Message ID | 20240712012622.2234811-1-yuxuan.luo@canonical.com
---|---
Series | CVE-2023-52760
On Thu, Jul 11, 2024 at 09:26:20PM -0400, Yuxuan Luo wrote:
> [Impact]
> A potential use-after-free may occur in the gfs2 file system when unmounting
> the fs, which puts the system's control integrity at risk.
>
> [Backport]
> The fix commit, bdcb8aa434c6 ("gfs2: Fix slab-use-after-free in
> gfs2_qd_dealloc"), addresses two problems:
>
> 1) UAF caused by gfs2_quota_cleanup() not being called if not already
> withdrawn: "[otherwise], struct gfs2_sbd will be freed before
> gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects".
> 2) Double-free by calling gfs2_quota_cleanup() twice if not in read-only
> mode.
>
> The second issue was introduced by f66af88e3321 ("gfs2: Stop using
> gfs2_make_fs_ro for withdraw"), while the first one predates it, existing
> in very old kernels. To solve the first one, only call gfs2_quota_cleanup()
> if gfs2_make_fs_ro() is not called, since gfs2_make_fs_ro() calls
> gfs2_quota_cleanup() as well.
>
> [Test]
> Compile and boot tested only.
>
> [Where things could go wrong]
> Regression might occur when unmounting the fs.
>
> Juntong Deng (1):
>   gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
>
>  fs/gfs2/super.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
On Thu, Jul 11, 2024 at 9:27 PM Yuxuan Luo <yuxuan.luo@canonical.com> wrote:
>
> [Impact]
> A potential use-after-free may occur in the gfs2 file system when unmounting
> the fs, which puts the system's control integrity at risk.
>
> [Backport]
> The fix commit, bdcb8aa434c6 ("gfs2: Fix slab-use-after-free in
> gfs2_qd_dealloc"), addresses two problems:
>
> 1) UAF caused by gfs2_quota_cleanup() not being called if not already
> withdrawn: "[otherwise], struct gfs2_sbd will be freed before
> gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects".
> 2) Double-free by calling gfs2_quota_cleanup() twice if not in read-only
> mode.
>
> The second issue was introduced by f66af88e3321 ("gfs2: Stop using
> gfs2_make_fs_ro for withdraw"), while the first one predates it, existing
> in very old kernels. To solve the first one, only call gfs2_quota_cleanup()
> if gfs2_make_fs_ro() is not called, since gfs2_make_fs_ro() calls
> gfs2_quota_cleanup() as well.
>
> [Test]
> Compile and boot tested only.
>
> [Where things could go wrong]
> Regression might occur when unmounting the fs.
>
> Juntong Deng (1):
>   gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
>
>  fs/gfs2/super.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> --

Acked-by: Kevin Becker <kevin.becker@canonical.com>
On 12.07.24 03:26, Yuxuan Luo wrote:
> [Impact]
> A potential use-after-free may occur in the gfs2 file system when unmounting
> the fs, which puts the system's control integrity at risk.
>
> [Backport]
> The fix commit, bdcb8aa434c6 ("gfs2: Fix slab-use-after-free in
> gfs2_qd_dealloc"), addresses two problems:
>
> 1) UAF caused by gfs2_quota_cleanup() not being called if not already
> withdrawn: "[otherwise], struct gfs2_sbd will be freed before
> gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects".
> 2) Double-free by calling gfs2_quota_cleanup() twice if not in read-only
> mode.
>
> The second issue was introduced by f66af88e3321 ("gfs2: Stop using
> gfs2_make_fs_ro for withdraw"), while the first one predates it, existing
> in very old kernels. To solve the first one, only call gfs2_quota_cleanup()
> if gfs2_make_fs_ro() is not called, since gfs2_make_fs_ro() calls
> gfs2_quota_cleanup() as well.
>
> [Test]
> Compile and boot tested only.
>
> [Where things could go wrong]
> Regression might occur when unmounting the fs.
>
> Juntong Deng (1):
>   gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
>
>  fs/gfs2/super.c | 2 ++
>  1 file changed, 2 insertions(+)
>

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan