| From: Luís Henriques <ocfs2-devel@oss.oracle.com> |
| Subject: ocfs2: fix use-after-free when unmounting read-only filesystem |
| Date: Mon, 22 May 2023 11:21:12 +0100 |
| |
| It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using |
| fstest generic/452. After a read-only remount, quotas are suspended and |
| ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting |
| the filesystem, an UAF access to the oinfo will eventually cause a crash. |
| |
| BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 |
| Read of size 8 at addr ffff8880389a8208 by task umount/669 |
| ... |
| Call Trace: |
| <TASK> |
| ... |
| timer_delete+0x54/0xc0 |
| try_to_grab_pending+0x31/0x230 |
| __cancel_work_timer+0x6c/0x270 |
| ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2] |
| ocfs2_dismount_volume+0xdd/0x450 [ocfs2] |
| generic_shutdown_super+0xaa/0x280 |
| kill_block_super+0x46/0x70 |
| deactivate_locked_super+0x4d/0xb0 |
| cleanup_mnt+0x135/0x1f0 |
| ... |
| </TASK> |
| |
| Allocated by task 632: |
| kasan_save_stack+0x1c/0x40 |
| kasan_set_track+0x21/0x30 |
| __kasan_kmalloc+0x8b/0x90 |
| ocfs2_local_read_info+0xe3/0x9a0 [ocfs2] |
| dquot_load_quota_sb+0x34b/0x680 |
| dquot_load_quota_inode+0xfe/0x1a0 |
| ocfs2_enable_quotas+0x190/0x2f0 [ocfs2] |
| ocfs2_fill_super+0x14ef/0x2120 [ocfs2] |
| mount_bdev+0x1be/0x200 |
| legacy_get_tree+0x6c/0xb0 |
| vfs_get_tree+0x3e/0x110 |
| path_mount+0xa90/0xe10 |
| __x64_sys_mount+0x16f/0x1a0 |
| do_syscall_64+0x43/0x90 |
| entry_SYSCALL_64_after_hwframe+0x72/0xdc |
| |
| Freed by task 650: |
| kasan_save_stack+0x1c/0x40 |
| kasan_set_track+0x21/0x30 |
| kasan_save_free_info+0x2a/0x50 |
| __kasan_slab_free+0xf9/0x150 |
| __kmem_cache_free+0x89/0x180 |
| ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2] |
| dquot_disable+0x35f/0xa70 |
| ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2] |
| ocfs2_remount+0x150/0x580 [ocfs2] |
| reconfigure_super+0x1a5/0x3a0 |
| path_mount+0xc8a/0xe10 |
| __x64_sys_mount+0x16f/0x1a0 |
| do_syscall_64+0x43/0x90 |
| entry_SYSCALL_64_after_hwframe+0x72/0xdc |
| |
| Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de |
| Signed-off-by: Luís Henriques <lhenriques@suse.de> |
| Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> |
| Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com> |
| Cc: Mark Fasheh <mark@fasheh.com> |
| Cc: Joel Becker <jlbec@evilplan.org> |
| Cc: Junxiao Bi <junxiao.bi@oracle.com> |
| Cc: Changwei Ge <gechangwei@live.cn> |
| Cc: Gang He <ghe@suse.com> |
| Cc: Jun Piao <piaojun@huawei.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| fs/ocfs2/super.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/fs/ocfs2/super.c~ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem |
| +++ a/fs/ocfs2/super.c |
| @@ -952,8 +952,10 @@ static void ocfs2_disable_quotas(struct |
| for (type = 0; type < OCFS2_MAXQUOTAS; type++) { |
| if (!sb_has_quota_loaded(sb, type)) |
| continue; |
| - oinfo = sb_dqinfo(sb, type)->dqi_priv; |
| - cancel_delayed_work_sync(&oinfo->dqi_sync_work); |
| + if (!sb_has_quota_suspended(sb, type)) { |
| + oinfo = sb_dqinfo(sb, type)->dqi_priv; |
| + cancel_delayed_work_sync(&oinfo->dqi_sync_work); |
| + } |
| inode = igrab(sb->s_dquot.files[type]); |
| /* Turn off quotas. This will remove all dquot structures from |
| * memory and so they will be automatically synced to global |
| _ |
