Public bug reported:

SRU Justification

Impact: All non-special files (for shiftfs this only includes fifos and,
for this case, unix sockets, since we don't allow character and block
devices to be created) go through shiftfs_open() and have their dentry
pinned through this codepath, preventing it from going negative. But
fifos don't use the shiftfs fops; they use pipefifo_fops instead, which
means they do not go through shiftfs_open() and thus don't have their
dentry pinned that way. As a result, the lower dentries for such files
can go negative on unlink, causing segfaults. The following C program can
be used to reproduce the crash:

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>

int main(void)
{
        struct stat st;

        /* Remove any leftover from an earlier run. */
        unlink("./bbb");

        /* A fifo uses pipefifo_fops, so shiftfs_open() is never called for it. */
        int ret = mknod("./bbb", S_IFIFO|0666, 0);
        if (ret < 0)
                exit(1);

        /* O_RDWR so the open does not block waiting for a peer. */
        int fd = open("./bbb", O_RDWR);
        if (fd < 0)
                exit(2);

        /* Unlink while the fifo is still open: the lower dentry can now go negative. */
        if (unlink("./bbb"))
                exit(4);

        /* On an affected kernel this fstat() on the unlinked fifo crashes the kernel. */
        fstat(fd, &st);

        return 0;
}

Fix: Similar to ecryptfs we need to dget() the lower dentry before
calling vfs_unlink() on it and dput() it afterwards.

Regression Potential: Limited to shiftfs.

Test Case: Compiled a kernel with the fix and used the reproducer above
to verify that the kernel cannot be crashed anymore.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Christian Brauner (cbrauner)
         Status: In Progress

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

** Changed in: linux (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Christian Brauner (cbrauner)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1860041

Title:
  shiftfs: prevent lower dentries from going negative during unlink

Status in linux package in Ubuntu:
  In Progress

