diff options
| author | yangerkun <yangerkun@huawei.com> | 2021-09-30 06:22:28 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2021-10-29 14:48:19 +0300 |
| commit | 9a254403760041528bc8f69fe2f5e1ef86950991 (patch) | |
| tree | 8f18843e1fb6bf5cf3b9a9ab2ed6f91737c2eeb8 /fs/binfmt_aout.c | |
| parent | 1dc1eed46f9fa4cb8a07baa24fb44c96d6dd35c9 (diff) | |
| download | linux-9a254403760041528bc8f69fe2f5e1ef86950991.tar.xz | |
ovl: fix use after free in struct ovl_aio_req
Example for triggering use after free in a overlay on ext4 setup:
aio_read
ovl_read_iter
vfs_iter_read
ext4_file_read_iter
ext4_dio_read_iter
iomap_dio_rw -> -EIOCBQUEUED
/*
* Here IO is completed in a separate thread,
* ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
*/
file_accessed(iocb->ki_filp); /**BOOM**/
Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb. This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.
Fixes: 2406a307ac7d ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/binfmt_aout.c')
0 files changed, 0 insertions, 0 deletions