4ck, Hao Sun, Jiacheng Xu, stable@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] fs: fix UAF/GPF bug in nilfs_mdt_destroy
Message-ID: <20220816104642.qmjegdtthyzy5xbv@wittgenstein>
References: <20220816040859.659129-1-dzm91@hust.edu.cn>
In-Reply-To: <20220816040859.659129-1-dzm91@hust.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 16, 2022 at 12:08:58PM +0800, Dongliang Mu wrote:
> From: Dongliang Mu
>
> In alloc_inode, inode_init_always() could return -ENOMEM if
> security_inode_alloc() fails, which leaves inode->i_private
> uninitialized. Then nilfs_is_metadata_file_inode() returns
> true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
> which frees the uninitialized inode->i_private
> and leads to crashes (e.g., UAF/GPF).
>
> Fix this by moving security_inode_alloc just prior to
> this_cpu_inc(nr_inodes).
>
> Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
> Reported-by: butt3rflyh4ck
> Reported-by: Hao Sun
> Reported-by: Jiacheng Xu
> Signed-off-by: Dongliang Mu
> Cc: Al Viro
> Cc: stable@vger.kernel.org
> ---

Looks good to me,
Reviewed-by: Christian Brauner (Microsoft)
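The ordering problem the quoted patch fixes, as an added, constructed C model that is not kernel code: a non-zeroed slab slot, a fallible stand-in for security_inode_alloc(), and the two orderings of inode_init_always() side by side, with the free path reporting whether it would hand slab garbage to nilfs_mdt_destroy() instead of freeing anything. Function and field names mirror fs/inode.c and fs/nilfs2; their bodies are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the ordering bug: inodes come from a slab cache and
 * are not zeroed, so any field inode_init_always() has not yet assigned holds
 * whatever the previous occupant left behind. Bodies are stubs, not kernel code. */
struct inode {
    void *i_private;   /* nilfs marks metadata-file inodes via this field */
};
/* Simulated slab slot recycled from an earlier inode whose i_private pointed
 * at a since-freed nilfs mdt_info: the source of the dangling pointer. */
static char stale_mdt_info[16];
static struct inode *alloc_from_slab(void) {
    static struct inode slot;
    slot.i_private = stale_mdt_info;   /* garbage, not NULL */
    return &slot;
}
/* Stand-in for security_inode_alloc(); in the kernel it returns -ENOMEM when
 * the LSM blob allocation fails, the only failing step in the function. */
static int security_inode_alloc(struct inode *inode, bool lsm_fails) {
    (void)inode;
    return lsm_fails ? -1 : 0;
}
/* Before the fix: the fallible hook runs before i_private is initialised. */
static int inode_init_always_buggy(struct inode *inode, bool lsm_fails) {
    if (security_inode_alloc(inode, lsm_fails))
        return -1;                 /* i_private still holds slab garbage */
    inode->i_private = NULL;
    return 0;
}
/* After the fix: every field is initialised first and the hook comes last
 * (just before this_cpu_inc(nr_inodes) in the real function). */
static int inode_init_always_fixed(struct inode *inode, bool lsm_fails) {
    inode->i_private = NULL;
    if (security_inode_alloc(inode, lsm_fails))
        return -1;                 /* inode is fully initialised on failure */
    return 0;
}
/* alloc_inode() error path: init failed, so the filesystem's free hook runs.
 * nilfs_free_inode() calls nilfs_mdt_destroy() iff i_private != NULL; return
 * that decision instead of freeing, so the model itself stays memory-safe. */
bool free_path_would_destroy_garbage(bool use_fixed_ordering) {
    struct inode *inode = alloc_from_slab();
    int err = use_fixed_ordering ? inode_init_always_fixed(inode, true)
                                 : inode_init_always_buggy(inode, true);
    return err != 0 && inode->i_private != NULL;
}
```

The general rule the model illustrates: in an init routine whose failure path hands the object to a destructor, every field the destructor inspects must be initialised before the first call that can fail.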