* [PATCH] io_uring: set table->files[i] to NULL when io_sqe_file_register failed
From: Jiufei Xue @ 2020-09-02  9:59 UTC (permalink / raw)
  To: io-uring, axboe

When io_sqe_file_register() fails in __io_sqe_files_update(),
table->files[i] still points to the original file, which may be freed
soon, and that will trigger use-after-free problems.

Signed-off-by: Jiufei Xue <[email protected]>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ce69bd9..0092418 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7353,6 +7353,7 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
 			table->files[index] = file;
 			err = io_sqe_file_register(ctx, file, i);
 			if (err) {
+				table->files[index] = NULL;
 				fput(file);
 				break;
 			}
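Review bot: the patch carries no Fixes: or Cc: stable tag even though the commit message describes a use-after-free reachable from an error path; add a `Fixes:` line naming the commit that introduced the `fput(file)` on this path and `Cc: [email protected]` so the fix is picked up by stable branches. Clearing the slot before `fput(file)` is the right order, since the stale pointer in `table->files[index]` is exactly what outlives the reference being dropped. A smaller variant worth considering is assigning `table->files[index] = file;` only after `io_sqe_file_register()` succeeds, which removes the need to clear it, provided the register function does not itself rely on the slot being populated.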
-- 
1.8.3.1


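The failure mode described in the commit message, as an added example that is not the kernel's or the author's code: a mock file table with a refcounted stand-in for fput() makes the dangling slot observable, and `clear_on_fail` toggles the one-line fix. The later table walk that would dereference the freed file is assumed here for illustration.

```c
/* Added example, not kernel code: mock of the slot/refcount pattern in __io_sqe_files_update(). */
#include <stddef.h>
#include <stdbool.h>
#define NSLOTS 4
struct mock_file { int refcount; bool freed; };
struct mock_table { struct mock_file *files[NSLOTS]; };
/* Stand-in for fput(): drop a reference; the last drop "frees" f. */
static void mock_fput(struct mock_file *f)
{
    if (f->refcount > 0 && --f->refcount == 0)
        f->freed = true;
}
/* Stand-in for io_sqe_file_register(); fails on request. */
static int mock_register(bool fail) { return fail ? -1 : 0; }

/* Mirrors the hunk: the slot is filled before registering. Without
 * clear_on_fail the slot keeps a dangling pointer after fput(). */
static int install(struct mock_table *t, int slot, struct mock_file *f,
                   bool reg_fails, bool clear_on_fail)
{
    t->files[slot] = f;
    if (mock_register(reg_fails)) {
        if (clear_on_fail)
            t->files[slot] = NULL;   /* the one-line fix */
        mock_fput(f);
        return -1;
    }
    return 0;
}

/* Slots still pointing at a freed file; a later table walk (assumed
 * here for illustration) would dereference them. */
static int dangling_slots(const struct mock_table *t)
{
    int n = 0;
    for (int i = 0; i < NSLOTS; i++)
        if (t->files[i] && t->files[i]->freed)
            n++;
    return n;
}

/* Fresh table, file with one reference, registration forced to fail;
 * returns the number of dangling slots left behind. */
static int scenario(bool clear_on_fail)
{
    struct mock_table t = {0};
    struct mock_file f = { 1, false };
    install(&t, 2, &f, true, clear_on_fail);
    return dangling_slots(&t);   /* 1 without the fix, 0 with it */
}
```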

* Re: [PATCH] io_uring: set table->files[i] to NULL when io_sqe_file_register failed
From: Jens Axboe @ 2020-09-02 14:12 UTC (permalink / raw)
  To: Jiufei Xue, io-uring

On 9/2/20 3:59 AM, Jiufei Xue wrote:
> When io_sqe_file_register() fails in __io_sqe_files_update(),
> table->files[i] still points to the original file, which may be freed
> soon, and that will trigger use-after-free problems.

Applied, thanks.

-- 
Jens Axboe



* missing backport markings on security fix [was: [PATCH] io_uring: set table->files[i] to NULL when io_sqe_file_register failed]
From: Jann Horn @ 2020-09-02 15:07 UTC (permalink / raw)
  To: Jens Axboe; +Cc: Jiufei Xue, io-uring, stable

On Wed, Sep 2, 2020 at 4:49 PM Jens Axboe <[email protected]> wrote:
> On 9/2/20 3:59 AM, Jiufei Xue wrote:
> > When io_sqe_file_register() fails in __io_sqe_files_update(),
> > table->files[i] still points to the original file, which may be freed
> > soon, and that will trigger use-after-free problems.
>
> Applied, thanks.

Shouldn't this have a CC stable tag and a fixes tag on it? AFAICS this
is a fix for a UAF that exists since
f3bd9dae3708a0ff6b067e766073ffeb853301f9 ("io_uring: fix memleak in
__io_sqe_files_update()"), and that commit was marked for stable
backporting back to when c3a31e605620 landed, and that commit was
introduced in Linux 5.5.

You can see at <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/io_uring.c?h=linux-5.8.y#n6933>
that this security vulnerability currently exists in the stable 5.8
branch.


* Re: missing backport markings on security fix [was: [PATCH] io_uring: set table->files[i] to NULL when io_sqe_file_register failed]
From: Jens Axboe @ 2020-09-02 15:11 UTC (permalink / raw)
  To: Jann Horn; +Cc: Jiufei Xue, io-uring, stable

On 9/2/20 9:07 AM, Jann Horn wrote:
> On Wed, Sep 2, 2020 at 4:49 PM Jens Axboe <[email protected]> wrote:
>> On 9/2/20 3:59 AM, Jiufei Xue wrote:
>>> When io_sqe_file_register() fails in __io_sqe_files_update(),
>>> table->files[i] still points to the original file, which may be freed
>>> soon, and that will trigger use-after-free problems.
>>
>> Applied, thanks.
> 
> Shouldn't this have a CC stable tag and a fixes tag on it? AFAICS this
> is a fix for a UAF that exists since
> f3bd9dae3708a0ff6b067e766073ffeb853301f9 ("io_uring: fix memleak in
> __io_sqe_files_update()"), and that commit was marked for stable
> backporting back to when c3a31e605620 landed, and that commit was
> introduced in Linux 5.5.
> 
> You can see at <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/io_uring.c?h=linux-5.8.y#n6933>
> that this security vulnerability currently exists in the stable 5.8
> branch.

I'll mark it for stable; it should have been, just like the previous one
is.

-- 
Jens Axboe


