From: Luis Chamberlain <mcgrof@kernel.org>
To: Ming Lei <ming.lei@redhat.com>, yu kuai <yukuai3@huawei.com>
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk,
	gregkh@linuxfoundation.org, rostedt@goodmis.org,
	mingo@redhat.com, jack@suse.cz, nstange@suse.de, mhocko@suse.com,
	linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, yukuai3@huawei.com
Subject: Re: [RFC 0/3] block: address blktrace use-after-free
Date: Fri, 3 Apr 2020 14:06:01 +0000
Message-ID: <20200403140601.GP11244@42.do-not-panic.com>
In-Reply-To: <20200403081929.GC6887@ming.t460p>

On Fri, Apr 03, 2020 at 04:19:29PM +0800, Ming Lei wrote:
> On Wed, Apr 01, 2020 at 11:59:59PM +0000, Luis Chamberlain wrote:
> > Upstream kernel.org korg#205713 contends that there is a UAF in
> > the core debugfs debugfs_remove() function, and has gone through
> > pushing for a CVE for this, CVE-2019-19770.
> > 
> > If correct then parent dentries are not positive, and this would
> > have implications far beyond this bug report. Thankfully, upon review
> > with Nicolai, he wasn't buying it. His suspicions that this was just
> > a blktrace issue were spot on, and this patch series demonstrates
> > that, provides a reproducer, and provides a solution to the issue.
> > 
> > We therefore would like to contend that CVE-2019-19770 is invalid. The
> > implications suggested are not correct, and this issue is only
> > triggerable with root, by shooting yourself in the foot by misusing
> > blktrace.
> > 
> > If you want this on a git tree, you can get it from linux-next
> > 20200401-blktrace-fix-uaf branch [2].
> > 
> > Wider review, testing, and rants are appreciated.
> > 
> > [0] https://bugzilla.kernel.org/show_bug.cgi?id=205713
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770
> > [2] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux-next.git/log/?h=20200401-blktrace-fix-uaf
> > 
> > Luis Chamberlain (3):
> >   block: move main block debugfs initialization to its own file
> >   blktrace: fix debugfs use after free
> >   block: avoid deferral of blk_release_queue() work
> > 
> >  block/Makefile               |  1 +
> >  block/blk-core.c             |  9 +--------
> >  block/blk-debugfs.c          | 27 +++++++++++++++++++++++++++
> >  block/blk-mq-debugfs.c       |  5 -----
> >  block/blk-sysfs.c            | 21 ++++++++-------------
> >  block/blk.h                  | 17 +++++++++++++++++
> >  include/linux/blktrace_api.h |  1 -
> >  kernel/trace/blktrace.c      | 19 ++++++++-----------
> >  8 files changed, 62 insertions(+), 38 deletions(-)
> >  create mode 100644 block/blk-debugfs.c
> 
> BTW, Yu Kuai posted one patch for this issue, looks that approach
> is simpler:
> 
> https://lore.kernel.org/linux-block/20200324132315.22133-1-yukuai3@huawei.com/

I cannot see how renaming the possible target directory to a temporary
directory instead of unifying it for both SQ and MQ could be any
simpler. IMHO this keeps the mess and fragile nature of the issue.

The approach taken here unifies the directory we should use for both SQ
and MQ and makes the deferral issue a completely separate issue
addressed in the last patch.

  Luis
