Re: [PATCH next] fs/9p: fix uaf in in v9fs_stat2inode_dotl

From: Alexei Starovoitov
Date: Wed Mar 27 2024 - 15:02:34 EST


On Wed, Mar 27, 2024 at 11:53 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Fri, 22 Mar 2024 08:13:12 -0700 Jakub Kicinski wrote:
> > On Fri, 22 Mar 2024 14:26:07 +0000 Eric Van Hensbergen wrote:
> > > Patch is in the unapplied portion of my for-next tree along with
> > > another one. I was hoping to hear some feedback on the other one
> > > before I did a pull request and was torn on whether or not I wait on
> > > -rc1 to send since we are so close.
> >
> > My guess would be that quite a few folks use 9p for in-VM kernel
> > testing. Real question is how many actually update their work tree
> > before -rc1 or even -rc2, given the anticipated merge window code
> > instability... so maybe there's no extreme urgency?
> >
> > From netdev's perspective, FWIW, it'd be great if the fix reached
> > Linux before Thursday, which is when we will forward our tree again.
>
> Any progress on getting the fix to Linus? I didn't spot it getting
> merged.
>
> I'm a bit surprised there aren't more people complaining TBH
> I'd have thought any CI setup with KASAN enabled has a good
> chance of hitting this..

The proposed fix is a no-brainer:
https://lore.kernel.org/all/20240202121531.2550018-1-lizhi.xu@xxxxxxxxxxxxx/

+ v9fs_stat2inode_dotl(st, inode, 0);
kfree(st);
if (retval)
goto error;

- v9fs_stat2inode_dotl(st, inode, 0);
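
Review bot: moving `v9fs_stat2inode_dotl(st, inode, 0);` above `kfree(st);` removes the use-after-free, but it also moves the call ahead of the `if (retval) goto error;` check, so `st` is now copied into the inode even when `retval` is non-zero and the error path is taken. If the error path discards the inode anyway, say so in the commit message; otherwise keep the call conditional by freeing `st` on both sides of the check instead, e.g. `if (retval) { kfree(st); goto error; }` followed by the `v9fs_stat2inode_dotl()` call and `kfree(st);`. The subject line also carries a doubled word, "fix uaf in in v9fs_stat2inode_dotl".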

Please ship it to Linus asap.
I'm surprised this bug slipped through.

It does affect bpf developers and our CI, since we run with KASAN and use 9P.