fs: fix UAF/GPF bug in nilfs_mdt_destroy

PlaidCat · PlaidCat · commit 3c89a41b34a2 · 2025-11-11T06:01:41.000-05:00
jira LE-4704 cve CVE-2022-50367 Rebuild_History Non-Buildable kernel-4.18.0-553.83.1.el8_10 commit-author Dongliang Mu <mudongliangabcd@gmail.com> commit 2e488f1 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/2e488f13.failed In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com> Reported-by: Hao Sun <sunhao.th@gmail.com> Reported-by: Jiacheng Xu <stitch@zju.edu.cn> Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> (cherry picked from commit 2e488f1) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/inode.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/2e488f13.failed b/ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/2e488f13.failed
@@ -0,0 +1,54 @@
+fs: fix UAF/GPF bug in nilfs_mdt_destroy
+
+jira LE-4704
+cve CVE-2022-50367
+Rebuild_History Non-Buildable kernel-4.18.0-553.83.1.el8_10
+commit-author Dongliang Mu <mudongliangabcd@gmail.com>
+commit 2e488f13755ffbb60f307e991b27024716a33b29
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.83.1.el8_10/2e488f13.failed
+
+In alloc_inode, inode_init_always() could return -ENOMEM if
+security_inode_alloc() fails, which causes inode->i_private
+uninitialized. Then nilfs_is_metadata_file_inode() returns
+true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
+which frees the uninitialized inode->i_private
+and leads to crashes(e.g., UAF/GPF).
+
+Fix this by moving security_inode_alloc just prior to
+this_cpu_inc(nr_inodes)
+
+Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
+	Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+	Reported-by: Hao Sun <sunhao.th@gmail.com>
+	Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
+	Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+	Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+	Cc: Al Viro <viro@zeniv.linux.org.uk>
+	Cc: stable@vger.kernel.org
+	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+(cherry picked from commit 2e488f13755ffbb60f307e991b27024716a33b29)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/inode.c
+diff --cc fs/inode.c
+index 024853e8ceb1,5559a2983341..000000000000
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@@ -166,10 -192,6 +166,13 @@@ int inode_init_always(struct super_bloc
+  	inode->i_wb_frn_history = 0;
+  #endif
+  
+++<<<<<<< HEAD
+ +	inode->rh_reserved2 = 0;
+ +
+ +	if (security_inode_alloc(inode))
+ +		goto out;
+++=======
+++>>>>>>> 2e488f13755f (fs: fix UAF/GPF bug in nilfs_mdt_destroy)
+  	spin_lock_init(&inode->i_lock);
+  	lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
+  
+* Unmerged path fs/inode.c
