| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Sep 2014 12:24:24 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Jan Kara <jack@...e.cz>,
Douglas Leeder <douglas.leeder@...hos.com>,
Heinrich Schuchard <xypron.glpk@....de>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH 3.16 025/158] fanotify: fix double free of pending permission events
3.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@...e.cz>
commit 5838d4442bd5971687b72221736222637e03140d upstream.
Commit 85816794240b ("fanotify: Fix use after free for permission
events") introduced a double free issue for permission events which are
pending in group's notification queue while group is being destroyed.
These events are freed from fanotify_handle_event() but they are not
removed from groups notification queue and thus they get freed again
from fsnotify_flush_notify().
Fix the problem by removing permission events from notification queue
before freeing them if we skip processing access response. Also expand
comments in fanotify_release() to explain group shutdown in detail.
Fixes: 85816794240b9659e66e4d9b0df7c6e814e5f603
Signed-off-by: Jan Kara <jack@...e.cz>
Reported-by: Douglas Leeder <douglas.leeder@...hos.com>
Tested-by: Douglas Leeder <douglas.leeder@...hos.com>
Reported-by: Heinrich Schuchard <xypron.glpk@....de>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
fs/notify/fanotify/fanotify.c | 9 ++++++++-
fs/notify/fanotify/fanotify_user.c | 12 ++++++++++++
fs/notify/notification.c | 18 +++++++++++++++++-
include/linux/fsnotify_backend.h | 2 ++
4 files changed, 39 insertions(+), 2 deletions(-)
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -70,8 +70,15 @@ static int fanotify_get_response(struct
wait_event(group->fanotify_data.access_waitq, event->response ||
atomic_read(&group->fanotify_data.bypass_perm));
- if (!event->response) /* bypass_perm set */
+ if (!event->response) { /* bypass_perm set */
+ /*
+ * Event was canceled because group is being destroyed. Remove
+ * it from group's event list because we are responsible for
+ * freeing the permission event.
+ */
+ fsnotify_remove_event(group, &event->fae.fse);
return 0;
+ }
/* userspace responded, convert to something usable */
switch (event->response) {
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -359,6 +359,11 @@ static int fanotify_release(struct inode
#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
struct fanotify_perm_event_info *event, *next;
+ /*
+ * There may be still new events arriving in the notification queue
+ * but since userspace cannot use fanotify fd anymore, no event can
+ * enter or leave access_list by now.
+ */
spin_lock(&group->fanotify_data.access_lock);
atomic_inc(&group->fanotify_data.bypass_perm);
@@ -373,6 +378,13 @@ static int fanotify_release(struct inode
}
spin_unlock(&group->fanotify_data.access_lock);
+ /*
+ * Since bypass_perm is set, newly queued events will not wait for
+ * access response. Wake up the already sleeping ones now.
+ * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+ * processes sleeping in fanotify_handle_event() waiting for access
+ * response and thus also for all permission events to be freed.
+ */
wake_up(&group->fanotify_data.access_waitq);
#endif
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -73,7 +73,8 @@ void fsnotify_destroy_event(struct fsnot
/* Overflow events are per-group and we don't want to free them */
if (!event || event->mask == FS_Q_OVERFLOW)
return;
-
+ /* If the event is still queued, we have a problem... */
+ WARN_ON(!list_empty(&event->list));
group->ops->free_event(event);
}
@@ -125,6 +126,21 @@ queue:
}
/*
+ * Remove @event from group's notification queue. It is the responsibility of
+ * the caller to destroy the event.
+ */
+void fsnotify_remove_event(struct fsnotify_group *group,
+ struct fsnotify_event *event)
+{
+ mutex_lock(&group->notification_mutex);
+ if (!list_empty(&event->list)) {
+ list_del_init(&event->list);
+ group->q_len--;
+ }
+ mutex_unlock(&group->notification_mutex);
+}
+
+/*
* Remove and return the first event from the notification list. It is the
* responsibility of the caller to destroy the obtained event
*/
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -326,6 +326,8 @@ extern int fsnotify_add_notify_event(str
struct fsnotify_event *event,
int (*merge)(struct list_head *,
struct fsnotify_event *));
+/* Remove passed event from groups notification queue */
+extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
/* true if the group notification queue is empty */
extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
/* return, but do not dequeue the first event on the notification queue */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists