Two bug fix commit fixes in the ubi_resize_volume() were fixed by a patch in the mailing list

Zhihao Cheng chengzhihao1 at huawei.com
Sun Apr 2 20:55:38 PDT 2023


Hi,
> Hi
>
> Mainline fix commits 1e591ea072df ("ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()") and 9af31d6ec1a4 ("ubi: Fix use-after-free when volume resizing failed") involve fixing memory security issues, which were fixed by a patch [1] ("ubi: fix slab-out-of-bounds in ubi_eba_get_ldesc+0xfb/0x130") that was on the mailing list in 2022. In addition to fixing the race issue, I think this fix keeping old_eba_tbl might be a better solution to the UAF problem.
>
> I'd like to know why patch [1] didn't get into the mainline.
>
> [1] http://patchwork.ozlabs.org/project/linux-mtd/patch/20220124024056.1996763-1-guoxuenan@huawei.com/

I find there were three problems in ubi_resize_volume():

1. Memleak - fixed by 1e591ea072df ("ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()")
2. UAF in error handling path - fixed by 9af31d6ec1a4 ("ubi: Fix use-after-free when volume resizing failed")
3. UAF in concurrent shrinking volume and writing fastmap (vol->reserved_pebs iteration) - fixed by [1]
4. Potential data loss in failed shrinking (failed after unmapping lebs) - mentioned in [1], which is not a big problem, we can add some comments to explain it.
5. Too many lebs used if expanding volume failed after [1] applied:
   If we update vol->reserved_pebs together with vol->eba_tbl, then other writing processes could take an lnum bigger than the old vol->reserved_pebs. There will be zombie logical pebs (lnum greater than vol->reserved_pebs, could not be accessed or reclaimed) if resizing failed.
   Maybe we should fix that by holding 'leb_write_lock' while expanding volume?
6. In error handling path 'out_acc', UBI should recover 'ubi->rsvd_pebs' and 'ubi->avail_pebs' in 'pebs > 0' case, otherwise UBI will display wrong available peb count.

Richard, what do you think?

[1] http://patchwork.ozlabs.org/project/linux-mtd/patch/20220124024056.1996763-1-guoxuenan@huawei.com/


