| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191106072407.GU26530@ZenIV.linux.org.uk>
Date: Wed, 6 Nov 2019 07:24:07 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Thibaut Sautereau <thibaut@...tereau.fr>
Cc: Christian Brauner <christian.brauner@...ntu.com>,
dhowells@...hat.com, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
Christian Brauner <christian@...uner.io>,
cgroups@...r.kernel.org
Subject: Re: NULL pointer deref in put_fs_context with unprivileged LXC
On Tue, Nov 05, 2019 at 09:58:30PM +0100, Thibaut Sautereau wrote:
> > > BUG: kernel NULL pointer dereference, address: 0000000000000043
ERR_PTR(something)->d_sb, most likely.
> > > 493 if (fc->root) {
> > > 494 sb = fc->root->d_sb;
> > > 495 dput(fc->root);
> > > 496 fc->root = NULL;
> > > 497 deactivate_super(sb);
> > > 498 }
> fs_context: DEBUG: fc->root = fffffffffffffff3
> fs_context: DEBUG: fc->source = cgroup2
Yup. That'd be ERR_PTR(-13), i.e. ERR_PTR(-EACCES). Most likely
from
nsdentry = kernfs_node_dentry(cgrp->kn, sb);
dput(fc->root);
fc->root = nsdentry;
if (IS_ERR(nsdentry)) {
ret = PTR_ERR(nsdentry);
deactivate_locked_super(sb);
}
in cgroup_do_get_tree(). As a quick test, try to add fc->root = NULL;
next to that deactivate_locked_super(sb); inside the if (IS_ERR(...))
body and see if it helps; it's not the best way to fix it (I'd rather
go for
if (IS_ERR(nsdentry)) {
ret = PTR_ERR(nsdentry);
deactivate_locked_super(sb);
nsdentry = NULL;
}
fc->root = nsdentry;
), but it would serve to verify that this is the source of that crap.
Powered by blists - more mailing lists