From: Li Lingfeng <lilingfeng3@xxxxxxxxxx> Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since refcount of nbd device is zero and private_data is not NULL. Fixes: 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk") Signed-off-by: Li Lingfeng <lilingfeng3@xxxxxxxxxx> --- drivers/block/nbd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 800f131222fc..aab93b836e84 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -250,6 +250,7 @@ static void nbd_dev_remove(struct nbd_device *nbd) struct gendisk *disk = nbd->disk; del_gendisk(disk); + disk->private_data = NULL; put_disk(disk); blk_mq_free_tag_set(&nbd->tag_set); -- 2.31.1
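Review bot: The added `disk->private_data = NULL;` in nbd_dev_remove() is a plain store with no comment and no locking visible in this hunk, while the commit message describes a concurrent nbd_open() as the other side of the race. Please say, in a comment above the store or in the commit message, what serializes this write against the read in nbd_open() (which mutex both paths hold, or why del_gendisk() completing is sufficient). Without that, a reader cannot tell whether the window is closed or only narrowed. The fix also depends on nbd_open() treating a NULL private_data as "device gone" before it touches the refcount. That check is not part of this diff, so it is worth confirming in the changelog that it exists on every tree carrying 4af5f2e03013 where this will be backported. A short interleaving of the two paths (nbd_put() dropping the last reference versus nbd_open() reading private_data) in the commit message would make the use-after-free easier to verify.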