** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Eoan)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Disco)
Status: New => In Progress
** Changed in: linux (Ubuntu Eoan)
Status: New => In Progress
https://bugs.launchpad.net/bugs/1860041
Title:
shiftfs: prevent lower dentries from going negative during unlink
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Disco:
In Progress
Status in linux source package in Eoan:
In Progress
Bug description:
SRU Justification
Impact: All non-special files (For shiftfs this only includes fifos
and - for this case - unix sockets - since we don't allow character
and block devices to be created.) go through shiftfs_open() and have
their dentry pinned through this codepath preventing it from going
negative. But fifos don't use the shiftfs fops but rather use the
pipefifo_fops which means they do not go through shiftfs_open() and
thus don't have their dentry pinned that way. Thus, the lower dentries
for such files can go negative on unlink causing segfaults. The
following C program can be used to reproduce the crash:
```c
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Run this from inside a shiftfs mount on an unpatched kernel:
 * the fifo is opened through pipefifo_fops, so shiftfs never pins
 * its lower dentry; unlink() then lets it go negative and the
 * final fstat() on the still-open fd crashes the kernel. */
int main(int argc, char *argv[])
{
	struct stat st;

	/* Start from a clean state; a stale ./bbb is harmless here. */
	unlink("./bbb");

	/* Create the fifo (a "special" file that bypasses shiftfs_open()). */
	if (mknod("./bbb", S_IFIFO | 0666, 0) < 0)
		exit(1);

	/* O_RDWR so the open does not block waiting for a peer. */
	int fd = open("./bbb", O_RDWR);
	if (fd < 0)
		exit(2);

	/* Remove the name while the fd is still open. */
	if (unlink("./bbb"))
		exit(4);

	/* On an affected kernel this dereferences the negative lower dentry. */
	fstat(fd, &st);
	close(fd);
	return 0;
}
```
Fix: Similar to ecryptfs we need to dget() the lower dentry before
calling vfs_unlink() on it and dput() it afterwards.
Regression Potential: Limited to shiftfs.
Test Case: Compiled a kernel with the fix and used the reproducer
above to verify that the kernel cannot be crashed anymore.