linux-block.vger.kernel.org archive mirror
* [RFC 0/3] block: address blktrace use-after-free
@ 2020-04-01 23:59 Luis Chamberlain
From: Luis Chamberlain @ 2020-04-01 23:59 UTC
  To: axboe, viro, gregkh, rostedt, mingo, jack, ming.lei, nstange
  Cc: mhocko, linux-block, linux-fsdevel, linux-kernel, Luis Chamberlain

Upstream kernel.org korg#205713 contends that there is a UAF in
the core debugfs debugfs_remove() function, and has gone through
pushing for a CVE for this, CVE-2019-19770.

If correct then parent dentries are not positive, and this would
have implications far beyond this bug report. Thankfully, upon review
with Nicolai, he wasn't buying it. His suspicions that this was just
a blktrace issue were spot on, and this patch series demonstrates
that, provides a reproducer, and provides a solution to the issue.

We therefore would like to contend CVE-2019-19770 as invalid. The
implications suggested are not correct, and this issue is only
triggerable with root, by shooting yourself in the foot by misusing
blktrace.

If you want this on a git tree, you can get it from linux-next
20200401-blktrace-fix-uaf branch [2].

Wider review, testing, and rants are appreciated.

[0] https://bugzilla.kernel.org/show_bug.cgi?id=205713
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770
[2] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux-next.git/log/?h=20200401-blktrace-fix-uaf

Luis Chamberlain (3):
  block: move main block debugfs initialization to its own file
  blktrace: fix debugfs use after free
  block: avoid deferral of blk_release_queue() work

 block/Makefile               |  1 +
 block/blk-core.c             |  9 +--------
 block/blk-debugfs.c          | 27 +++++++++++++++++++++++++++
 block/blk-mq-debugfs.c       |  5 -----
 block/blk-sysfs.c            | 21 ++++++++-------------
 block/blk.h                  | 17 +++++++++++++++++
 include/linux/blktrace_api.h |  1 -
 kernel/trace/blktrace.c      | 19 ++++++++-----------
 8 files changed, 62 insertions(+), 38 deletions(-)
 create mode 100644 block/blk-debugfs.c

-- 
2.25.1



Thread overview: 29+ messages
2020-04-01 23:59 [RFC 0/3] block: address blktrace use-after-free Luis Chamberlain
2020-04-02  0:00 ` [RFC 1/3] block: move main block debugfs initialization to its own file Luis Chamberlain
2020-04-05  3:12   ` Bart Van Assche
2020-04-06 14:23     ` Luis Chamberlain
2020-04-02  0:00 ` [RFC 2/3] blktrace: fix debugfs use after free Luis Chamberlain
2020-04-02  1:57   ` Eric Sandeen
2020-04-02 16:14     ` Luis Chamberlain
2020-04-05  3:39   ` Bart Van Assche
2020-04-06  1:27     ` Eric Sandeen
2020-04-06  4:25       ` Bart Van Assche
2020-04-06  9:18         ` Nicolai Stange
2020-04-06 15:19           ` Luis Chamberlain
2020-04-07  8:15             ` Luis Chamberlain
2020-04-06 14:29         ` Eric Sandeen
2020-04-07  8:09           ` Luis Chamberlain
2020-04-06 15:14     ` Luis Chamberlain
2020-04-02  0:00 ` [RFC 3/3] block: avoid deferral of blk_release_queue() work Luis Chamberlain
2020-04-02  3:39   ` Bart Van Assche
2020-04-02 14:49     ` Nicolai Stange
2020-04-06  9:11       ` Nicolai Stange
2020-04-09 18:11       ` Luis Chamberlain
2020-04-02  7:44 ` [RFC 0/3] block: address blktrace use-after-free Greg KH
2020-04-03  8:19 ` Ming Lei
2020-04-03 14:06   ` Luis Chamberlain
2020-04-03 14:13   ` Bart Van Assche
2020-04-03 19:49     ` Luis Chamberlain
2020-04-07  2:47   ` yukuai (C)
2020-04-07 19:00     ` Luis Chamberlain
2020-04-09 20:59       ` Luis Chamberlain
