[PATCH OLK-5.10] ovl: fix general protection fault in security_inode_getattr

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICP68T -------------------------------- When mounting overlay with "metacopy=on", if lowerdir contains a file A: 1) Thread p1 executes ln A B (creates a hard link to file A as B); 2) Thread p2 simultaneously opens file B; then a UAF issue can occur due to concurrency. p1 p2 sys_open ovl_lookup B ovl_alloc_entry oe->numlower = 0 ln A B ovl_link ovl_open ovl_maybe_copy_up ovl_open_need_copy_up ovl_already_copied_up ovl_dentry_needs_data_copy_up ovl_has_upperdata // false as metacopy=on ovl_copy_up_flags ovl_copy_up_one ovl_path_lower path = {} vfs_getattr(path, xxx) security_inode_getattr(path) ...path->dentry... ----------null-ptr-deref!!! To resolve this issue, add a check in ovl_copy_up_one(). If lowerpath does not exist, return an error immediately. Fixes: 0c2888749363 ("ovl: A new xattr OVL_XATTR_METACOPY for file on upper") Signed-off-by: Zizhi Wo <wozizhi@huawei.com> --- fs/overlayfs/copy_up.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index a1ec45fc77d8..4324d84ac1d7 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -879,6 +879,12 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry, return -EROFS; ovl_path_lower(dentry, &ctx.lowerpath); + + if (unlikely(!ctx.lowerpath.dentry)) { + pr_err("prevention GPF in security_inode_getattr()\n"); + return -EIO; + } + err = vfs_getattr(&ctx.lowerpath, &ctx.stat, STATX_BASIC_STATS, AT_STATX_SYNC_AS_STAT); if (err) -- 2.46.1
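Review bot: The pr_err() in the new `!ctx.lowerpath.dentry` branch of ovl_copy_up_one() is not rate limited, and its text ("prevention GPF in security_inode_getattr()") does not say which dentry hit the condition or what state was detected. The commit message describes the trigger as an ordinary `ln A B` racing with an open of B, so this branch can be reached repeatedly from user space and fill the log. Consider pr_warn_ratelimited() with the dentry name (for example "%pd2") and a message that describes the condition, such as a missing lower path at copy-up. The check also only guards the copy-up call site: per the trace in the commit message, the entry was created with oe->numlower = 0 and ovl_has_upperdata() returned false, so the open of B now fails with -EIO. A short comment above the check explaining why an empty lower path can legitimately be seen here would help later readers. Finally, the commit message calls this a UAF, while the subject and the trace show a general protection fault from a NULL path->dentry; the wording should be made consistent.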

Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/17315
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/H4X...