lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 4 Apr 2021 15:56:02 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     Jens Axboe <axboe@...nel.dk>,
        syzbot <syzbot+c88a7030da47945a3cc3@...kaller.appspotmail.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, io-uring@...r.kernel.org
Subject: Re: [syzbot] WARNING in mntput_no_expire (2)

On Sun, Apr 04, 2021 at 01:34:45PM +0200, Christian Brauner wrote:

> Sorry for not replying to your earlier mail but I've been debugging this
> too. My current theory is that it's related to LOOKUP_ROOT_GRABBED when
> LOOKUP_CACHED is specified _possibly_ with an interaction how
> create_io_thread() is created with CLONE_FS. The reproducer requires you
> either have called pivot_root() or chroot() in order for the failure to
> happen. So I think the fact that we skip legitimize_root() when
> LOOKUP_CACHED is set might figure into this. I can keep digging.
> 

> Funny enough I already placed a printk statement into the place you
> wanted one too so I just amended mine. Here's what you get:
> 
> If pivot pivot_root() is used before the chroot() you get:
> 
> [  637.464555] AAAA: count(-1) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(579) | dev(tmpfs)
> 
> if you only call chroot, i.e. make the pivot_root() branch a simple
> if (true) you get:
> 
> [  955.206117] AAAA: count(-2) | mnt_mntpoint(/) | mnt->mnt.mnt_root(/) | id(580) | dev(tmpfs)

Very interesting.  What happens if you call loop() twice?  And now I wonder
whether it's root or cwd, actually...  Hmm...

How about this:
	fd = open("/proc/self/mountinfo", 0);
	mkdir("./newroot/foo", 0777);
	mount("./newroot/foo", "./newroot/foo", 0, MS_BIND, NULL);
	chroot("./newroot");
	chdir("/foo");
	while (1) {
		static char buf[4096];
		int n = read(fd, buf, 4096);
		if (n <= 0)
			break;
		write(1, buf, n);
	}
	close(fd);
	drop_caps();
	loop();
as the end of namespace_sandbox_proc(), instead of
	chroot("./newroot");
	chdir("/");
	drop_caps();
	loop();
sequence we have there?

> The cat /proc/self/mountinfo is for the id(579) below:
... and it misses the damn thing, since we call it before the mount
in question had been created ;-/  So we'd probably be better off not
trying to be clever and just doing that as explicit (and completely
untested) read-write loop above.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ