From: Al Viro <viro@zeniv.linux.org.uk>
To: Christian Brauner <brauner@kernel.org>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Dongliang Mu" <mudongliangabcd@gmail.com>,
"Dongliang Mu" <dzm91@hust.edu.cn>,
"Arve Hjønnevåg" <arve@android.com>,
"Todd Kjos" <tkjos@android.com>,
"Martijn Coenen" <maco@android.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Carlos Llamas" <cmllamas@google.com>,
"Suren Baghdasaryan" <surenb@google.com>,
"Kees Cook" <keescook@chromium.org>,
syzkaller <syzkaller@googlegroups.com>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] binderfs: rework superblock destruction
Date: Wed, 17 Aug 2022 16:21:11 +0100
Message-ID: <Yv0HZ8lxn2m6sUut@ZenIV>
In-Reply-To: <20220817145144.mbcbvpepusdvrds4@wittgenstein>
On Wed, Aug 17, 2022 at 04:51:44PM +0200, Christian Brauner wrote:
> diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
> index 5c97f48cea91..d7d275ef132f 100644
> --- a/arch/s390/hypfs/inode.c
> +++ b/arch/s390/hypfs/inode.c
> @@ -329,9 +329,8 @@ static void hypfs_kill_super(struct super_block *sb)
> hypfs_delete_tree(sb->s_root);
> if (sb_info && sb_info->update_file)
> hypfs_remove(sb_info->update_file);
> - kfree(sb->s_fs_info);
> - sb->s_fs_info = NULL;
> kill_litter_super(sb);
> + kfree(sb->s_fs_info);
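Review bot: the `+ kfree(sb->s_fs_info);` line re-reads sb after kill_litter_super(sb) has already torn it down, which is a use-after-free. The function already holds the pointer in `sb_info` (used two lines up in `if (sb_info && sb_info->update_file)`), so free that local instead, i.e. `kfree(sb_info);` after `kill_litter_super(sb);`, and never touch sb again once kill_litter_super() has returned.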
UAF, that - *sb gets freed by the time you try to fetch sb->s_fs_info...
Fetch the pointer first, then destroy the object you've fetched it
from, then free what it points to...
> diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
> index 4f25015aa534..78a9095e1748 100644
> --- a/fs/devpts/inode.c
> +++ b/fs/devpts/inode.c
> @@ -509,10 +509,10 @@ static void devpts_kill_sb(struct super_block *sb)
> {
> struct pts_fs_info *fsi = DEVPTS_SB(sb);
>
> + kill_litter_super(sb);
> if (fsi)
> ida_destroy(&fsi->allocated_ptys);
> kfree(fsi);
> - kill_litter_super(sb);
> }
>
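Review bot: this ordering is correct: `fsi` is read from sb before `kill_litter_super(sb)`, so `ida_destroy()` and `kfree()` only touch the local. Minor style point: `kfree(fsi)` sitting outside the `if (fsi)` is fine because kfree(NULL) is a no-op, so the guard only has to cover the `ida_destroy()` call.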
That one's fine.
> static struct file_system_type devpts_fs_type = {
> diff --git a/fs/ramfs/inode.c b/fs/ramfs/inode.c
> index bc66d0173e33..bff49294e037 100644
> --- a/fs/ramfs/inode.c
> +++ b/fs/ramfs/inode.c
> @@ -280,8 +280,10 @@ int ramfs_init_fs_context(struct fs_context *fc)
>
> static void ramfs_kill_sb(struct super_block *sb)
> {
> - kfree(sb->s_fs_info);
> + struct ramfs_fs_info *fsi = sb->s_fs_info;
> +
> kill_litter_super(sb);
> + kfree(fsi);
> }
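Review bot: purely a reordering with no functional change: `fsi` is captured before `kill_litter_super(sb)` and nothing in between touches sb, so the shape now matches devpts_kill_sb() above. The order looks arbitrary without explanation, so a one-line comment above `kfree(fsi);` saying the free has to come after the superblock teardown would be worth adding.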
Cosmetical, really - see another posting in the same thread.
> static struct file_system_type ramfs_fs_type =
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 8fcdd494af27..fb1dae422d93 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -96,9 +96,8 @@ static int selinux_fs_info_create(struct super_block *sb)
> return 0;
> }
>
> -static void selinux_fs_info_free(struct super_block *sb)
> +static void selinux_fs_info_free(struct selinux_fs_info *fsi)
> {
> - struct selinux_fs_info *fsi = sb->s_fs_info;
> int i;
>
> if (fsi) {
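Review bot: dropping the `sb` parameter is the right direction, but now that selinux_fs_info_free() neither reads nor clears sb->s_fs_info it must be called exactly once per fsi; a short comment above the function stating that the caller owns the pointer and that sel_kill_sb() is the one place that frees it would make that contract visible to the next person touching the error paths.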
> @@ -107,8 +106,7 @@ static void selinux_fs_info_free(struct super_block *sb)
> kfree(fsi->bool_pending_names);
> kfree(fsi->bool_pending_values);
> }
> - kfree(sb->s_fs_info);
> - sb->s_fs_info = NULL;
> + kfree(fsi);
> }
>
> #define SEL_INITCON_INO_OFFSET 0x01000000
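Review bot: removing the `- sb->s_fs_info = NULL;` line changes what a second free does. Previously that assignment is what made a later call from sel_kill_sb() harmless, since it ended up as kfree(NULL); with it gone, any path that calls selinux_fs_info_free() before ->kill_sb runs frees fsi twice. Either keep the NULLing where sb is available, or make sure no such earlier caller remains.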
> @@ -2180,7 +2178,7 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc)
> pr_err("SELinux: %s: failed while creating inodes\n",
> __func__);
>
> - selinux_fs_info_free(sb);
> + selinux_fs_info_free(fsi);
>
> return ret;
> }
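Review bot: double free. `selinux_fs_info_free(fsi);` on the sel_fill_super() failure path is now followed by sel_kill_sb() (the VFS still runs ->kill_sb via deactivate_locked_super() when fill_super fails), which frees the same fsi again, and with the old `sb->s_fs_info = NULL` gone nothing stops it. Drop this call and let sel_kill_sb() do the freeing, i.e. go straight to `return ret;` after the pr_err().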
> @@ -2202,8 +2200,10 @@ static int sel_init_fs_context(struct fs_context *fc)
>
> static void sel_kill_sb(struct super_block *sb)
> {
> - selinux_fs_info_free(sb);
> + struct selinux_fs_info *fsi = sb->s_fs_info;
> +
> kill_litter_super(sb);
> + selinux_fs_info_free(fsi);
> }
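Review bot: the ordering here is fine on its own: `fsi` is read before `kill_litter_super(sb)`, and selinux_fs_info_free() keeps its `if (fsi)` guard, so a mount that failed before selinux_fs_info_create() attached anything just frees NULL. This is now the sole place fsi may be freed, so any other caller of selinux_fs_info_free() on a live superblock is a bug.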
A real bug, but an incomplete fix - you've just gotten yourself a double-free;
failure in sel_fill_super() has no need to do selinux_fs_info_free() now.
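The ordering rule Al states above (fetch the pointer, tear down the object it was fetched from, then free what it points to) and the double free he points out on the sel_fill_super() failure path, as an added user-space model. This is example code written for this page, not kernel code and not part of Christian's patch. It assumes, as the VFS does, that ->kill_sb() still runs when fill_super fails (vfs_get_super() calls deactivate_locked_super() on the error path); the struct and function names are stand-ins for the kernel's, and the model_, demo_ and simulate_ functions are hypothetical.

```c
/*
 * Added example, not kernel code: a user-space model of the ->kill_sb()
 * ordering discussed above.  Names mirror the kernel's only as stand-ins;
 * the model_, demo_ and simulate_ functions are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct fs_info {
	char *names;	/* stand-in for per-fs allocations (cf. bool_pending_names) */
	bool freed;	/* demo bookkeeping: set once fs_info_free() has run */
};
struct super_block {
	struct fs_info *s_fs_info;
};

static int double_free_count;	/* fs_info_free() calls on an already freed fs_info */

/* Stand-in for kill_litter_super(): once it returns, *sb must not be read. */
static void model_kill_litter_super(struct super_block *sb)
{
	memset(sb, 0xa5, sizeof(*sb));	/* poison, not free: wrong order stays observable */
}

/* Stand-in for selinux_fs_info_free(fsi): frees members, counts double frees. */
static void fs_info_free(struct fs_info *fsi)
{
	if (!fsi)
		return;
	if (fsi->freed) {		/* a real kfree() pair would corrupt the slab */
		double_free_count++;
		return;
	}
	free(fsi->names);
	fsi->freed = true;		/* object itself kept so the flag stays readable */
}

/* Wrong order (the hypfs hunk): s_fs_info is re-read after the sb is torn down. */
struct fs_info *kill_sb_read_after_teardown(struct super_block *sb)
{
	model_kill_litter_super(sb);
	return sb->s_fs_info;		/* poison; the real code would kfree() this */
}

/* Order Al asks for: fetch, destroy the container, then free what was fetched. */
struct fs_info *kill_sb_fetch_first(struct super_block *sb)
{
	struct fs_info *fsi = sb->s_fs_info;

	model_kill_litter_super(sb);
	fs_info_free(fsi);
	return fsi;
}

/* Returns 1 when the re-read pointer no longer matches the attached fs_info. */
int demo_stale_read(void)
{
	struct fs_info fsi = { 0 };
	struct super_block sb = { .s_fs_info = &fsi };
	return (uintptr_t)kill_sb_read_after_teardown(&sb) != (uintptr_t)&fsi;
}

/* Returns 1 when fetch-first freed exactly the attached fs_info, and only once. */
int demo_fetch_first(void)
{
	struct fs_info fsi = { .names = calloc(16, 1) };
	struct super_block sb = { .s_fs_info = &fsi };
	double_free_count = 0;
	return kill_sb_fetch_first(&sb) == &fsi && fsi.freed && double_free_count == 0;
}

/* Stand-in for sel_fill_super(): attaches an fs_info, then fails creating inodes. */
static int model_fill_super(struct super_block *sb, bool free_on_failure)
{
	struct fs_info *fsi = calloc(1, sizeof(*fsi));

	if (!fsi)
		return -ENOMEM;
	fsi->names = calloc(16, 1);
	sb->s_fs_info = fsi;
	/* ... inode creation fails here ... */
	if (free_on_failure)
		fs_info_free(fsi);	/* the error-path free left in the selinuxfs hunk */
	return -EIO;
}

/* Stand-in for vfs_get_super(): a failed fill_super still ends in ->kill_sb()
 * via deactivate_locked_super().  Returns the number of double frees seen. */
int simulate_failed_mount(bool free_on_failure)
{
	struct super_block *sb = calloc(1, sizeof(*sb));
	struct fs_info *fsi;

	if (!sb)
		return -ENOMEM;
	double_free_count = 0;
	model_fill_super(sb, free_on_failure);	/* always fails in this model */
	fsi = kill_sb_fetch_first(sb);		/* ->kill_sb() runs despite the error */
	free(fsi);
	free(sb);
	return double_free_count;
}
```

Build with a plain cc and call the demo_ and simulate_ functions from a main(). The model poisons the superblock instead of freeing it, so the wrong order returns garbage rather than faulting, and it counts double frees instead of corrupting an allocator; in the kernel those two outcomes are what KASAN and the slab debug checks would report.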
Thread overview: 24+ messages
2022-08-12 13:21 [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super Dongliang Mu
2022-08-12 13:41 ` Christian Brauner
2022-08-12 13:48 ` Dongliang Mu
2022-08-12 14:18 ` Christian Brauner
2022-08-15 0:59 ` Dongliang Mu
2022-08-12 13:41 ` Greg Kroah-Hartman
2022-08-12 13:56 ` Dongliang Mu
2022-08-12 14:02 ` Dongliang Mu
2022-08-12 14:09 ` Greg Kroah-Hartman
2022-08-12 14:24 ` Christian Brauner
2022-08-12 14:32 ` Greg Kroah-Hartman
2022-08-15 1:46 ` Al Viro
2022-08-15 1:48 ` Al Viro
2022-08-15 8:47 ` Christian Brauner
2022-08-17 11:43 ` Greg Kroah-Hartman
2022-08-17 13:03 ` [PATCH] binderfs: rework superblock destruction Christian Brauner
2022-08-17 13:59 ` Al Viro
2022-08-17 14:01 ` Christian Brauner
2022-08-17 14:19 ` Al Viro
2022-08-17 14:32 ` Al Viro
2022-08-17 15:05 ` Christian Brauner
2022-08-17 14:51 ` Christian Brauner
2022-08-17 15:21 ` Al Viro [this message]
2022-08-17 15:24 ` Christian Brauner