linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-08 03:40:35 +09:00

Go to file

Zhe Li 2524bb04d8 jffs2: fix UAF problem

[ Upstream commit 798b7347e4 ]

The log of UAF problem is listed below.
BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc
Read of size 4 by task rm/8283
=============================================================================
BUG kmalloc-32 (Tainted: P    B      O   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0
        0xb0bba6ef
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        __slab_alloc.isra.21.constprop.25+0x2c/0x44
        __kmalloc+0x1dc/0x370
        jffs2_write_dirent+0x11c/0x9c8 [jffs2]
        jffs2_do_unlink+0x328/0x5fc [jffs2]
        jffs2_rmdir+0x110/0x1cc [jffs2]
        vfs_rmdir+0x180/0x268
        do_rmdir+0x2cc/0x300
        ret_from_syscall+0x0/0x3c
INFO: Freed in 0x205b age=3054364 cpu=0 pid=0
        0x2e9173
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_add_fd_to_list+0x138/0x1dc [jffs2]
        jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2]
        jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2]
        jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2]
        jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2]
        kthread+0x1a8/0x1b0
        ret_from_kernel_thread+0x5c/0x64
Call Trace:
[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable)
[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2]
[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268
[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300
[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c

The root cause is that we don't get "jffs2_inode_info.sem" before
we scan list "jffs2_inode_info.dents" in function jffs2_rmdir.
This patch add codes to get "jffs2_inode_info.sem" before we scan
"jffs2_inode_info.dents" to slove the UAF problem.

Signed-off-by: Zhe Li <lizhe67@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2020-08-26 10:40:56 +02:00

arch

m68knommu: fix overwriting of bits in ColdFire V3 cache control

2020-08-26 10:40:55 +02:00

block

iocost: Fix check condition of iocg abs_vdebt

2020-08-19 08:15:58 +02:00

certs

PKCS#7: Refactor verify_pkcs7_signature()

2019-08-05 18:40:18 -04:00

crypto

crypto: algif_aead - fix uninitialized ctx->init

2020-08-21 13:05:38 +02:00

Documentation

kbuild: support LLVM=1 to switch the default tools to Clang/LLVM

2020-08-26 10:40:47 +02:00

drivers

drm/ttm: fix offset in VMAs with a pg_offs in ttm_bo_vm_access

2020-08-26 10:40:56 +02:00

jffs2: fix UAF problem

2020-08-26 10:40:56 +02:00

include

iommu/vt-d: Enforce PASID devTLB field mask

2020-08-21 13:05:34 +02:00

init

x86: Fix early boot crash on gcc-10, third try

2020-05-20 08:20:34 +02:00

ipc

ipc/util.c: sysvipc_find_ipc() incorrectly updates position index

2020-05-20 08:20:16 +02:00

kernel

kthread: Do not preempt current task if it is going to call schedule()

2020-08-26 10:40:53 +02:00

lib

test_kmod: avoid potential double free in trigger_config_run_type()

2020-08-21 13:05:37 +02:00

LICENSES

LICENSES: Rename other to deprecated

2019-05-03 06:34:32 -06:00

mm, page_alloc: fix core hung in free_pcppages_bulk()

2020-08-26 10:40:51 +02:00

net

svcrdma: Fix another Receive buffer leak

2020-08-26 10:40:55 +02:00

samples

bpf: Fix fds_example SIGSEGV error

2020-08-19 08:16:03 +02:00

scripts

recordmcount: Fix build failure on non arm64

2020-08-21 13:05:36 +02:00

security

Smack: prevent underflow in smk_set_cipso()

2020-08-19 08:16:16 +02:00

sound

ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion

2020-08-26 10:40:50 +02:00

tools

perf probe: Fix memory leakage when the probe point is not found

2020-08-26 10:40:48 +02:00

usr

initramfs: restore default compression behavior

2020-04-08 09:08:38 +02:00

virt

KVM: arm64: Don't inherit exec permission across page-table levels

2020-08-05 09:59:51 +02:00

.clang-format

clang-format: Update with the latest for_each macro list

2019-08-31 10:00:51 +02:00

.cocciconfig

…

.get_maintainer.ignore

Opt out of scripts/get_maintainer.pl

2019-05-16 10:53:40 -07:00

.gitattributes

.gitattributes: set git diff driver for C source code files

2016-10-07 18:46:30 -07:00

.gitignore

Merge tag 'modules-for-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux

2019-09-22 10:34:46 -07:00

.mailmap

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

2019-11-10 13:41:59 -08:00

COPYING

COPYING: use the new text with points to the license files

2018-03-23 12:41:45 -06:00

CREDITS

MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer

2019-10-10 08:12:51 -07:00

Kbuild

kbuild: do not descend to ./Kbuild when cleaning

2019-08-21 21:03:58 +09:00

Kconfig

docs: kbuild: convert docs to ReST and rename to *.rst

2019-06-14 14:21:21 -06:00

MAINTAINERS

Documentation/llvm: add documentation on building w/ Clang/LLVM

2020-08-26 10:40:46 +02:00

Makefile

kbuild: support LLVM=1 to switch the default tools to Clang/LLVM

2020-08-26 10:40:47 +02:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.