APPLIED [K/HWE-5.17]: Re: [SRU Bionic/Focal/Jammy/HWE-5.17/Kinetic/Unstable] UBUNTU: SAUCE: fs: fix UAF/GPF bug in nilfs_mdt_destroy
Paolo Pisati
paolo.pisati at canonical.com
Tue Sep 20 10:47:50 UTC 2022
On Mon, Sep 19, 2022 at 05:05:01PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Dongliang Mu <mudongliangabcd at gmail.com>
>
> In alloc_inode, inode_init_always() could return -ENOMEM if
> security_inode_alloc() fails, which causes inode->i_private
> uninitialized. Then nilfs_is_metadata_file_inode() returns
> true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
> which frees the uninitialized inode->i_private
> and leads to crashes(e.g., UAF/GPF).
>
> Fix this by moving security_inode_alloc just prior to
> this_cpu_inc(nr_inodes)
>
> Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
> Reported-by: butt3rflyh4ck <butterflyhuangxx at gmail.com>
> Reported-by: Hao Sun <sunhao.th at gmail.com>
> Reported-by: Jiacheng Xu <stitch at zju.edu.cn>
> Reviewed-by: Christian Brauner (Microsoft) <brauner at kernel.org>
> Signed-off-by: Dongliang Mu <mudongliangabcd at gmail.com>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: stable at vger.kernel.org
> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
> (cherry picked from commit dcd684c9aafe2ba01264c9f9d7480e16c89a3a4b linux-next.git)
> CVE-2022-2978
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
--
bye,
p.
More information about the kernel-team
mailing list