Re: KASAN: use-after-free Read in userfaultfd_release (2)

On 7/20/20 9:00 AM, Al Viro wrote:
On Mon, Jul 13, 2020 at 04:45:12PM +0800, Hillf Danton wrote:

Bridge the gap between slab free and the fput in task work wrt
file's private data.

No.  This

@@ -2048,6 +2055,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
  	if (fd < 0) {
+		file->private_data = NULL;
  		fput(file);
  		goto out;
  	}
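Review bot: clearing `file->private_data` right before `fput(file)` in this error branch splits ownership of the context: `fput()` will still run the file's release op, which now finds `private_data` NULL, while the context the file was created with has to be dropped by some other code on this branch, so the two halves of the teardown can no longer be checked against each other. Leave `private_data` attached and let `fput()` drive the release, which is the only cleanup this branch should need once the file exists. Separately, the context line `fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);` forces close-on-exec regardless of the syscall's `flags` argument.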


is fundamentally wrong; you really shouldn't take over the cleanups
if you ever do fput().

Yep. I don't recall how the O_CLOEXEC got in there: that's indeed wrong, and probably the result of patch-editing butchery. As for the exit cleanup: yes, that's a bug. I was trying to keep the exit paths together. We could fix it forward (which seems simple enough) or re-submit.
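The lifetime rule Al Viro is pointing at, as an added userspace model that is not code from this thread or from the kernel: once anon_inode_getfile() has wrapped the context in a struct file, the file owns that reference and the last fput() runs ->release() to drop it, and in the kernel that release is deferred to task work rather than run inline. The model reproduces the pattern the commit message describes (the ctx freed from the slab before the deferred fput runs the release op) beside the fput-only error path, and it poisons instead of freeing so the bad read stays defined. All names (`model_fput`, `model_release`, `uffd_ctx`, the one-slot task-work queue) are invented for the model.

```c
#include <stdio.h>
#include <stdlib.h>

#define CTX_LIVE 0x55aa55aaU
#define CTX_DEAD 0xdeadbeefU   /* poison written instead of a real free so the model stays defined */

/* Stand-in for the userfaultfd ctx; refcount semantics only, no real fields. */
struct uffd_ctx {
    int refcount;
    unsigned int state;        /* CTX_LIVE while allocated, CTX_DEAD after "slab free" */
};

/* Stand-in for struct file: just the parts the lifetime argument depends on. */
struct model_file {
    void *private_data;
    void (*release)(struct model_file *);
};

enum outcome { OUT_OK, OUT_UAF, OUT_LEAK };

static int uaf_hits;     /* ->release() touched a poisoned ctx (the KASAN report in the subject) */
static int ctx_frees;    /* how many times the ctx reached refcount 0; exactly 1 is correct */

static void ctx_put(struct uffd_ctx *ctx)
{
    if (--ctx->refcount == 0) {
        ctx->state = CTX_DEAD;   /* kernel: kmem_cache_free(); here: poison only */
        ctx_frees++;
    }
}

/* Models userfaultfd_release(): reads the ctx behind private_data and drops its reference. */
static void model_release(struct model_file *f)
{
    struct uffd_ctx *ctx = f->private_data;
    if (ctx->state != CTX_LIVE) {
        uaf_hits++;              /* use-after-free read: the caller freed ctx under us */
        return;
    }
    ctx_put(ctx);
}

/* fput() defers ->release() to task work in the kernel; a one-slot queue models that. */
static struct model_file *pending_fput;

static void model_fput(struct model_file *f)
{
    pending_fput = f;
}

static void model_task_work_run(void)
{
    if (pending_fput) {
        pending_fput->release(pending_fput);
        free(pending_fput);
        pending_fput = NULL;
    }
}

/*
 * The fd-allocation failure path of the userfaultfd syscall, in two variants.
 * put_ctx_ourselves = 1: the caller drops the ctx reference itself and also calls
 * fput(), so the deferred release later reads freed memory.
 * put_ctx_ourselves = 0: fput() alone, with ->release() owning the ctx cleanup.
 */
static enum outcome model_fd_alloc_failure(int put_ctx_ourselves)
{
    uaf_hits = ctx_frees = 0;

    struct uffd_ctx *ctx = malloc(sizeof *ctx);
    ctx->refcount = 1;
    ctx->state = CTX_LIVE;

    struct model_file *file = calloc(1, sizeof *file);   /* anon_inode_getfile() */
    file->private_data = ctx;
    file->release = model_release;
    /* From here on the file owns ctx's reference; the caller must not drop it. */

    /* get_unused_fd_flags() failed: tear down. */
    if (put_ctx_ourselves)
        ctx_put(ctx);            /* frees ctx while the file still points at it */
    model_fput(file);            /* only queues ->release() */

    model_task_work_run();       /* return to user space: the deferred release runs now */

    enum outcome out = uaf_hits ? OUT_UAF : (ctx_frees == 1 ? OUT_OK : OUT_LEAK);
    free(ctx);                   /* the model only poisoned it; release the memory for real */
    return out;
}

int main(void)
{
    printf("put ctx then fput: %s\n", model_fd_alloc_failure(1) == OUT_UAF ? "UAF in release" : "ok");
    printf("fput only:         %s\n", model_fd_alloc_failure(0) == OUT_OK ? "ctx freed once by release" : "bad");
    return 0;
}
```

The point the model makes is that the deferral is what turns a double drop into a use-after-free rather than an immediate double free: by the time the release op runs, the syscall has long returned. The fix is not to hide the ctx from the release op but to stop dropping it from the syscall once the file exists.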


