| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190629202744.12396-1-ebiggers@kernel.org>
Date: Sat, 29 Jun 2019 13:27:44 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: linux-fsdevel@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>
Cc: David Howells <dhowells@...hat.com>, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: [PATCH] vfs: move_mount: reject moving kernel internal mounts
From: Eric Biggers <ebiggers@...gle.com>
sys_move_mount() crashes by dereferencing the pointer MNT_NS_INTERNAL,
a.k.a. ERR_PTR(-EINVAL), if the old mount is specified by fd for a
kernel object with an internal mount, such as a pipe or memfd.
Fix it by checking for this case and returning -EINVAL.
Reproducer:
#include <unistd.h>
#define __NR_move_mount 429
#define MOVE_MOUNT_F_EMPTY_PATH 0x00000004
int main()
{
int fds[2];
pipe(fds);
syscall(__NR_move_mount, fds[0], "", -1, "/", MOVE_MOUNT_F_EMPTY_PATH);
}
Reported-by: syzbot+6004acbaa1893ad013f0@...kaller.appspotmail.com
Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around")
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
---
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 7660c2749c96..a7e5a44770a7 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2600,7 +2600,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
if (attached && !check_mnt(old))
goto out;
- if (!attached && !(ns && is_anon_ns(ns)))
+ if (!attached && !(ns && ns != MNT_NS_INTERNAL && is_anon_ns(ns)))
goto out;
if (old->mnt.mnt_flags & MNT_LOCKED)
--
2.22.0
Powered by blists - more mailing lists