Hi,
my name is David, I work as a research assistant at TU Darmstadt, Germany.
We are currently developing a static analysis tool to find dangling pointer vulnerabilities automatically in large code bases, based on LLVM.
We think we found a potential use-after-return in move_expired_inodes in the file fs/fs-writeback.c. This is the relevant code (at least 3.11-4.8):
static long wb_writeback(struct bdi_writeback *wb,
                         struct wb_writeback_work *work)
{
        unsigned long oldest_jif;
        ...
        work->older_than_this = &oldest_jif;
        ...
}

static int move_expired_inodes(struct list_head *delaying_queue,
                               struct list_head *dispatch_queue,
                               int flags,
                               struct wb_writeback_work *work)
{
        unsigned long *older_than_this = NULL;
        ...
        older_than_this = work->older_than_this;
        ...
        if (older_than_this &&
            inode_dirtied_after(inode, *older_than_this))
                break;
        ...
}
The address of a local stack element is written to the wb_writeback_work object retrieved from the work list in wb_do_writeback. If the auto_free property of the object is not set, it will not be freed upon returning from the calling function, which results in our tool reporting the situation as a vulnerability. The pointer is dereferenced in move_expired_inodes, and passed as an argument to inode_dirtied_after. Currently, this does not appear to be exploitable. We investigated the issue, but were unable to falsify our report, hence this email.

Apologies if we overlooked something trivial or failed to adhere to the code of conduct on this mailing list.
Best wishes,
David Gens
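As an added example, not kernel code and not the change the kernel eventually applied: a reduced C model of the pattern described in the mail, with the pointer-carrying work item beside a by-value layout that cannot dangle. The struct and function names mirror the mail; DIRTY_EXPIRE_INTERVAL, the array-based queue, the sample timestamps and the wb_work_val layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constant: how many jiffies an inode may stay dirty before it
 * counts as expired (the kernel derives this from dirty_expire_interval). */
#define DIRTY_EXPIRE_INTERVAL 30UL

struct inode_model {
    unsigned long dirtied_when;       /* jiffies at which the inode became dirty */
};

/* Shape of the work item as quoted in the mail: a pointer to a timestamp that
 * is owned by wb_writeback()'s stack frame. */
struct wb_work_ptr {
    unsigned long *older_than_this;
    bool auto_free;                   /* false: the work item outlives wb_writeback() */
};

/* Assumed hardened shape: the timestamp is copied into the work item, so no
 * stack address escapes the frame that created it. */
struct wb_work_val {
    unsigned long older_than_this;
    bool has_older_than_this;
    bool auto_free;
};

/* Stand-in for the kernel's inode_dirtied_after(); a plain comparison instead
 * of time_after() because the constructed sample values never wrap. */
static bool inode_dirtied_after(const struct inode_model *inode, unsigned long t)
{
    return inode->dirtied_when > t;
}

/* The reported pattern. After this function returns, work->older_than_this
 * refers to a slot in a dead stack frame; any later dereference is a
 * use-after-return. Kept here only to show what a lifetime checker flags. */
static void wb_writeback_ptr(struct wb_work_ptr *work, unsigned long now)
{
    unsigned long oldest_jif = now - DIRTY_EXPIRE_INTERVAL;
    work->older_than_this = &oldest_jif;   /* address of a local escapes */
    /* ... writeback proceeds; the pointer is valid only until return ... */
}

/* Hardened variant: store the value, not the address. */
static void wb_writeback_val(struct wb_work_val *work, unsigned long now)
{
    work->older_than_this = now - DIRTY_EXPIRE_INTERVAL;
    work->has_older_than_this = true;
}

/* Walks inodes in dirtying order and returns how many would be moved to the
 * dispatch queue before the first one dirtied after the cutoff, mirroring the
 * loop in move_expired_inodes() but over a plain array instead of a list. */
static size_t move_expired_inodes_val(const struct inode_model *inodes, size_t n,
                                      const struct wb_work_val *work)
{
    size_t moved = 0;
    for (size_t i = 0; i < n; i++) {
        if (work->has_older_than_this &&
            inode_dirtied_after(&inodes[i], work->older_than_this))
            break;
        moved++;
    }
    return moved;
}

/* Constructed sample: five inodes dirtied at increasing jiffies. */
static const struct inode_model sample_inodes[] = {
    {100}, {120}, {140}, {160}, {180}
};
#define SAMPLE_COUNT (sizeof sample_inodes / sizeof sample_inodes[0])

/* With now = 175 the cutoff is 145: the first three inodes are expired. */
static size_t sample_expired_count(void)
{
    struct wb_work_val work = { .auto_free = false };
    wb_writeback_val(&work, 175);
    return move_expired_inodes_val(sample_inodes, SAMPLE_COUNT, &work);
}

/* Without a cutoff every inode is moved (the older_than_this == NULL case). */
static size_t sample_no_cutoff_count(void)
{
    struct wb_work_val work = { .auto_free = false, .has_older_than_this = false };
    return move_expired_inodes_val(sample_inodes, SAMPLE_COUNT, &work);
}

int main(void)
{
    struct wb_work_ptr leaky = { .auto_free = false };

    wb_writeback_ptr(&leaky, 175);
    /* leaky.older_than_this now dangles; it is deliberately not dereferenced.
     * Built with -fsanitize=address and run with
     * ASAN_OPTIONS=detect_stack_use_after_return=1, a dereference here would
     * be reported as a stack-use-after-return. */

    printf("expired inodes with cutoff: %zu\n", sample_expired_count());
    printf("inodes moved without cutoff: %zu\n", sample_no_cutoff_count());
    return 0;
}
```

The pointer variant is kept only to show the lifetime problem: the object that receives the address outlives the frame whenever auto_free is false, which is exactly the condition the mail describes. As a cheap static check, GCC 12 and later emit a -Wdangling-pointer warning for this kind of store when building with -Wall, and AddressSanitizer's stack-use-after-return mode catches the dereference dynamically; the by-value layout removes the class of bug rather than the one instance.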