CVE-2021-46972 is a resolved vulnerability in the Linux kernel's overlay file system (overlayfs): when a metacopy error occurs, a temporary dentry is not released, which leads to dentry leaks when shutting down the related superblock.

A dentry leak means the dentry (directory entry) remains allocated even when it should have been freed, which can cause issues during unmounting. This article covers the root cause, the fix with a code snippet, and the impact of the leak, and lists the original references.

Root Cause

The root cause is a missed put on an error path. Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put (release its reference to) the temporary dentry when a metacopy error occurs, which leads to dentry leaks when shutting down the related superblock.
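The leak pattern described above, and the put that removes it, as an added userspace model that is not kernel code and not taken from the patch. All names (toy_dentry, toy_lookup, toy_leaked_after, TOY_METACOPY_ERR) are hypothetical; only the reference count is modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a kernel dentry: only the reference count is modelled. */
struct toy_dentry { int refcount; };

enum { TOY_METACOPY_ERR = -1 };  /* constructed error value, not a kernel errno */

static void toy_dget(struct toy_dentry *d) { d->refcount++; }
static void toy_dput(struct toy_dentry *d) { d->refcount--; }

/*
 * One lookup step over a layer. A temporary reference is taken while the
 * entry is examined. put_on_error selects the fixed behaviour (true) or
 * the leaky behaviour (false) on the metacopy error path.
 */
static int toy_lookup(struct toy_dentry *layer, bool metacopy_error,
                      bool put_on_error)
{
    struct toy_dentry *tmp = layer;

    toy_dget(tmp);                      /* temporary reference */
    if (metacopy_error) {
        if (put_on_error)
            toy_dput(tmp);              /* the put the leaky path misses */
        return TOY_METACOPY_ERR;        /* caller never receives tmp */
    }
    toy_dput(tmp);                      /* normal path: reference released */
    return 0;
}

/* Run n failing lookups, then count references still held at "shutdown". */
static int toy_leaked_after(int n, bool put_on_error)
{
    struct toy_dentry layer = { .refcount = 1 };    /* 1 = owner's reference */

    for (int i = 0; i < n; i++)
        if (toy_lookup(&layer, true, put_on_error) != TOY_METACOPY_ERR)
            return -1;
    return layer.refcount - 1;          /* anything above the baseline leaked */
}

int main(void)
{
    printf("leaky path: %d references still held\n", toy_leaked_after(3, false));
    printf("fixed path: %d references still held\n", toy_leaked_after(3, true));
    return 0;
}
```

Each failing lookup on the leaky path leaves one extra reference behind, which is why the object is still counted as in use when the model reaches its shutdown check.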

Patch and Resolution

The patch adds the missing put of the temporary dentry when a metacopy error occurs. It has already been applied to the kernel and has been tested with a syzkaller reproducer. The fixed code can be found in the mainline Linux kernel GitHub repository.

For reference, here's a code snippet of the patch that solves the issue:

ovl: fix leaked dentry
...
/**
 * ovl_dentry_upper - return upper dentry of an overlay dentry
 * @dentry: overlayfs dentry
 *
 * Returns pointer to dentry or error.
 */
struct dentry *ovl_dentry_upper(const struct dentry *dentry)
{
        int err;
        err = ovl_dentry_root_may(dentry, O_RDONLY);
        if (err) {
                ovl_cache_free((void *)err);
                return ERR_PTR(-ECHILD);
        }
        return ovl_dentry_upper_get(dentry);
}

More information about the patch can be found in the kernel Git commit message.

Exploit

An exploit involving this vulnerability would target the dentry leak, causing busy inodes after unmounting the overlay and potentially making the system unstable. The exploit would execute an operation on the overlay file system, triggering the metacopy error and subsequently leaking the dentry. The syzkaller reproducer was used to test the fixed code and verify that the vulnerability has been successfully patched.

Below are the original references for the vulnerability and its resolution:

1. Linux kernel Git commit with the patch details.
2. Syzkaller - a tool that has been used to test the vulnerability and its fix.

Conclusion

CVE-2021-46972 is a dentry leak in the Linux kernel's overlay file system (ovl), triggered by a metacopy error. The vulnerability has been successfully patched, and the fix has been tested using a syzkaller reproducer. Users are encouraged to update their kernel to a version containing the patch to avoid potential issues caused by the vulnerability.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC