From patchwork Mon May 22 10:20:30 2023
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 13250814
To: Mark Fasheh, Joel Becker, Joseph Qi
Date: Mon, 22 May 2023 11:20:30 +0100
Message-id: <20230522102030.8986-1-lhenriques@suse.de>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH] ocfs2: fix use-after-free when unmounting read-only filesystem
From: Luís Henriques via Ocfs2-devel

It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using
fstest generic/452. After mounting a filesystem as read-only, quotas are
suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info().
When unmounting the filesystem, a UAF access to the oinfo will eventually
cause a crash.

Cc:
Signed-off-by: Luís Henriques
---
 fs/ocfs2/super.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index 0b0e6a132101..988d1c076861 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -952,8 +952,10 @@ static void ocfs2_disable_quotas(struct ocfs2_super *osb) for (type = 0; type < OCFS2_MAXQUOTAS; type++) { if (!sb_has_quota_loaded(sb, type)) continue; - oinfo = sb_dqinfo(sb, type)->dqi_priv; - cancel_delayed_work_sync(&oinfo->dqi_sync_work); + if (!sb_has_quota_suspended(sb, type)) { + oinfo = sb_dqinfo(sb, type)->dqi_priv; + cancel_delayed_work_sync(&oinfo->dqi_sync_work); + } inode = igrab(sb->s_dquot.files[type]); /* Turn off quotas. This will remove all dquot structures from * memory and so they will be automatically synced to global
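Review bot: the new `if (!sb_has_quota_suspended(sb, type))` guard carries no comment saying why a type that passed `sb_has_quota_loaded()` can still have a dangling dqi_priv; a one-line comment above it noting that the read-only remount path already freed oinfo (and with it dqi_sync_work) would stop a later reader from "simplifying" the guard away, since nothing in the hunk itself explains why loaded-but-suspended differs from loaded. The `continue` on `!sb_has_quota_loaded()` must stay as it is, because the igrab() and the quota turn-off below it still have to run for a suspended type; only the oinfo block should be skipped. With the guard nested directly under the loaded check, the condition the oinfo block really wants is "loaded and not suspended", which the quota core already exposes as sb_has_quota_active(sb, type); using that one helper for the oinfo block would read as the intent directly.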
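The failure mode in the commit message turns on one property of the quota state flags: a type that has been suspended for a read-only remount still reports as loaded, so filtering the loop on "loaded" alone walks into memory that the suspend path already freed. The user-space model below is an added example, not code from this patch or from the kernel: the flag layout, the struct names, the quarantine allocator and the uaf_count() driver are assumptions made for the demonstration, while the three predicates mirror the shape of the quota core's loaded/suspended checks. It runs the unmount path once as the pre-patch code and once with the suspended guard, and counts how many times each would have touched a freed dqi_priv.

```c
/* User-space model of the ocfs2_disable_quotas() use-after-free and its
 * fix. Added example: not the patch's code and not kernel code. The
 * flag layout (4 bits per quota type), the struct names, the quarantine
 * allocator and uaf_count() are assumptions made for this demonstration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXQUOTAS     2        /* user and group quotas */
#define USAGE_ENABLED 0x01     /* type is loaded */
#define SUSPENDED     0x02     /* loaded, but torn down for read-only */

/* Per-type private info; stands in for struct ocfs2_mem_dqinfo. */
struct mem_dqinfo {
    int sync_work_pending;
};

struct dquot_info {
    struct mem_dqinfo *priv;   /* dqi_priv: left dangling after suspend */
};

struct super {
    unsigned flags;            /* per-type state flags (assumed layout) */
    struct dquot_info dqinfo[MAXQUOTAS];
};

static unsigned state_flag(unsigned flag, int type) { return flag << (type * 4); }

/* "loaded" is true for an active AND for a suspended type. */
static bool quota_loaded(const struct super *sb, int type)
{ return sb->flags & state_flag(USAGE_ENABLED, type); }

static bool quota_suspended(const struct super *sb, int type)
{ return sb->flags & state_flag(SUSPENDED, type); }

/* Quarantine: remember freed pointers so a later use is detected instead
 * of silently reading freed memory (a stand-in for what KASAN reports). */
static void *quarantine[8];
static int nquarantine;

static void q_free(void *p)
{
    if (nquarantine < 8)
        quarantine[nquarantine++] = p;
    free(p);
}

static bool is_freed(const void *p)
{
    for (int i = 0; i < nquarantine; i++)
        if (quarantine[i] == p)
            return true;
    return false;
}

static void quota_enable(struct super *sb, int type)
{
    sb->dqinfo[type].priv = calloc(1, sizeof(struct mem_dqinfo));
    sb->flags |= state_flag(USAGE_ENABLED, type);
}

/* Read-only remount: the type is marked suspended but stays "loaded",
 * and the filesystem frees its private info, as the commit message
 * describes for ocfs2_local_free_info(). The pointer is not cleared. */
static void remount_ro(struct super *sb)
{
    for (int type = 0; type < MAXQUOTAS; type++) {
        if (!quota_loaded(sb, type))
            continue;
        sb->flags |= state_flag(SUSPENDED, type);
        q_free(sb->dqinfo[type].priv);
    }
}

/* Unmount path. With fixed == false this is the pre-patch shape (loaded
 * check only); with fixed == true the suspended guard from the patch is
 * applied. Returns how many freed dqi_priv pointers would have been used. */
static int disable_quotas(struct super *sb, bool fixed)
{
    int uaf = 0;
    for (int type = 0; type < MAXQUOTAS; type++) {
        if (!quota_loaded(sb, type))
            continue;                          /* also passes suspended types */
        if (!fixed || !quota_suspended(sb, type)) {
            struct mem_dqinfo *oinfo = sb->dqinfo[type].priv;
            if (is_freed(oinfo)) {
                uaf++;                         /* would be the crash */
                continue;
            }
            oinfo->sync_work_pending = 0;      /* cancel_delayed_work_sync() */
        }
        /* turning the type off follows here for suspended types as well */
    }
    return uaf;
}

/* Mount with both quota types, remount read-only, then unmount. */
int uaf_count(bool fixed)
{
    struct super sb;
    memset(&sb, 0, sizeof sb);
    nquarantine = 0;
    for (int type = 0; type < MAXQUOTAS; type++)
        quota_enable(&sb, type);
    remount_ro(&sb);
    return disable_quotas(&sb, fixed);
}

int main(void)
{
    printf("unpatched: %d freed dqi_priv accesses\n", uaf_count(false));
    printf("patched:   %d freed dqi_priv accesses\n", uaf_count(true));
    return 0;
}
```

The point the model makes is that the bug is not in the free itself but in the predicate used on the unmount path: once "suspended" is a sub-state of "loaded", any teardown that keys only on "loaded" must also ask whether the private data still exists, which is exactly the check the hunk adds.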