From: Andrew Morton on 12 May 2010 23:20

On Wed, 12 May 2010 12:08:00 -0400 Eric Paris <eparis(a)redhat.com> wrote:

> From: root <root(a)tyan-gt24-04.rhts.eng.bos.redhat.com>

hm.

> There is a race in the inotify add/rm watch code. A task can find and
> remove a mark which doesn't have all of its references. This can
> result in a use after free/double free situation.
>
> Task A                                  Task B
> ------------                            -----------
> inotify_new_watch()
> allocate a mark (refcnt == 1)
> add it to the idr
>                                         inotify_rm_watch()
>                                         inotify_remove_from_idr()
>                                         fsnotify_put_mark()
>                                         refcnt hits 0, free
> take reference because we are on idr
> [at this point it is a use after free]
> [time goes on]
> refcnt may hit 0 again, double free
>
> The fix is to take the reference BEFORE the object can be found in the
> idr.
>
> Signed-off-by: Eric Paris <eparis(a)redhat.com>

The changelog has no "Cc: <stable(a)kernel.org>". I suspect it should
have that?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
From: Eric Paris on 13 May 2010 07:40
On Wed, 2010-05-12 at 20:16 -0400, Andrew Morton wrote:
> On Wed, 12 May 2010 12:08:00 -0400 Eric Paris <eparis(a)redhat.com> wrote:
>
> > From: root <root(a)tyan-gt24-04.rhts.eng.bos.redhat.com>
>
> hm.

Well poop. That's what I get for using git on a random test box. I moved
it to my real tree with git-format-patch > git-am. I'll fix the author.

> > There is a race in the inotify add/rm watch code. A task can find and
> > remove a mark which doesn't have all of its references. This can
> > result in a use after free/double free situation.
> >
> > Task A                                  Task B
> > ------------                            -----------
> > inotify_new_watch()
> > allocate a mark (refcnt == 1)
> > add it to the idr
> >                                         inotify_rm_watch()
> >                                         inotify_remove_from_idr()
> >                                         fsnotify_put_mark()
> >                                         refcnt hits 0, free
> > take reference because we are on idr
> > [at this point it is a use after free]
> > [time goes on]
> > refcnt may hit 0 again, double free
> >
> > The fix is to take the reference BEFORE the object can be found in the
> > idr.
> >
> > Signed-off-by: Eric Paris <eparis(a)redhat.com>
>
> The changelog has no "Cc: <stable(a)kernel.org>". I suspect it should
> have that?

Will fix before I ask Linus to pull....

-Eric
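The race in the quoted changelog, and the ordering the fix imposes, replayed as an added toy model in C. This is not the patch or any kernel code: struct mark, idr_slot, mark_get/mark_put, task_b_rm_watch, run_buggy and run_fixed are names assumed for the illustration, the "idr" is a single pointer slot, and "freed" is a flag rather than a real release so that the use-after-free and the double free can be counted instead of crashing. Each run_* function executes the Task A / Task B interleaving from the table above deterministically, in the order shown there.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for an inotify mark (assumed layout, not the kernel's). */
struct mark {
    int refcnt;
    bool freed;          /* set once refcnt reaches 0: the object is "gone" */
};

/* What a run observed: how often the object hit refcnt 0, and how many
 * operations touched it after it had already been freed. */
struct outcome {
    int frees;           /* 2 here means a double free */
    int uaf;             /* >0 means use after free */
};

static struct mark *idr_slot;   /* toy single-slot idr: non-NULL == findable */

static void mark_get(struct mark *m, struct outcome *o)
{
    if (m->freed)
        o->uaf++;        /* taking a reference on freed memory */
    m->refcnt++;
}

static void mark_put(struct mark *m, struct outcome *o)
{
    if (m->freed)
        o->uaf++;        /* dropping a reference on freed memory */
    if (--m->refcnt == 0) {
        m->freed = true;
        o->frees++;      /* reaching this a second time is the double free */
    }
}

/* Task B, inotify_rm_watch(): find the mark in the idr, remove it, and
 * drop the reference the idr held (inotify_remove_from_idr + fsnotify_put_mark). */
static void task_b_rm_watch(struct outcome *o)
{
    struct mark *m = idr_slot;
    if (!m)
        return;          /* nothing published yet: B finds nothing */
    idr_slot = NULL;
    mark_put(m, o);
}

/* Buggy ordering from the changelog: publish in the idr first, take the
 * idr's reference afterwards. B can slip in between the two. */
struct outcome run_buggy(void)
{
    struct outcome o = {0, 0};
    struct mark m = { .refcnt = 1, .freed = false };  /* allocate, refcnt == 1 */

    idr_slot = &m;                /* add it to the idr: B can now find it */
    task_b_rm_watch(&o);          /* B: remove + put, refcnt 1 -> 0, freed */
    mark_get(&m, &o);             /* A: "take reference because we are on idr" */
    mark_put(&m, &o);             /* A, later: refcnt hits 0 again */
    return o;                     /* {frees = 2, uaf = 2} */
}

/* Fixed ordering: take the idr's reference BEFORE the mark is findable,
 * so whoever finds it in the idr always owns a reference of its own. */
struct outcome run_fixed(void)
{
    struct outcome o = {0, 0};
    struct mark m = { .refcnt = 1, .freed = false };

    mark_get(&m, &o);             /* idr's reference first: refcnt == 2 */
    idr_slot = &m;                /* only now publish it */
    task_b_rm_watch(&o);          /* B: remove + put, refcnt 2 -> 1 */
    mark_put(&m, &o);             /* A drops its own reference: 1 -> 0, freed once */
    return o;                     /* {frees = 1, uaf = 0} */
}

int main(void)
{
    struct outcome b = run_buggy();
    struct outcome f = run_fixed();

    printf("buggy ordering: frees=%d, operations after free=%d\n", b.frees, b.uaf);
    printf("fixed ordering: frees=%d, operations after free=%d\n", f.frees, f.uaf);
    return 0;
}
```

The model has no threads on purpose: the changelog's table already fixes the one interleaving that matters, and the point of the fix is ordering, not locking. Once the reference is taken before publication, every path that can find the object in the idr is guaranteed a reference that is not the allocator's, and the only remaining put from Task A is on its own still-live reference.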