Hi me,

Here's a pull request to fix that attr fork UAF problem and preparing for a
future where files always have xattrs by making the forks permanent
installations.

--D

------

The following changes since commit 0f38063d7a38015a47ca1488406bf21e0effe80e:

  xfs: removed useless condition in function xfs_attr_node_get (2022-07-09 10:56:02 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux.git tags/make-attr-fork-permanent-5.20_2022-07-14

for you to fetch changes up to c01147d929899f02a0a8b15e406d12784768ca72:

  xfs: replace inode fork size macros with functions (2022-07-12 11:17:27 -0700)

----------------------------------------------------------------
xfs: make attr forks permanent

This series fixes a use-after-free bug that syzbot uncovered.  The UAF
itself is a result of a race condition between getxattr and removexattr
because callers to getxattr do not necessarily take any sort of locks
before calling into the filesystem.

Although the race condition itself can be fixed through clever use of a
memory barrier, further consideration of the use cases of extended
attributes shows that most files always have at least one attribute, so
we might as well make them permanent.

v2: Minor tweaks suggested by Dave, and convert some more macros to
helper functions.

Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>

----------------------------------------------------------------
Darrick J. Wong (5):
      xfs: convert XFS_IFORK_PTR to a static inline helper
      xfs: make inode attribute forks a permanent part of struct xfs_inode
      xfs: use XFS_IFORK_Q to determine the presence of an xattr fork
      xfs: replace XFS_IFORK_Q with a proper predicate function
      xfs: replace inode fork size macros with functions

 fs/xfs/libxfs/xfs_attr.c           | 20 +++++-----
 fs/xfs/libxfs/xfs_attr.h           | 10 ++---
 fs/xfs/libxfs/xfs_attr_leaf.c      | 29 +++++++-------
 fs/xfs/libxfs/xfs_bmap.c           | 81 +++++++++++++++++++-------------------
 fs/xfs/libxfs/xfs_bmap_btree.c     | 10 ++---
 fs/xfs/libxfs/xfs_btree.c          |  4 +-
 fs/xfs/libxfs/xfs_dir2.c           |  2 +-
 fs/xfs/libxfs/xfs_dir2_block.c     |  6 +--
 fs/xfs/libxfs/xfs_dir2_sf.c        |  8 ++--
 fs/xfs/libxfs/xfs_inode_buf.c      |  7 ++--
 fs/xfs/libxfs/xfs_inode_fork.c     | 65 ++++++++++++++++--------------
 fs/xfs/libxfs/xfs_inode_fork.h     | 27 ++-----------
 fs/xfs/libxfs/xfs_symlink_remote.c |  2 +-
 fs/xfs/scrub/bmap.c                | 14 +++----
 fs/xfs/scrub/btree.c               |  2 +-
 fs/xfs/scrub/dabtree.c             |  2 +-
 fs/xfs/scrub/dir.c                 |  2 +-
 fs/xfs/scrub/quota.c               |  2 +-
 fs/xfs/scrub/symlink.c             |  6 +--
 fs/xfs/xfs_attr_inactive.c         | 16 +++-----
 fs/xfs/xfs_attr_list.c             |  9 ++---
 fs/xfs/xfs_bmap_util.c             | 22 +++++------
 fs/xfs/xfs_dir2_readdir.c          |  2 +-
 fs/xfs/xfs_icache.c                | 12 +++---
 fs/xfs/xfs_inode.c                 | 24 +++++------
 fs/xfs/xfs_inode.h                 | 62 ++++++++++++++++++++++++++++-
 fs/xfs/xfs_inode_item.c            | 58 +++++++++++++--------------
 fs/xfs/xfs_ioctl.c                 |  2 +-
 fs/xfs/xfs_iomap.c                 |  8 ++--
 fs/xfs/xfs_iops.c                  |  2 +-
 fs/xfs/xfs_itable.c                |  4 +-
 fs/xfs/xfs_qm.c                    |  2 +-
 fs/xfs/xfs_reflink.c               |  6 +--
 fs/xfs/xfs_symlink.c               |  2 +-
 fs/xfs/xfs_trace.h                 |  2 +-
 35 files changed, 285 insertions(+), 247 deletions(-)
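
The lifetime argument in the tag message above, replayed as a single-threaded userspace model. This is an added example, not code from the patch series or from XFS: every type and function name is hypothetical, and a one-slot arena stands in for the kernel allocator so the reuse of freed memory can be observed without undefined behaviour.

```c
/* Added illustration: deterministic replay of a getxattr/removexattr
 * interleaving. All names are hypothetical; this is not XFS kernel code. */
#include <stdbool.h>
#include <stddef.h>

struct fork { int nattrs; };

/* One-slot arena standing in for the heap. */
static struct fork slot;
static bool slot_free = true;

static struct fork *fork_alloc(int n)
{
    if (!slot_free)
        return NULL;
    slot_free = false;
    slot.nattrs = n;
    return &slot;
}
static void fork_release(struct fork *f) { (void)f; slot_free = true; }

/* Before: the attr fork hangs off a pointer and is released on removal. */
struct inode_before { struct fork *afp; };
/* After: the fork is embedded, so it lives exactly as long as the inode. */
struct inode_after { struct fork af; };

/* Presence becomes a question about contents, not about a pointer. */
static bool has_attrs(const struct inode_after *ip) { return ip->af.nattrs > 0; }

/* Returns true if the reader ends up looking at memory it no longer owns. */
bool replay_before(void)
{
    struct inode_before ip = { .afp = fork_alloc(1) };
    struct fork *seen = ip.afp;           /* reader: unlocked pointer load */
    fork_release(ip.afp); ip.afp = NULL;  /* remover: last xattr gone, fork freed */
    struct fork *other = fork_alloc(42);  /* unrelated allocation reuses the slot */
    bool stale = (seen == other && seen->nattrs == 42); /* reader sees foreign data */
    fork_release(other);
    return stale;
}

bool replay_after(void)
{
    struct inode_after ip = { .af = { .nattrs = 1 } };
    struct fork *seen = &ip.af;           /* reader: address of the embedded fork */
    ip.af.nattrs = 0;                     /* remover: empties the fork in place */
    return seen != &ip.af || has_attrs(&ip); /* false: same object, reported empty */
}
```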