lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200804203155.2181099-1-lokeshgidra@google.com>
Date:   Tue,  4 Aug 2020 13:31:55 -0700
From:   Lokesh Gidra <lokeshgidra@...gle.com>
To:     viro@...iv.linux.org.uk, stephen.smalley.work@...il.com,
        casey@...aufler-ca.com, jmorris@...ei.org
Cc:     kaleshsingh@...gle.com, dancol@...col.org, surenb@...gle.com,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        nnk@...gle.com, jeffv@...gle.com, calin@...gle.com,
        kernel-team@...roid.com, yanfei.xu@...driver.com,
        Lokesh Gidra <lokeshgidra@...gle.com>,
        syzbot+75867c44841cb6373570@...kaller.appspotmail.com
Subject: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC

when get_unused_fd_flags returns error, ctx will be freed by
userfaultfd's release function, which is indirectly called by fput().
Also, if anon_inode_getfile_secure() returns an error, then
userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx.

Also, the O_CLOEXEC was inadvertently added to the call to
get_unused_fd_flags() [1].

Adding Al Viro's suggested-by, based on [2].

[1] https://lore.kernel.org/lkml/1f69c0ab-5791-974f-8bc0-3997ab1d61ea@dancol.org/
[2] https://lore.kernel.org/lkml/20200719165746.GJ2786714@ZenIV.linux.org.uk/

Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
Suggested-by: Al Viro <viro@...iv.linux.org.uk>
Reported-by: syzbot+75867c44841cb6373570@...kaller.appspotmail.com
Signed-off-by: Lokesh Gidra <lokeshgidra@...gle.com>
---
 fs/userfaultfd.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index ae859161908f..e15eb8fdc083 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -2042,24 +2042,18 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
 		O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS),
 		NULL);
 	if (IS_ERR(file)) {
-		fd = PTR_ERR(file);
-		goto out;
+		userfaultfd_ctx_put(ctx);
+		return PTR_ERR(file);
 	}
 
-	fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+	fd = get_unused_fd_flags(O_RDONLY);
 	if (fd < 0) {
 		fput(file);
-		goto out;
+		return fd;
 	}
 
 	ctx->owner = file_inode(file);
 	fd_install(fd, file);
-
-out:
-	if (fd < 0) {
-		mmdrop(ctx->mm);
-		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
-	}
 	return fd;
 }
 
-- 
2.28.0.163.g6104cc2f0b6-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ