* [PATCH] btrfs: Fix UAF
@ 2018-01-26 13:20 Nikolay Borisov
2018-01-29 2:38 ` Anand Jain
2018-01-30 14:07 ` [RESEND PATCH] btrfs: Fix UAF when cleaning up fs_devs with a single stale device Nikolay Borisov
0 siblings, 2 replies; 6+ messages in thread
From: Nikolay Borisov @ 2018-01-26 13:20 UTC (permalink / raw)
To: linux-btrfs; +Cc: dsterba, anand.jain, Nikolay Borisov
Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
btrfs_free_stale_device which iterates the device lists for all
registered btrfs filesystems and deletes those devices which aren't
mounted. If a btrfs_devices structure has only 1 device attached to it
and it is unused then btrfs_free_stale_devices will proceed to also
free the btrfs_fs_devices struct itself. Currently this leads to a UAF
since list_for_each_entry will try to perform a check on the
already-freed memory to see if it has to terminate the loop.
The fix is to use 'break' when we know we are freeing the current
fs_devs.
Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index f7147740b68e..c3ab55336ee0 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -645,6 +645,7 @@ static void btrfs_free_stale_devices(const char *path,
btrfs_sysfs_remove_fsid(fs_devs);
list_del(&fs_devs->list);
free_fs_devices(fs_devs);
+ break;
} else {
fs_devs->num_devices--;
list_del(&dev->dev_list);
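Review bot: the added `break;` after `free_fs_devices(fs_devs);` needs a comment in the hunk saying why leaving the loop is mandatory at this point: once `free_fs_devices(fs_devs)` returns, `fs_devs` is freed memory, and the loop's termination test (the `list_for_each_entry` check the commit message names) would read it. A one-line comment above the `break;`, e.g. `/* fs_devs and its device list are freed; do not touch them again */`, keeps a later reader from removing it as a premature exit, which is exactly the question a reviewer asks when a `break` appears in a loop that is meant to visit every stale device.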
--
2.7.4
* Re: [PATCH] btrfs: Fix UAF
From: Anand Jain @ 2018-01-29 2:38 UTC (permalink / raw)
To: Nikolay Borisov, linux-btrfs; +Cc: dsterba
On 01/26/2018 09:20 PM, Nikolay Borisov wrote:
> Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
> btrfs_free_stale_device which iterates the device lists for all
> registered btrfs filesystems and deletes those devices which aren't
> mounted. If a btrfs_devices structure has only 1 device attached to it
> and it is unused then btrfs_free_stale_devices will proceed to also
> free the btrfs_fs_devices struct itself. Currently this leads to a UAF
> since list_for_each_entry will try to perform a check on the
> already-freed memory to see if it has to terminate the loop.
>
> The fix is to use 'break' when we know we are freeing the current
> fs_devs.
No break is needed as we need to iterate all stale devices and delete
the found stale entry, so commit [1] used list_for_each_entry_safe()
and removed the break,
[1]
commit 38cf665d338fca33af4b16f9ec7cad6637fc0fec
Author: Anand Jain <Anand.Jain@oracle.com>
btrfs: make btrfs_free_stale_device() to iterate all stales
I am guessing the UAF might be in [2], instead?
[2]
free_fs_devices(fs_devs)
::
    while (!list_empty(&fs_devices->devices)) {
        device = list_entry(fs_devices->devices.next,
                            struct btrfs_device, dev_list);
Thanks, Anand
> Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
> Signed-off-by: Nikolay Borisov <nborisov@suse.com>
>
> ---
> fs/btrfs/volumes.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
> index f7147740b68e..c3ab55336ee0 100644
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -645,6 +645,7 @@ static void btrfs_free_stale_devices(const char *path,
> btrfs_sysfs_remove_fsid(fs_devs);
> list_del(&fs_devs->list);
> free_fs_devices(fs_devs);
> + break;
> } else {
> fs_devs->num_devices--;
> list_del(&dev->dev_list);
>
* Re: [PATCH] btrfs: Fix UAF
From: Nikolay Borisov @ 2018-01-29 7:01 UTC (permalink / raw)
To: Anand Jain, linux-btrfs; +Cc: dsterba
On 29.01.2018 04:38, Anand Jain wrote:
>
>
> On 01/26/2018 09:20 PM, Nikolay Borisov wrote:
>> Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
>> btrfs_free_stale_device which iterates the device lists for all
>> registered btrfs filesystems and deletes those devices which aren't
>> mounted. If a btrfs_devices structure has only 1 device attached to it
>> and it is unused then btrfs_free_stale_devices will proceed to also
>> free the btrfs_fs_devices struct itself. Currently this leads to a UAF
>> since list_for_each_entry will try to perform a check on the
>> already-freed memory to see if it has to terminate the loop.
>>
>> The fix is to use 'break' when we know we are freeing the current
>> fs_devs.
>
> No break is needed as we need to iterate all stale devices and delete
> the found stale entry, so commit [1] used list_for_each_entry_safe()
> and removed the break,
We only do the break if we know we have a single device in the current
fs_devs struct. And executing free_fs_devices would have already freed
the device + fs_devs.
>
> [1]
> commit 38cf665d338fca33af4b16f9ec7cad6637fc0fec
> Author: Anand Jain <Anand.Jain@oracle.com>
> btrfs: make btrfs_free_stale_device() to iterate all stales
>
>
> I am guessing the UAF might be in [2], instead?
>
> [2]
> free_fs_devices(fs_devs)
> ::
>     while (!list_empty(&fs_devices->devices)) {
>         device = list_entry(fs_devices->devices.next,
>                             struct btrfs_device, dev_list);
It's not that, I thought so at first. But here using list_empty you are
always accessing the head of the list, which is guaranteed to be
valid since you do the freeing of fs_devices outside of the while loop.
>
> Thanks, Anand
>
>> Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
>> Signed-off-by: Nikolay Borisov <nborisov@suse.com>
>>
>> ---
>> fs/btrfs/volumes.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>> index f7147740b68e..c3ab55336ee0 100644
>> --- a/fs/btrfs/volumes.c
>> +++ b/fs/btrfs/volumes.c
>> @@ -645,6 +645,7 @@ static void btrfs_free_stale_devices(const char
>> *path,
>> btrfs_sysfs_remove_fsid(fs_devs);
>> list_del(&fs_devs->list);
>> free_fs_devices(fs_devs);
>> + break;
>> } else {
>> fs_devs->num_devices--;
>> list_del(&dev->dev_list);
>>
>
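Added example, not code from the patch or from the btrfs tree: a user-space model of the two iteration questions in this thread, the commit message's claim that the loop's termination check reads the freed fs_devs, and the list_empty() point above about free_fs_devices() touching only the list head. The list helpers, the struct names and the `freed` flag that stands in for kfree() are constructed for illustration; `scan_stale_devices()` hand-expands list_for_each_entry_safe() so the test that dereferences fs_devs is visible, and `demo()` returns how many times that test read the released container (or -1 if the container was never released).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive list, same shape as the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
}
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Constructed stand-ins for btrfs_device and btrfs_fs_devices. */
struct device { struct list_head dev_list; };
struct fs_devices {
	struct list_head devices;	/* head of this filesystem's device list */
	unsigned int num_devices;
	bool freed;			/* constructed: stands in for kfree(fs_devs) */
};

/* Reads of the container after it was "freed" are counted here instead of
 * being undefined behaviour, so the hazard is measurable rather than a crash. */
static int freed_accesses;

static struct list_head *devices_head(struct fs_devices *fs_devs)
{
	if (fs_devs->freed)
		freed_accesses++;
	return &fs_devs->devices;
}

/* Models free_fs_devices(): list_empty() reads only the head, which is
 * still valid here because the container is released after the loop. */
static void free_fs_devices(struct fs_devices *fs_devs)
{
	while (!list_empty(&fs_devs->devices)) {
		struct device *dev = container_of(fs_devs->devices.next,
						  struct device, dev_list);
		list_del(&dev->dev_list);
		free(dev);
	}
	fs_devs->freed = true;		/* real code: kfree(fs_devs) */
}

/* Models the per-device loop of btrfs_free_stale_devices() with every device
 * treated as stale. list_for_each_entry_safe() is expanded by hand so the
 * termination test, which dereferences fs_devs, is visible. */
static int scan_stale_devices(struct fs_devices *fs_devs, bool with_break)
{
	struct list_head *pos, *n;

	freed_accesses = 0;
	for (pos = devices_head(fs_devs)->next, n = pos->next;
	     pos != devices_head(fs_devs);	/* reads fs_devs every iteration */
	     pos = n, n = pos->next) {
		struct device *dev = container_of(pos, struct device, dev_list);

		if (fs_devs->num_devices == 1) {
			free_fs_devices(fs_devs);	/* frees dev and fs_devs */
			if (with_break)
				break;		/* the patch: leave before the test runs */
		} else {
			fs_devs->num_devices--;
			list_del(&dev->dev_list);
			free(dev);
		}
	}
	return freed_accesses;
}

/* Builds a filesystem with ndev stale devices and runs the scan. */
int demo(unsigned int ndev, bool with_break)
{
	struct fs_devices *fs_devs = calloc(1, sizeof(*fs_devs));
	unsigned int i;
	int reads;

	INIT_LIST_HEAD(&fs_devs->devices);
	for (i = 0; i < ndev; i++) {
		struct device *dev = calloc(1, sizeof(*dev));
		list_add_tail(&dev->dev_list, &fs_devs->devices);
		fs_devs->num_devices++;
	}
	reads = scan_stale_devices(fs_devs, with_break);
	if (!fs_devs->freed)
		reads = -1;		/* stale filesystem was not cleaned up */
	free(fs_devs);
	return reads;
}

int main(void)
{
	printf("1 device, no break: %d freed read(s)\n", demo(1, false));
	printf("1 device, break:    %d freed read(s)\n", demo(1, true));
	printf("3 devices, break:   %d freed read(s)\n", demo(3, true));
	return 0;
}
```

With one stale device and no `break`, the loop's next termination test reads the released container exactly once; with the `break` it is never touched again, and the multi-device case shows the else branch still drains the list before the final device triggers the release.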
* Re: [PATCH] btrfs: Fix UAF
From: Anand Jain @ 2018-01-29 12:55 UTC (permalink / raw)
To: Nikolay Borisov, linux-btrfs; +Cc: dsterba
On 01/29/2018 03:01 PM, Nikolay Borisov wrote:
>
>
> On 29.01.2018 04:38, Anand Jain wrote:
>>
>>
>> On 01/26/2018 09:20 PM, Nikolay Borisov wrote:
>>> Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
>>> btrfs_free_stale_device which iterates the device lists for all
>>> registered btrfs filesystems and deletes those devices which aren't
>>> mounted. If a btrfs_devices structure has only 1 device attached to it
>>> and it is unused then btrfs_free_stale_devices will proceed to also
>>> free the btrfs_fs_devices struct itself. Currently this leads to a UAF
>>> since list_for_each_entry will try to perform a check on the
>>> already-freed memory to see if it has to terminate the loop.
>>>
>>> The fix is to use 'break' when we know we are freeing the current
>>> fs_devs.
>>
>> No break is needed as we need to iterate all stale devices and delete
>> the found stale entry, so commit [1] used list_for_each_entry_safe()
>> and removed the break,
>
> We only do the break if we know we have a single device in the current
> fs_devs struct. And executing free_fs_devices would have already freed
> the device + fs_devs.
>
>>
>> [1]
>> commit 38cf665d338fca33af4b16f9ec7cad6637fc0fec
>> Author: Anand Jain <Anand.Jain@oracle.com>
>> btrfs: make btrfs_free_stale_device() to iterate all stales
>>
>>
>> I am guessing the UAF might be in [2], instead?
>>
>> [2]
>> free_fs_devices(fs_devs)
>> ::
>>     while (!list_empty(&fs_devices->devices)) {
>>         device = list_entry(fs_devices->devices.next,
>>                             struct btrfs_device, dev_list);
>
> It's not that, I thought so at first. But here using list_empty you are
> always accessing the head of the list, which is guaranteed to be
> valid since you do the freeing of fs_devices outside of the while loop.
break when num_devices == 1 is fine;
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Thanks, Anand
>>
>> Thanks, Anand
>>
>>> Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
>>> Signed-off-by: Nikolay Borisov <nborisov@suse.com>
>>>
>>> ---
>>> fs/btrfs/volumes.c | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>>> index f7147740b68e..c3ab55336ee0 100644
>>> --- a/fs/btrfs/volumes.c
>>> +++ b/fs/btrfs/volumes.c
>>> @@ -645,6 +645,7 @@ static void btrfs_free_stale_devices(const char
>>> *path,
>>> btrfs_sysfs_remove_fsid(fs_devs);
>>> list_del(&fs_devs->list);
>>> free_fs_devices(fs_devs);
>>> + break;
>>> } else {
>>> fs_devs->num_devices--;
>>> list_del(&dev->dev_list);
>>>
>>
* [RESEND PATCH] btrfs: Fix UAF when cleaning up fs_devs with a single stale device
From: Nikolay Borisov @ 2018-01-30 14:07 UTC (permalink / raw)
To: dsterba; +Cc: linux-btrfs, Nikolay Borisov
Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
btrfs_free_stale_device which iterates the device lists for all
registered btrfs filesystems and deletes those devices which aren't
mounted. If a btrfs_devices structure has only 1 device attached to it
and it is unused then btrfs_free_stale_devices will proceed to also
free the btrfs_fs_devices struct itself. Currently this leads to a UAF
since list_for_each_entry will try to perform a check on the
already-freed memory to see if it has to terminate the loop.
The fix is to use 'break' when we know we are freeing the current
fs_devs.
Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
---
Changed the subject to make it more descriptive
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index f7147740b68e..c3ab55336ee0 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -645,6 +645,7 @@ static void btrfs_free_stale_devices(const char *path,
btrfs_sysfs_remove_fsid(fs_devs);
list_del(&fs_devs->list);
free_fs_devices(fs_devs);
+ break;
} else {
fs_devs->num_devices--;
list_del(&dev->dev_list);
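Review bot: the `break;` in this resend still carries no comment recording that `fs_devs` is released by the preceding `free_fs_devices(fs_devs);` and must not be referenced again by the loop; a one-line comment above it would make the `num_devices == 1` branch self-explanatory without the mailing-list context. Separately, the resend only carries `Signed-off-by:` while the identical hunk already received `Reviewed-by: Anand Jain <anand.jain@oracle.com>` in the earlier thread; that tag should be added below the Signed-off-by so it is not lost when the patch is applied.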
--
2.7.4
* Re: [RESEND PATCH] btrfs: Fix UAF when cleaning up fs_devs with a single stale device
From: David Sterba @ 2018-02-02 16:03 UTC (permalink / raw)
To: Nikolay Borisov; +Cc: dsterba, linux-btrfs
On Tue, Jan 30, 2018 at 04:07:37PM +0200, Nikolay Borisov wrote:
> Commit 4fde46f0cc71 ("Btrfs: free the stale device") introduced
> btrfs_free_stale_device which iterates the device lists for all
> registered btrfs filesystems and deletes those devices which aren't
> mounted. If a btrfs_devices structure has only 1 device attached to it
> and it is unused then btrfs_free_stale_devices will proceed to also
> free the btrfs_fs_devices struct itself. Currently this leads to a UAF
> since list_for_each_entry will try to perform a check on the
> already-freed memory to see if it has to terminate the loop.
>
> The fix is to use 'break' when we know we are freeing the current
> fs_devs.
>
> Fixes: 4fde46f0cc71 ("Btrfs: free the stale device")
> Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Added to next, thanks.