linux-stable/fs/overlayfs
yangerkun 4fd9f0509a ovl: fix use after free in struct ovl_aio_req
commit 9a25440376 upstream.

Example for triggering use after free in an overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
           * Here IO is completed in a separate thread,
           * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
           */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307ac ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-18 14:03:49 +01:00
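
The lifetime rule described in the commit message, as an added userspace model (not the kernel patch and not code from this repository): a request that embeds the iocb stays allocated until both the submitter and the completion handler have dropped their reference. All `model_*` names, the `freed` probe and the value 42 are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model; names are illustrative, not kernel identifiers. */
struct model_iocb { int ki_filp; };

struct model_aio_req {
    atomic_int ref;          /* reference count guarding the embedded iocb */
    struct model_iocb iocb;  /* embedded: freeing the request frees it too */
    int *freed;              /* constructed probe, set to 1 on release */
};

/* Drop one reference; the last holder releases the request. */
static void model_put(struct model_aio_req *req)
{
    if (atomic_fetch_sub(&req->ref, 1) == 1) {
        *req->freed = 1;
        free(req);
    }
}

/* Stands in for the completion handler that runs in a separate thread. */
static void model_complete(struct model_aio_req *req)
{
    model_put(req);
}

/*
 * Model one submission where completion finishes before the submitter is
 * done with the iocb. initial_refs = 1 models the old lifetime (completion
 * owns the only reference); initial_refs = 2 models the refcounted fix.
 * Returns 1 only if the iocb was still valid when the submitter touched it
 * and the request was released once the submitter dropped its reference.
 */
int iocb_valid_after_completion(int initial_refs)
{
    int freed = 0, valid;
    struct model_aio_req *req = calloc(1, sizeof(*req));

    if (!req)
        return -1;
    atomic_init(&req->ref, initial_refs);
    req->freed = &freed;
    req->iocb.ki_filp = 42;  /* constructed value */

    model_complete(req);     /* I/O completes "early" */
    valid = !freed;          /* the file_accessed() point in the trace */
    if (valid) {
        valid = (req->iocb.ki_filp == 42);
        model_put(req);      /* submitter drops its own reference */
    }
    return (valid && freed) ? 1 : 0;
}
```
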
copy_up.c ovl: fix missing revert_creds() on error path 2021-05-14 09:50:05 +02:00
dir.c ovl: fix missing negative dentry check in ovl_rename() 2021-10-13 10:04:23 +02:00
export.c ovl: fix uninitialized pointer read in ovl_lookup_real_one() 2021-09-03 10:09:22 +02:00
file.c ovl: fix use after free in struct ovl_aio_req 2021-11-18 14:03:49 +01:00
inode.c ovl: perform vfs_getxattr() with mounter creds 2021-02-17 11:02:22 +01:00
Kconfig docs: fix broken references to text files 2020-04-20 15:35:59 -06:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
namei.c new helper: inode_wrong_type() 2021-09-08 08:49:01 +02:00
overlayfs.h ovl: invalidate readdir cache on changes to dir with origin 2021-05-14 09:50:35 +02:00
ovl_entry.h ovl: implement volatile-specific fsync error behaviour 2021-02-10 09:29:16 +01:00
readdir.c ovl: invalidate readdir cache on changes to dir with origin 2021-05-14 09:50:35 +02:00
super.c ovl: allow upperdir inside lowerdir 2021-05-07 11:04:33 +02:00
util.c ovl: invalidate readdir cache on changes to dir with origin 2021-05-14 09:50:35 +02:00