Upstream kernel.org korg#205713 contends that there is a UAF in the core debugfs debugfs_remove() function, and has gone through pushing for a CVE for this, CVE-2019-19770. If correct then parent dentries are not positive, and this would have implications far beyond this bug report. Thankfully, upon review with Nicolai, he wasn't buying it. His suspicions that this was just a blktrace issue were spot on, and this patch series demonstrates that, provides a reproducer, and provides a solution to the issue. We there would like to contend CVE-2019-19770 as invalid. The implications suggested are not correct, and this issue is only triggerable with root, by shooting yourself on the foot by misuing blktrace. If you want this on a git tree, you can get it from linux-next 20200401-blktrace-fix-uaf branch [2]. Wider review, testing, and rants are appreciated. [0] https://bugzilla.kernel.org/show_bug.cgi?id=205713 [1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770 [2] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux-next.git/log/?h=20200401-blktrace-fix-uaf Luis Chamberlain (3): block: move main block debugfs initialization to its own file blktrace: fix debugfs use after free block: avoid deferral of blk_release_queue() work block/Makefile | 1 + block/blk-core.c | 9 +-------- block/blk-debugfs.c | 27 +++++++++++++++++++++++++++ block/blk-mq-debugfs.c | 5 ----- block/blk-sysfs.c | 21 ++++++++------------- block/blk.h | 17 +++++++++++++++++ include/linux/blktrace_api.h | 1 - kernel/trace/blktrace.c | 19 ++++++++----------- 8 files changed, 62 insertions(+), 38 deletions(-) create mode 100644 block/blk-debugfs.c -- 2.25.1
