Message-ID: <20201014204529.934574-1-andrii@kernel.org>
Date:   Wed, 14 Oct 2020 13:45:28 -0700
From:   Andrii Nakryiko <andrii@...nel.org>
To:     <viro@...iv.linux.org.uk>, <linux-fsdevel@...r.kernel.org>
CC:     <torvalds@...ux-foundation.org>, <kernel-team@...com>,
        Andrii Nakryiko <andrii@...nel.org>,
        <linux-kernel@...r.kernel.org>
Subject: [PATCH] fs: fix NULL dereference due to data race in prepend_path()

Fix data race in prepend_path() with re-reading mnt->mnt_ns twice without
holding the lock. is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns)
might re-read the pointer again which could be NULL already, if in between
reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets mnt->mnt_ns
to NULL.

This is seen in production with the following stack trace:

[22942.418012] BUG: kernel NULL pointer dereference, address: 0000000000000048
...
[22942.976884] RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0
[22943.037706] Code: 89 c6 e9 0d ff ff ff 49 8b 85 c0 00 00 00 48 85 c0 0f 84 9d 00 00 00 48 3d 00 f0 ff ff 0f 87 91 00 00 00 49 8b 86 e0 00 00 00 <48> 83 78 48 00 0f 94 c0 0f b6 c0 83 c0 01 e9 3b ff ff ff 39 0d 29
[22943.264141] RSP: 0018:ffffc90020d6fd98 EFLAGS: 00010283
[22943.327058] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000007e5ee
[22943.413041] RDX: ffff889fb56ac0c0 RSI: ffffffd05dc8147e RDI: ffff88b1f845ab7b
[22943.499015] RBP: ffff889fbf8100c0 R08: ffffc90020d6fe30 R09: ffffc90020d6fe2c
[22943.584992] R10: ffffc90020d6fe2c R11: ffffea00095836c0 R12: ffffc90020d6fe30
[22943.670968] R13: ffff88b7d336bea0 R14: ffff88b7d336be80 R15: ffff88aeb78db980
[22943.756944] FS:  00007f228447e980(0000) GS:ffff889fc00c0000(0000) knlGS:0000000000000000
[22943.854448] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[22943.923653] CR2: 0000000000000048 CR3: 0000001ed235e001 CR4: 00000000007606e0
[22944.009630] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[22944.095604] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[22944.181581] PKRU: 55555554
[22944.214100] Call Trace:
[22944.243485]  d_path+0xe6/0x150
[22944.280202]  proc_pid_readlink+0x8f/0x100
[22944.328449]  vfs_readlink+0xf8/0x110
[22944.371456]  ? touch_atime+0x33/0xd0
[22944.414466]  do_readlinkat+0xfd/0x120
[22944.458522]  __x64_sys_readlinkat+0x1a/0x20
[22944.508868]  do_syscall_64+0x42/0x110
[22944.552928]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Cc: Alexander Viro <viro@...iv.linux.org.uk>
Cc: linux-fsdevel@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()")
Signed-off-by: Andrii Nakryiko <andrii@...nel.org>
---
 fs/d_path.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/d_path.c b/fs/d_path.c
index 0f1fc1743302..a69e2cd36e6e 100644
--- a/fs/d_path.c
+++ b/fs/d_path.c
@@ -102,6 +102,8 @@ static int prepend_path(const struct path *path,
 
 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
 			struct mount *parent = READ_ONCE(mnt->mnt_parent);
+			struct mnt_namespace *mnt_ns;
+
 			/* Escaped? */
 			if (dentry != vfsmnt->mnt_root) {
 				bptr = *buffer;
@@ -116,7 +118,9 @@ static int prepend_path(const struct path *path,
 				vfsmnt = &mnt->mnt;
 				continue;
 			}
-			if (is_mounted(vfsmnt) && !is_anon_ns(mnt->mnt_ns))
+			mnt_ns = READ_ONCE(mnt->mnt_ns);
+			/* open-coded is_mounted() to use local mnt_ns */
+			if (!IS_ERR_OR_NULL(mnt_ns) && !is_anon_ns(mnt_ns))
 				error = 1;	// absolute root
 			else
 				error = 2;	// detached or not attached yet
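Review bot: the open-coded `!IS_ERR_OR_NULL(mnt_ns)` test in the replaced condition now carries a private copy of the is_mounted() logic, which can drift if is_mounted() ever changes. Consider a small helper that takes the namespace pointer and is shared by is_mounted() and this site, so the value snapshotted by `READ_ONCE(mnt->mnt_ns)` is still checked by common code. The same shape, an is_mounted() check followed by a fresh `mnt->mnt_ns` dereference, is worth grepping for in other callers, since each one has the same window.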
-- 
2.24.1
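
The check-then-reload race described in the commit message, as an added user-space example that is not part of the original patch or the kernel source. The structs are a constructed model that borrows the kernel names, `concurrent_umount()` is a hypothetical hook that plays the part of the concurrent unmount deterministically, and the model checks only for NULL, not for error pointers.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed user-space model: these structs only borrow the kernel names.
 * Assumption of the model: seq == 0 marks an anonymous namespace. */
struct mnt_namespace { unsigned long seq; };
struct mount { _Atomic(struct mnt_namespace *) mnt_ns; };

/* Hypothetical hook standing in for kern_unmount()/umount_tree() running
 * on another CPU between two loads of mnt->mnt_ns. */
static void concurrent_umount(struct mount *mnt) { atomic_store(&mnt->mnt_ns, NULL); }

/* Pre-patch shape: one load for the NULL check, a second load for the use.
 * Returns 1 (absolute root), 2 (detached), or -1 where the second load
 * yields NULL and the kernel would fault on ns->seq. */
static int classify_double_read(struct mount *mnt, void (*race)(struct mount *))
{
    if (atomic_load(&mnt->mnt_ns) == NULL)      /* first read: mounted? */
        return 2;
    if (race)
        race(mnt);                              /* writer lands in the window */
    struct mnt_namespace *ns = atomic_load(&mnt->mnt_ns);  /* second read */
    if (ns == NULL)
        return -1;
    return ns->seq != 0 ? 1 : 2;
}

/* Patched shape: load once, then check and use only the local copy. */
static int classify_snapshot(struct mount *mnt, void (*race)(struct mount *))
{
    struct mnt_namespace *ns = atomic_load(&mnt->mnt_ns);  /* single read */
    if (race)
        race(mnt);                              /* cannot change ns any more */
    if (ns == NULL)
        return 2;
    return ns->seq != 0 ? 1 : 2;
}

int main(void)
{
    struct mnt_namespace ns = { .seq = 7 };     /* constructed sample value */
    struct mount m;
    atomic_init(&m.mnt_ns, &ns);
    printf("double read: %d\n", classify_double_read(&m, concurrent_umount));
    atomic_store(&m.mnt_ns, &ns);
    printf("snapshot:    %d\n", classify_snapshot(&m, concurrent_umount));
    return 0;
}
```

In the kernel the namespace object's lifetime is a separate concern; the model keeps it alive on the stack so that only the pointer re-read is exercised.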
