From patchwork Sun Feb 26 12:49:47 2023
X-Patchwork-Submitter: Dongliang Mu
X-Patchwork-Id: 61604
From: Dongliang Mu
To: Bart Van Assche, Andrew Morton, Roman Gushchin, "Theodore Ts'o", Muchun Song
Cc: Dongliang Mu, syzbot+57e3e98f7e3b80f64d56@syzkaller.appspotmail.com, Jens Axboe, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs: hfsplus: Fix UAF issue in hfsplus_put_super
Date: Sun, 26 Feb 2023 20:49:47 +0800
Message-Id: <20230226124948.3175736-1-mudongliangabcd@gmail.com>
X-Mailer: git-send-email 2.39.1

The current hfsplus_put_super first calls hfs_btree_close on sbi->ext_tree,
then invokes iput on sbi->hidden_dir, resulting in a use-after-free issue
in hfsplus_release_folio.

As shown in hfsplus_fill_super, the error handling code also calls iput
before hfs_btree_close. To fix this error, we move all iput calls before
hfsplus_btree_close.

Note that this patch is tested on Syzbot.

Reported-by: syzbot+57e3e98f7e3b80f64d56@syzkaller.appspotmail.com
Tested-by: Dongliang Mu
Signed-off-by: Dongliang Mu
---
 fs/hfsplus/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
index 122ed89ebf9f..1986b4f18a90 100644
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -295,11 +295,11 @@ static void hfsplus_put_super(struct super_block *sb) hfsplus_sync_fs(sb, 1); } + iput(sbi->alloc_file); + iput(sbi->hidden_dir); hfs_btree_close(sbi->attr_tree); hfs_btree_close(sbi->cat_tree); hfs_btree_close(sbi->ext_tree); - iput(sbi->alloc_file); - iput(sbi->hidden_dir); kfree(sbi->s_vhdr_buf); kfree(sbi->s_backup_vhdr_buf); unload_nls(sbi->nls);
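Review bot: the commit message says the iput() calls are moved before "hfsplus_btree_close", but the function called in this hunk is hfs_btree_close(); please make the message match the code so the log stays greppable. The reordering itself matches the stated rationale: iput(sbi->alloc_file) and iput(sbi->hidden_dir) now run before the three hfs_btree_close() calls on attr_tree, cat_tree and ext_tree, so eviction of those inodes can no longer reach a tree that has already been torn down, and the kfree()/unload_nls() tail after the trees is unchanged. Since this is a use-after-free with a syzbot reproducer, the patch should also carry a Fixes: tag naming the commit that introduced this ordering and a Cc: stable line; it currently has neither. Minor: a Tested-by: from the patch author is redundant with the Signed-off-by: and is normally dropped.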
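The ordering bug the commit message describes (a B-tree freed first, then an inode whose eviction still consults that tree) is easy to reproduce outside the kernel. The following is an added user-space model, not code from the patch or from fs/hfsplus: `model_tree` stands in for `sbi->ext_tree`, `model_inode` for `sbi->hidden_dir` and `sbi->alloc_file`, and `iput_model()` does what the real eviction path does, namely touch the extent tree before releasing the inode. Rather than relying on a crash or KASAN, `tree_close()` frees the tree's backing storage and marks the struct closed, and every later lookup is counted as a use-after-close. All names and the two-inode/four-node layout are hypothetical; `simulate_put_super(1)` runs the pre-patch order, `simulate_put_super(0)` the patched order.

```c
/* Added example (not from the patch or the hfsplus code): model of the
 * teardown-ordering use-after-free in hfsplus_put_super(). All names are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct model_tree {
    int closed;           /* set by tree_close(); any access after this is a UAF */
    int *nodes;           /* backing storage, freed by tree_close() */
    unsigned int nnodes;
};

struct model_inode {
    struct model_tree *ext_tree;   /* dependency, like the extent tree in the sbi */
    int refcount;
};

struct model_sbi {
    struct model_tree *ext_tree;
    struct model_inode *hidden_dir;
    struct model_inode *alloc_file;
    int uaf_detected;              /* tripwire: lookups on a closed tree */
};

/* Stand-in for hfs_btree_open(): allocate a tree with nnodes entries. */
static struct model_tree *tree_open(unsigned int nnodes)
{
    struct model_tree *t = calloc(1, sizeof(*t));
    if (!t)
        abort();
    t->nodes = calloc(nnodes, sizeof(*t->nodes));
    if (!t->nodes)
        abort();
    t->nnodes = nnodes;
    for (unsigned int i = 0; i < nnodes; i++)
        t->nodes[i] = (int)i * 8;
    return t;
}

/* Stand-in for hfs_btree_close(): the tree's contents are gone after this.
 * The struct itself is kept alive only so the tripwire can observe late
 * accesses; the real kernel frees it, which is what makes the bug a UAF. */
static void tree_close(struct model_tree *t)
{
    free(t->nodes);
    t->nodes = NULL;
    t->closed = 1;
}

/* Lookup performed from the eviction path (the real code reads extents
 * through the extent tree). Counts accesses to a closed tree instead of
 * dereferencing freed memory. */
static int tree_lookup(struct model_sbi *sbi, struct model_tree *t, unsigned int idx)
{
    if (t->closed) {
        sbi->uaf_detected++;
        return -1;
    }
    return t->nodes[idx % t->nnodes];
}

static struct model_inode *iget_model(struct model_tree *t)
{
    struct model_inode *in = calloc(1, sizeof(*in));
    if (!in)
        abort();
    in->ext_tree = t;
    in->refcount = 1;
    return in;
}

/* Final iput(): eviction needs the extent tree before the inode is freed. */
static void iput_model(struct model_sbi *sbi, struct model_inode *in)
{
    if (--in->refcount > 0)
        return;
    (void)tree_lookup(sbi, in->ext_tree, 0);
    free(in);
}

/* Returns the number of tree accesses that happened after tree_close().
 * close_trees_first=1 is the order before the patch, 0 the patched order. */
int simulate_put_super(int close_trees_first)
{
    struct model_sbi sbi = {0};

    sbi.ext_tree = tree_open(4);
    sbi.hidden_dir = iget_model(sbi.ext_tree);
    sbi.alloc_file = iget_model(sbi.ext_tree);

    if (close_trees_first) {
        tree_close(sbi.ext_tree);
        iput_model(&sbi, sbi.alloc_file);
        iput_model(&sbi, sbi.hidden_dir);
    } else {
        iput_model(&sbi, sbi.alloc_file);
        iput_model(&sbi, sbi.hidden_dir);
        tree_close(sbi.ext_tree);
    }
    free(sbi.ext_tree);
    return sbi.uaf_detected;
}

int main(void)
{
    printf("btree close, then iput: %d use-after-close accesses\n", simulate_put_super(1));
    printf("iput, then btree close: %d use-after-close accesses\n", simulate_put_super(0));
    return 0;
}
```

The general rule the model illustrates: objects must be torn down in reverse order of the dependencies their destructors exercise. Here the inodes depend on the tree, so the last iput() has to precede hfs_btree_close(), which is exactly what the hunk above does and what hfsplus_fill_super's error path already did.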