v9fs.lists.linux.dev archive mirror
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Eric Van Hensbergen <eric.vanhensbergen@linux.dev>,
	asmadeus@codewreck.org,  Lizhi Xu <lizhi.xu@windriver.com>,
	 syzbot+7a3d75905ea1a830dbe5@syzkaller.appspotmail.com,
	 Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	 linux_oss@crudebyte.com, lucho@ionkov.net,
	 syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	v9fs@lists.linux.dev,
	 Linux Regressions <regressions@lists.linux.dev>,
	Network Development <netdev@vger.kernel.org>,
	 Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>
Subject: Re: [PATCH next] fs/9p: fix uaf in in v9fs_stat2inode_dotl
Date: Wed, 27 Mar 2024 12:02:08 -0700
Message-ID: <CAADnVQJ2SyJq25wvV2kf8Mepic_rYyGNYh7KpdGerFi6a-jQJw@mail.gmail.com>
In-Reply-To: <20240327115328.22c5b5a3@kernel.org>

On Wed, Mar 27, 2024 at 11:53 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 22 Mar 2024 08:13:12 -0700 Jakub Kicinski wrote:
> > On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> > > Patch is in the unapplied portion of my for-next tree along with
> > > another one.  I was hoping to hear some feedback on the other one
> > > before I did a pull request and was torn on whether or not I wait on
> > > -rc1 to send since we are so close.
> >
> > My guess would be that quite a few folks use 9p for in-VM kernel
> > testing. Real question is how many actually update their work tree
> > before -rc1 or even -rc2, given the anticipated merge window code
> > instability.. so maybe there's no extreme urgency?
> >
> > From netdev's perspective, FWIW, it'd be great if the fix reached
> > Linux before Thursday, which is when we will forward our tree again.
>
> Any progress on getting the fix to Linus? I didn't spot it getting
> merged.
>
> I'm a bit surprised there aren't more people complaining TBH
> I'd have thought any CI setup with KASAN enabled has a good
> chance of hitting this..

The proposed fix is a no-brainer:
https://lore.kernel.org/all/20240202121531.2550018-1-lizhi.xu@windriver.com/

+ v9fs_stat2inode_dotl(st, inode, 0);
  kfree(st);
  if (retval)
    goto error;

- v9fs_stat2inode_dotl(st, inode, 0);
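
Review bot: the relocated `v9fs_stat2inode_dotl(st, inode, 0);` on the `+` line now sits above `if (retval) goto error;`, so it runs even when retval is nonzero and fills in the inode on the failure path as well. Moving the call ahead of `kfree(st)` removes the read of freed memory, but it is worth confirming that populating an inode that is about to take the error path is harmless; the alternative is to leave the call after the check and free st on both the success and error paths once it is no longer read. A one-line comment noting that st must stay allocated until after this call would help keep the ordering from being changed back.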

Please ship it to Linus asap.
I'm surprised this bug slipped through.

It does affect bpf developers and our CI, since we run with KASAN and use 9P.


Thread overview: 9+ messages
2024-02-02  4:49 [syzbot] [v9fs?] KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl syzbot
2024-02-02 12:15 ` [PATCH next] fs/9p: fix uaf in " Lizhi Xu
2024-02-28 10:33   ` Breno Leitao
2024-03-04 13:02   ` asmadeus
2024-03-22  1:28     ` Jakub Kicinski
2024-03-22 14:26       ` Eric Van Hensbergen
2024-03-22 15:13         ` Jakub Kicinski
2024-03-27 18:53           ` Jakub Kicinski
2024-03-27 19:02             ` Alexei Starovoitov [this message]
