twx-linux/fs
Vasiliy Kovalev 64455c8051 ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
[ Upstream commit c84e125fff2615b4d9c259e762596134eddd2f27 ]

The issue was caused by dput(upper) being called before
ovl_dentry_update_reval(), while upper->d_flags was still
accessed in ovl_dentry_remote().

Move dput(upper) after its last use to prevent use-after-free.

BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
 ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
 ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
 ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
 vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
 </TASK>

Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up")
Reported-by: syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
Link: https://lore.kernel.org/r/20250214215148.761147-1-kovalev@altlinux.org
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-03-07 16:45:36 +01:00
9p fs/9p: fix uninitialized values during inode evict 2024-11-22 15:38:37 +01:00
adfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
affs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
afs afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call 2025-02-08 09:51:43 +01:00
autofs
befs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
bfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
btrfs btrfs: fix hole expansion when writing at an offset beyond EOF 2025-02-21 13:57:19 +01:00
cachefiles cachefiles: Fix NULL pointer dereference in object->file 2025-02-17 09:40:42 +01:00
ceph ceph: give up on paths longer than PATH_MAX 2025-01-09 13:31:54 +01:00
coda
configfs
cramfs fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
crypto fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
debugfs debugfs: fix automount d_fsdata usage 2024-01-20 11:51:37 +01:00
devpts
dlm dlm: fix srcu_read_lock() return type to int 2025-02-08 09:51:41 +01:00
ecryptfs fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
efivarfs efivarfs: Fix error on non-existent file 2024-12-27 13:58:50 +01:00
efs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
erofs erofs: fix PSI memstall accounting 2025-01-17 13:36:11 +01:00
exfat exfat: fix the infinite loop in __exfat_free_cluster() 2025-01-17 13:36:10 +01:00
exportfs exportfs: remove kernel-doc warnings in exportfs 2023-08-29 17:45:22 -04:00
ext2 ext2: Verify bitmap and itable block numbers before using them 2024-08-03 08:54:15 +02:00
ext4 ext4: fix access to uninitialised lock in fc replay path 2025-02-01 18:37:55 +01:00
f2fs f2fs: Introduce linear search for dentries 2025-02-08 09:52:35 +01:00
fat fat: fix uninitialized variable 2024-10-22 15:46:20 +02:00
freevxfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
fscache netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING 2024-12-09 10:31:45 +01:00
fuse fuse: fix memory leak in fuse_create_open 2024-09-12 11:11:26 +02:00
gfs2 gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag 2025-02-01 18:37:52 +01:00
hfs hfs: Sanity check the root record 2025-01-23 17:21:13 +01:00
hfsplus hfsplus: don't query the device logical block size multiple times 2024-12-09 10:31:45 +01:00
hostfs Revert "hostfs: convert hostfs to use the new mount API" 2025-02-11 09:37:33 +01:00
hpfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
hugetlbfs mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE 2024-02-23 09:25:16 +01:00
iomap iomap: avoid truncating 64-bit offset to 32 bits 2025-01-23 17:21:14 +01:00
isofs isofs: handle CDs with bad root inode but good Joliet root directory 2024-04-13 13:07:34 +02:00
jbd2 jbd2: flush filesystem device before updating tail sequence 2025-01-17 13:36:09 +01:00
jffs2 jffs2: Fix rtime decompressor 2024-12-14 20:00:21 +01:00
jfs jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree 2024-12-14 20:00:07 +01:00
kernfs kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files 2024-08-29 17:33:33 +02:00
lockd nfsd: stop setting ->pg_stats for unused stats 2024-08-19 06:04:23 +02:00
minix for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
netfs netfs: Only call folio_start_fscache() one time for each folio 2023-09-18 12:03:46 -07:00
nfs NFS: Fix potential buffer overflow in nfs_sysfs_link_rpc_client() 2025-02-21 13:57:11 +01:00
nfs_common
nfsd NFSD: fix hang in nfsd4_shutdown_callback 2025-02-21 13:57:06 +01:00
nilfs2 nilfs2: handle errors that nilfs_prepare_chunk() may return 2025-02-27 04:10:54 -08:00
nls nls: Hide new NLS_UCS2_UTILS 2023-08-31 12:07:34 -05:00
notify fs: relax assertions on failure to encode file handles 2025-01-23 17:21:19 +01:00
ntfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
ntfs3 fs/ntfs3: Fix warning in ni_fiemap 2025-01-09 13:31:46 +01:00
ocfs2 ocfs2: check dir i_size in ocfs2_find_entry 2025-02-17 09:40:42 +01:00
omfs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
openpromfs openpromfs: finish conversion to the new mount API 2024-06-12 11:11:30 +02:00
orangefs orangefs: fix an oob in orangefs_debug_write 2025-02-21 13:57:12 +01:00
overlayfs ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up 2025-03-07 16:45:36 +01:00
proc fs/proc: do_task_stat: Fix ESP not readable during coredump 2025-02-17 09:40:15 +01:00
pstore pstore/blk: trivial typo fixes 2025-02-08 09:51:42 +01:00
qnx4 for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
qnx6 for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
quota quota: flush quota_release_work upon quota writeback 2024-12-09 10:33:01 +01:00
ramfs
reiserfs reiserfs: fix uninit-value in comp_keys 2024-08-19 06:04:26 +02:00
romfs fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
smb smb: client: Add check for next_buffer in receive_encrypted_standard() 2025-02-27 04:10:53 -08:00
squashfs Squashfs: sanity check symbolic link size 2024-09-12 11:11:39 +02:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-04-27 17:11:41 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 13:07:34 +02:00
tracefs eventfs: Use list_del_rcu() for SRCU protected list variable 2024-09-12 11:11:27 +02:00
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-02-08 09:52:28 +01:00
udf udf: Verify inode link counts before performing rename 2025-01-09 13:31:50 +01:00
ufs for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 20:00:20 +01:00
vboxsf vboxsf: explicitly deny setlease attempts 2024-05-17 12:02:13 +02:00
verity fsverity: use register_sysctl_init() to avoid kmemleak warning 2024-06-16 13:47:33 +02:00
xfs xfs: don't over-report free space or inodes in statvfs 2025-02-27 04:10:44 -08:00
zonefs zonefs: Improve error handling 2024-02-23 09:25:13 +01:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-03 15:28:44 +02:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_elf_fdpic.c fs: binfmt_elf_fdpic: don't use missing interpreter's properties 2024-08-29 17:33:33 +02:00
binfmt_elf_test.c
binfmt_elf.c ELF: fix kernel.randomize_va_space double read 2024-09-12 11:11:29 +02:00
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-02-17 09:40:16 +01:00
binfmt_misc.c binfmt_misc: cleanup on filesystem umount 2024-08-29 17:33:27 +02:00
binfmt_script.c
buffer.c buffer: make folio_create_empty_buffers() return a buffer_head 2025-02-08 09:52:26 +01:00
char_dev.c
compat_binfmt_elf.c
coredump.c
d_path.c
dax.c fsdax: dax_unshare_iter needs to copy entire blocks 2024-11-08 16:28:19 +01:00
dcache.c fs: better handle deep ancestor chains in is_subdir() 2024-07-25 09:50:54 +02:00
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: Add synchronous wakeup support for ep_poll_callback 2024-12-27 13:58:57 +01:00
exec.c exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case 2025-02-17 09:40:03 +01:00
fcntl.c fs: Fix file_set_fowner LSM hook inconsistencies 2024-10-04 16:29:56 +02:00
fhandle.c fs: Annotate struct file_handle with __counted_by() and use struct_size() 2024-08-19 06:04:28 +02:00
file_table.c fs: fix proc_handler for sysctl_nr_open 2025-02-08 09:51:42 +01:00
file.c fs: fix missing declaration of init_files 2025-01-23 17:21:13 +01:00
filesystems.c
fs_context.c fs: factor out vfs_parse_monolithic_sep() helper 2023-10-12 18:53:36 +03:00
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c fs/writeback: bail out if there are no more inodes for IO and queued once 2024-06-27 13:49:00 +02:00
fsopen.c
init.c
inode.c fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name 2024-12-09 10:31:41 +01:00
internal.h for-6.6/block-2023-08-28 2023-08-29 20:21:42 -07:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-01-31 16:18:54 -08:00
Kconfig mm/hugetlb: enforce that PMD PT sharing has split PMD PT locks 2025-01-17 13:36:26 +01:00
Kconfig.binfmt
kernel_read_file.c
libfs.c libfs: Use d_children list to iterate simple_offset directories 2025-02-01 18:37:54 +01:00
locks.c filelock: Fix fcntl/close race recovery compat path 2024-07-27 11:34:10 +02:00
Makefile
mbcache.c
mnt_idmapping.c
mount.h
mpage.c
namei.c fs: Create a generic is_dot_dotdot() utility 2024-10-04 16:29:48 +02:00
namespace.c mount: handle OOM on mnt_warn_timestamp_expiry 2024-10-04 16:28:51 +02:00
nsfs.c
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-11-01 01:58:32 +01:00
pipe.c fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() 2024-04-10 16:35:57 +02:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c
select.c select: Fix unbalanced user_access_end() 2025-02-08 09:51:43 +01:00
seq_file.c
signalfd.c
splice.c - Some swap cleanups from Ma Wupeng ("fix WARN_ON in add_to_avail_list") 2023-08-29 14:25:26 -07:00
stack.c
stat.c fs: Pass AT_GETATTR_NOSEC flag to getattr interface function 2023-12-03 07:33:03 +01:00
statfs.c
super.c fs: Convert to bdev_open_by_dev() 2024-08-19 06:04:25 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Fix userfaultfd_api to return EINVAL as expected 2024-07-18 13:21:22 +02:00
utimes.c
xattr.c vfs: Fix potential circular locking through setxattr() and removexattr() 2024-09-12 11:11:38 +02:00