ovl: fix use after free in struct ovl_aio_req (!2304) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Miklos Szeredi requested to merge mszeredi/centos-stream-9:bz2176161 into main Apr 04, 2023

Example for triggering use after free in a overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
	   * Here IO is completed in a separate thread,
	   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
	   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307 ("ovl: implement async IO routines")
Signed-off-by: yangerkun yangerkun@huawei.com
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: stable@vger.kernel.org # v5.6
Signed-off-by: Miklos Szeredi mszeredi@redhat.com
(cherry picked from commit 9a254403760041528bc8f69fe2f5e1ef86950991)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2176161
CVE: CVE-2023-1252
Signed-off-by: Miklos Szeredi mszeredi@redhat.com# Merge Request Required Information

ovl: fix use after free in struct ovl_aio_req

Merge request reports