  3. Jun 28, 2022
      io_uring: io_close: Set owner as current->files if req->work.files uninitialized · 25c4db2a
      Zhihao Cheng authored
      hulk inclusion
      category: bugfix
      bugzilla: 186543, https://gitee.com/openeuler/kernel/issues/I5BGFA
      
      
      CVE: NA
      
      --------------------------------
      
      The following process will trigger a use-after-free problem:
      
      1. open /proc/sysvipc/msg and lock it by file lock
         fcntl_setlk
           do_lock_file_wait
             vfs_lock_file
               posix_lock_file
                 locks_insert_lock_ctx
                   locks_insert_global_locks  // Added to lock list
      2. Close /proc/sysvipc/msg by io_uring
         filp_close(close->put_file, req->work.files)  // req->work.files equals
      		NULL; io_grab_files() initializes it, but non-async operations
      		won't invoke that function.
           locks_remove_posix(filp, NULL)
             lock.fl_owner = NULL
             vfs_lock_file
               posix_lock_file
                 posix_same_owner  // Return false according to fl_owner.
      		locks_delete_lock_ctx(fl, &dispose) and locks_dispose_list
      		won't be executed, flock is not removed from lock list
            fput(filp)  // release filp
      3. Read /proc/locks
        seq_read
          locks_start  // Get flock from lock list
          locks_show
            lock_get_status
              file_inode(f->file)  // Access released file, UAF occurs!
      
      Fix it by passing current->files when req->work.files is uninitialized.
      Because the io-sq thread shares the same files with the uring_fd task,
      this still works in SQPOLL mode.
      
      Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
      Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
      Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
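The commit message above comes down to an owner-identity check: locks_remove_posix() only drops locks whose fl_owner matches the owner it is handed, so passing NULL for a lock taken by the task's files_struct leaves the lock in the global list while fput() releases the file it points to. The following is an added user-space model of that logic, written for this page and not code from the kernel or from the openEuler patch. The struct and function names loosely mirror fs/locks.c, but the list handling, the files_struct stand-in and the "freed" flag are all hypothetical simplifications: in the real kernel the dangling pointer is dereferenced by /proc/locks, which is the UAF; here it is merely counted.

```c
/* Added example: user-space model of the lock-owner check behind the
 * io_uring close UAF. NOT kernel code; names only echo fs/locks.c. */
#include <stdio.h>
#include <stdlib.h>

struct file {
    const char *name;
    int freed;                 /* model of fput() releasing the struct */
};

struct file_lock {
    void *fl_owner;            /* a files_struct pointer in the kernel */
    struct file *fl_file;
    struct file_lock *next;
};

static struct file_lock *global_locks;   /* model of the global lock list */

/* For plain POSIX locks the owner is compared by pointer identity. */
static int posix_same_owner(const struct file_lock *a, const struct file_lock *b)
{
    return a->fl_owner == b->fl_owner;
}

/* fcntl_setlk -> posix_lock_file -> locks_insert_global_locks */
static void lock_file(struct file *f, void *owner)
{
    struct file_lock *fl = calloc(1, sizeof *fl);
    fl->fl_owner = owner;
    fl->fl_file = f;
    fl->next = global_locks;
    global_locks = fl;
}

/* locks_remove_posix(filp, owner): drop owner's locks on filp.
 * Returns how many entries were removed. */
static int locks_remove_posix(struct file *f, void *owner)
{
    struct file_lock key = { .fl_owner = owner, .fl_file = f };
    struct file_lock **pp = &global_locks;
    int removed = 0;
    while (*pp) {
        struct file_lock *fl = *pp;
        if (fl->fl_file == f && posix_same_owner(fl, &key)) {
            *pp = fl->next;          /* locks_delete_lock_ctx + dispose */
            free(fl);
            removed++;
        } else {
            pp = &fl->next;
        }
    }
    return removed;
}

/* filp_close(filp, id): remove id's locks, then release the file. */
static void filp_close(struct file *f, void *id)
{
    locks_remove_posix(f, id);
    f->freed = 1;                    /* fput(filp) */
}

/* Model of the /proc/locks walk: count entries whose file is gone.
 * In the kernel, touching such an entry is the use-after-free. */
static int count_dangling_locks(void)
{
    int n = 0;
    for (struct file_lock *fl = global_locks; fl; fl = fl->next)
        if (fl->fl_file->freed)
            n++;
    return n;
}

static void reset_locks(void)
{
    while (global_locks) {
        struct file_lock *next = global_locks->next;
        free(global_locks);
        global_locks = next;
    }
}

/* Lock /proc/sysvipc/msg as current->files, then close it either with
 * NULL (unfixed io_close path) or with current->files (the fix).
 * Returns the number of dangling lock entries left behind. */
static int scenario(int pass_current_files)
{
    static char files_struct;          /* stand-in for current->files */
    static struct file msg;
    reset_locks();
    msg = (struct file){ .name = "/proc/sysvipc/msg", .freed = 0 };
    lock_file(&msg, &files_struct);
    filp_close(&msg, pass_current_files ? (void *)&files_struct : NULL);
    return count_dangling_locks();
}

int main(void)
{
    printf("req->work.files == NULL : %d dangling lock(s)\n", scenario(0));
    printf("current->files passed   : %d dangling lock(s)\n", scenario(1));
    return 0;
}
```

The model reproduces the two branches the trace describes: with a NULL owner posix_same_owner() never matches, the lock survives fput(), and the list walk finds an entry for a released file; with the task's own files pointer the lock is removed before the file is released.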
  4. Jun 27, 2022
      mm/memcontrol: fix wrong vmstats for dying memcg · b2cd06f8
      卢佳琳 authored
      hulk inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I5E8LA
      
      
      CVE: NA
      
      --------------------------------
      
      At present, only when the absolute value of stat_cpu->count exceeds
      MEMCG_CHARGE_BATCH will it be updated to stat, so there will always
      be a certain lag difference between stat and the correct value.
      
      In addition, since the partially deleted memcg is still referenced, it
      will not be freed immediately after it is offline. Although the
      remaining memcg has released its pages, its stat and the parent's stat
      will still not be 0, or will be too large, due to the update lag, which
      makes the total_<count> fields in the memory.stat file abnormal.
      
      This patch mainly solves the problem of synchronization between
      memcg's stat and the correct value during the destruction process
      from two aspects:
      1) Perform a flush synchronization operation when memcg is offline
      2) For memcg in the process of being destroyed, bypass the threshold
         judgment when updating vmstats
      
      Signed-off-by: Lu Jialin <lujialin4@huawei.com>
      Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
      Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
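The lag the commit message describes, and why both parts of its fix are needed, can be shown with a small model of the batched counter. The code below is an added example written for this page; it is not kernel code and not the openEuler patch. MEMCG_CHARGE_BATCH keeps its kernel name and value (32); the struct layout, the four-CPU layout, the flush helper and the "bypass when offline" flag are hypothetical simplifications that only follow the two aspects listed above.

```c
/* Added example: user-space model of batched per-cpu vmstat updates on a
 * dying memcg. NOT kernel code; only the batching rule is modelled. */
#include <stdio.h>
#include <stdlib.h>

#define MEMCG_CHARGE_BATCH 32   /* kernel constant; per-cpu fold threshold */
#define NR_CPUS 4               /* assumption for the model */

struct memcg {
    long stat;                  /* value visible through memory.stat */
    long stat_cpu[NR_CPUS];     /* per-cpu pending deltas (stat_cpu->count) */
    int  offline;               /* set once the cgroup is being destroyed */
    int  bypass_when_offline;   /* aspect 2 of the fix: skip the threshold */
};

/* mod_memcg_state: accumulate per cpu; fold into ->stat only once the
 * pending delta exceeds MEMCG_CHARGE_BATCH (or, with the fix, whenever the
 * memcg is offline). */
static void mod_memcg_state(struct memcg *m, int cpu, long delta)
{
    long x = m->stat_cpu[cpu] + delta;
    int force = m->offline && m->bypass_when_offline;
    if (labs(x) > MEMCG_CHARGE_BATCH || force) {
        m->stat += x;
        x = 0;
    }
    m->stat_cpu[cpu] = x;
}

/* Aspect 1 of the fix: fold every pending per-cpu delta into ->stat. */
static void memcg_flush_stats(struct memcg *m)
{
    for (int c = 0; c < NR_CPUS; c++) {
        m->stat += m->stat_cpu[c];
        m->stat_cpu[c] = 0;
    }
}

/* Charge 40 pages on cpu 0, take the memcg offline, then uncharge the same
 * 40 pages from cpus 1..3 as the remaining references are dropped.
 * The correct final value of ->stat is 0; anything else is the lag. */
static long dying_memcg_stat(int flush_on_offline, int bypass_when_offline)
{
    struct memcg m = { 0 };
    const int pages = 40;
    m.bypass_when_offline = bypass_when_offline;

    for (int i = 0; i < pages; i++)
        mod_memcg_state(&m, 0, +1);          /* folds 33, leaves 7 pending */

    m.offline = 1;
    if (flush_on_offline)
        memcg_flush_stats(&m);

    for (int i = 0; i < pages; i++)
        mod_memcg_state(&m, 1 + i % 3, -1);  /* 14/13/13, none past the batch */

    return m.stat;
}

int main(void)
{
    printf("no fix            : stat=%ld\n", dying_memcg_stat(0, 0));
    printf("flush only        : stat=%ld\n", dying_memcg_stat(1, 0));
    printf("bypass only       : stat=%ld\n", dying_memcg_stat(0, 1));
    printf("flush + bypass    : stat=%ld\n", dying_memcg_stat(1, 1));
    return 0;
}
```

Without the fix the folded 33 pages never come back because no uncharging CPU crosses the batch threshold, so a memcg that holds nothing still reports memory. Flushing on offline alone fixes the deltas pending before offline but not the uncharges that arrive afterwards; bypassing the threshold alone fixes the later uncharges but leaves the earlier pending delta stranded. Only the combination reaches the correct value, which is why the commit does both.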
  5. Jun 25, 2022
      ext4: recover csum seed of tmp_inode after migrating to extents · 8fbfe233
      Li Lingfeng authored
      hulk inclusion
      category: bugfix
      bugzilla: 186944, https://gitee.com/openeuler/kernel/issues/I5DAJY
      
      
      CVE: NA
      
      --------------------------------
      
      When migrating to extents, the checksum seed of the temporary inode
      needs to be replaced by the inode's, otherwise the inode checksums
      will be incorrect when swapping the inodes' data.
      
      However, the temporary inode cannot match its checksum to itself
      since it has lost its own checksum seed.
      
      mkfs.ext4 -F /dev/sdc
      mount /dev/sdc /mnt/sdc
      xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile
      chattr -e /mnt/sdc/testfile
      chattr +e /mnt/sdc/testfile
      fsck -fn /dev/sdc
      
      ========
      ...
      Pass 1: Checking inodes, blocks, and sizes
      Inode 13 passes checks, but checksum does not match inode.  Fix? no
      ...
      ========
      
      The fix is simple, save the checksum seed of temporary inode, and
      recover it after migrating to extents.
      
      Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents")
      Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
      Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
      Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>