On Fri, Jan 31, 2020 at 09:06:01PM -0800, Zubin Mithra wrote:
From: Theodore Ts'o <tytso@mit.edu>
commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream.
Instead of setting s_want_extra_size and then making sure that it is a valid value afterwards, validate the field before we set it. This avoids races and other problems when remounting the file system.
Link: https://lore.kernel.org/r/20191215063020.GA11512@mit.edu
Cc: stable@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-and-tested-by: syzbot+4a39a025912b265cacef@syzkaller.appspotmail.com
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Notes:
- Syzkaller triggered a UAF on 4.19 kernels with the following
  stacktrace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0xc8/0x129 lib/dump_stack.c:113
    print_address_description+0x67/0x22a mm/kasan/report.c:256
    kasan_report_error mm/kasan/report.c:354 [inline]
    kasan_report mm/kasan/report.c:412 [inline]
    kasan_report+0x251/0x28f mm/kasan/report.c:396
    ext4_xattr_set_entry+0x45e/0x2222 fs/ext4/xattr.c:1604
    ext4_xattr_ibody_set+0x7d/0x226 fs/ext4/xattr.c:2240
    ext4_xattr_set_handle+0x553/0xa92 fs/ext4/xattr.c:2396
    ext4_xattr_set+0x16a/0x200 fs/ext4/xattr.c:2508
    __vfs_setxattr+0xfc/0x13d fs/xattr.c:149
    __vfs_setxattr_noperm+0xf5/0x19c fs/xattr.c:180
    vfs_setxattr+0x9c/0xca fs/xattr.c:223
    setxattr+0x20e/0x275 fs/xattr.c:450
    path_setxattr+0xca/0x144 fs/xattr.c:469
    __do_sys_lsetxattr fs/xattr.c:491 [inline]
    __se_sys_lsetxattr fs/xattr.c:487 [inline]
    __x64_sys_lsetxattr+0xd7/0xe1 fs/xattr.c:487
    do_syscall_64+0xfe/0x137 arch/x86/entry/common.c:294
    entry_SYSCALL_64_after_hwframe+0x49/0xbe
- This commit is present in linux-5.4.y. A backport for 4.14.y has been
sent separately.
Many thanks for this and the 4.14.y backport, now both applied.
greg k-h
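The commit message above describes the defect in one sentence: the option value was stored into the live superblock first and checked afterwards, so a concurrent consumer could observe an unchecked value during remount. The following C model is an added illustration of that ordering problem and is not ext4 code; the struct, the bounds rule (even, at least 4, must fit below the inode size minus a 128-byte header), the constant names and the "observer" callback that stands in for a concurrent xattr writer are all assumptions chosen for the demonstration.

```c
/* Added illustration, not ext4 code: store-then-validate versus
 * validate-then-store for a value that other code reads concurrently.
 * All names, sizes and the validity rule below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define GOOD_OLD_INODE_SIZE 128   /* assumed fixed on-disk inode header size */

struct toy_sb {
    int s_inode_size;        /* assumed per-inode size chosen at mkfs time */
    int s_want_extra_isize;  /* bytes of inode body to reserve (the option) */
};

/* Stand-in for a concurrent reader (e.g. an xattr writer) that runs
 * at whatever point the remount path invokes it. */
typedef void (*observer_fn)(const struct toy_sb *sb, void *ctx);

/* Illustrative validity rule: even, at least 4, and must fit. */
static bool want_extra_isize_valid(const struct toy_sb *sb, int v)
{
    return (v & 1) == 0 && v >= 4 &&
           v <= sb->s_inode_size - GOOD_OLD_INODE_SIZE;
}

/* Toy consumer: bytes of inode body left after the reservation.
 * A negative result is the condition under which a real consumer
 * would compute an offset past the end of its buffer. */
int body_space_left(const struct toy_sb *sb)
{
    return sb->s_inode_size - GOOD_OLD_INODE_SIZE - sb->s_want_extra_isize;
}

/* The ordering the commit removes: publish first, check afterwards.
 * The observer runs in the window where the unchecked value is live. */
int remount_set_then_validate(struct toy_sb *sb, int arg,
                              observer_fn obs, void *ctx)
{
    int old = sb->s_want_extra_isize;

    sb->s_want_extra_isize = arg;        /* visible before it is checked */
    if (obs)
        obs(sb, ctx);                    /* concurrent reader runs here */
    if (!want_extra_isize_valid(sb, sb->s_want_extra_isize)) {
        sb->s_want_extra_isize = old;    /* too late: the window existed */
        return -1;
    }
    return 0;
}

/* The ordering the commit introduces: check first, then publish.
 * An invalid value is never written, so no reader can observe it. */
int remount_validate_then_set(struct toy_sb *sb, int arg,
                              observer_fn obs, void *ctx)
{
    if (!want_extra_isize_valid(sb, arg))
        return -1;                       /* nothing published */
    sb->s_want_extra_isize = arg;
    if (obs)
        obs(sb, ctx);
    return 0;
}

struct seen {
    int min_space;                       /* smallest space the reader saw */
};

static void record_space(const struct toy_sb *sb, void *ctx)
{
    struct seen *s = ctx;
    int left = body_space_left(sb);

    if (left < s->min_space)
        s->min_space = left;
}

/* Drive one variant with a constructed, far-too-large option value and
 * return the smallest body space the observer ever saw. A negative
 * value means the reader observed the unchecked option. */
int min_space_seen(bool validate_first)
{
    struct toy_sb sb = { .s_inode_size = 256, .s_want_extra_isize = 32 };
    struct seen s = { .min_space = body_space_left(&sb) };
    int bad_arg = 4096;                  /* constructed: exceeds the inode */

    if (validate_first)
        remount_validate_then_set(&sb, bad_arg, record_space, &s);
    else
        remount_set_then_validate(&sb, bad_arg, record_space, &s);
    return s.min_space;
}

int main(void)
{
    printf("set-then-validate: min body space observed %d\n",
           min_space_seen(false));
    printf("validate-then-set: min body space observed %d\n",
           min_space_seen(true));
    return 0;
}
```

With the constructed sizes, the set-then-validate path lets the observer see a negative body space (the out-of-bounds window), while the validate-then-set path rejects the value before it is ever stored and the observer only ever sees the original 96 bytes. The same discipline applies to any tunable that live code reads without taking the lock the updater holds: check the candidate in a local, and only assign once it is known to be acceptable.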