acrn-kernel/fs/overlayfs
Zhihao Cheng 53dd2ca2c0 ovl: fix null pointer dereference in ovl_permission()
commit 1a73f5b8f0 upstream.

Following process:
          P1                     P2
 path_lookupat
  link_path_walk
   inode_permission
    ovl_permission
      ovl_i_path_real(inode, &realpath)
        path->dentry = ovl_i_dentry_upper(inode)
                          drop_cache
			   __dentry_kill(ovl_dentry)
		            iput(ovl_inode)
		             ovl_destroy_inode(ovl_inode)
		              dput(oi->__upperdentry)
		               dentry_kill(upperdentry)
		                dentry_unlink_inode
				 upperdentry->d_inode = NULL
      realinode = d_inode(realpath.dentry) // return NULL
      inode_permission(realinode)
       inode->i_sb  // NULL pointer dereference
, will trigger an null pointer dereference at realinode:
  [  335.664979] BUG: kernel NULL pointer dereference,
                 address: 0000000000000002
  [  335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
  [  335.669956] RIP: 0010:inode_permission+0x33/0x2c0
  [  335.678939] Call Trace:
  [  335.679165]  <TASK>
  [  335.679371]  ovl_permission+0xde/0x320
  [  335.679723]  inode_permission+0x15e/0x2c0
  [  335.680090]  link_path_walk+0x115/0x550
  [  335.680771]  path_lookupat.isra.0+0xb2/0x200
  [  335.681170]  filename_lookup+0xda/0x240
  [  335.681922]  vfs_statx+0xa6/0x1f0
  [  335.682233]  vfs_fstatat+0x7b/0xb0

Fetch a reproducer in [Link].

Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=217405
Fixes: 4b7791b2e9 ("ovl: handle idmappings in ovl_permission()")
Cc: <stable@vger.kernel.org> # v5.19
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Suggested-by: Christian Brauner <brauner@kernel.org>
Suggested-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-03 10:23:47 +02:00
..
Kconfig
Makefile
copy_up.c ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
dir.c ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
export.c ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
file.c
inode.c ovl: fix null pointer dereference in ovl_permission() 2023-08-03 10:23:47 +02:00
namei.c ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
overlayfs.h ovl: let helper ovl_i_path_real() return the realinode 2023-07-23 13:49:28 +02:00
ovl_entry.h ovl: check type and offset of struct vfsmount in ovl_entry 2023-07-27 08:50:32 +02:00
readdir.c
super.c ovl: update of dentry revalidate flags after copy up 2023-07-19 16:21:33 +02:00
util.c ovl: let helper ovl_i_path_real() return the realinode 2023-07-23 13:49:28 +02:00