    io_uring: io_close: Set owner as current->files if req->work.files uninitialized · 25c4db2a
    Committed by Zhihao Cheng
    hulk inclusion
    category: bugfix
    bugzilla: 186543, https://gitee.com/openeuler/kernel/issues/I5BGFA
    CVE: NA
    
    --------------------------------
    
    The following process will trigger a use-after-free problem:
    
    1. open /proc/sysvipc/msg and lock it by file lock
       fcntl_setlk
         do_lock_file_wait
           vfs_lock_file
             posix_lock_file
               locks_insert_lock_ctx
                 locks_insert_global_locks  // Added to lock list
    2. Close /proc/sysvipc/msg by io_uring
       filp_close(close->put_file, req->work.files)  // req->work.files equals NULL;
                                                     // io_grab_files() initializes it,
                                                     // non-async operations won't invoke
                                                     // the function.
         locks_remove_posix(filp, NULL)
           lock.fl_owner = NULL
           vfs_lock_file
             posix_lock_file
               posix_same_owner  // Returns false according to fl_owner.
                                 // locks_delete_lock_ctx(fl, &dispose) and
                                 // locks_dispose_list won't be executed,
                                 // flock is not removed from lock list
         fput(filp)  // release filp
    3. Read /proc/locks
       seq_read
         locks_start  // Get flock from lock list
         locks_show
           lock_get_status
             file_inode(f->file)  // Access released file, UAF occurs!
    
    Fix it by passing current->files when req->work.files is uninitialized;
    because the io-sq thread shares the same files with the uring_fd task, it
    still works in SQPOLL mode.
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
    Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>