Re: [PATCH] epoll: Fix UAF dentry name access in wakeup source setup

From: Al Viro
Date: Tue Apr 28 2020 - 22:46:58 EST


On Wed, Apr 29, 2020 at 04:31:04AM +0200, Jann Horn wrote:

> I'm guessing this will go through akpm's tree?
>
> fs/eventpoll.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index 8c596641a72b0..5052a41670479 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -1450,7 +1450,7 @@ static int reverse_path_check(void)
>
> static int ep_create_wakeup_source(struct epitem *epi)
> {
> - const char *name;
> + struct name_snapshot name;
> struct wakeup_source *ws;
>
> if (!epi->ep->ws) {
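Review bot: Changing `name` from `const char *` to a stack `struct name_snapshot` makes the variable only meaningful between take_dentry_name_snapshot() and release_dentry_name_snapshot(); a one-line comment on the declaration saying so would help later readers, and since this hunk adds no include, it is worth confirming that fs/eventpoll.c already pulls in linux/dcache.h, where struct name_snapshot and the two snapshot helpers are declared.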
> @@ -1459,8 +1459,9 @@ static int ep_create_wakeup_source(struct epitem *epi)
> return -ENOMEM;
> }
>
> - name = epi->ffd.file->f_path.dentry->d_name.name;
> - ws = wakeup_source_register(NULL, name);
> + take_dentry_name_snapshot(&name, epi->ffd.file->f_path.dentry);
> + ws = wakeup_source_register(NULL, name.name.name);
> + release_dentry_name_snapshot(&name);
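Review bot: The snapshot is released immediately after the registration call returns (`ws = wakeup_source_register(NULL, name.name.name);` followed by `release_dentry_name_snapshot(&name);`), so the fix is only correct if wakeup_source_register() copies the string rather than retaining the pointer it was handed; the commit message should state that explicitly, because if the callee kept the pointer, `ws` would now reference memory that is freed as soon as the snapshot is released, trading one use-after-free for another. A second point, as the reply below raises: even with a copy, the name reflects the dentry at the moment of the snapshot and can be stale by the time the wakeup source is used, so the change should say what the name is needed for and whether that staleness matters.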

I'm not sure I like it. Sure, it won't get freed under you that way; it still
can go absolutely stale by the time you return from wakeup_source_register().
What is it being used for?