Commit e5db2c5c authored by Dongliang Mu's avatar Dongliang Mu Committed by Zheng Zengkai
Browse files

fs: fix UAF/GPF bug in nilfs_mdt_destroy 

mainline inclusion
from mainline-v6.1-rc1
commit 2e488f13
category: bugfix
bugzilla: 187543, https://gitee.com/src-openeuler/kernel/issues/I5NZ98
CVE: CVE-2022-2978

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=2e488f13755ffbb60f307e991b27024716a33b29

-------------------------------

In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes(e.g., UAF/GPF).

Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)

Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com


Reported-by: default avatarbutt3rflyh4ck <butterflyhuangxx@gmail.com>
Reported-by: default avatarHao Sun <sunhao.th@gmail.com>
Reported-by: default avatarJiacheng Xu <stitch@zju.edu.cn>
Reviewed-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: default avatarDongliang Mu <mudongliangabcd@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarLi Lingfeng <lilingfeng3@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 1abe4c14
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment