| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Y0LITEA/22Z7YVSa@cae.in-ulm.de>
Date: Sun, 9 Oct 2022 15:10:36 +0200
From: "Christian A. Ehrhardt" <lk@...e.de>
To: Christian Brauner <brauner@...nel.org>
Cc: Tejun Heo <tj@...nel.org>,
syzbot <syzbot+534ee3d24c37c411f37f@...kaller.appspotmail.com>,
gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
Yosry Ahmed <yosryahmed@...gle.com>
Subject: [PATCH] cgroup: Fix crash with CLONE_INTO_CGROUP and v1 cgroups
Since commit f3a2aebdd6, Version 1 cgroups no longer cause an
error when used with CLONE_INTO_CGROUP. However, the permission
checks performed during clone assume a Version 2 cgroup.
Restore the error check for V1 cgroups in the clone() path.
Reported-by: syzbot+534ee3d24c37c411f37f@...kaller.appspotmail.com
Link: https://lore.kernel.org/lkml/000000000000385cbf05ea3f1862@google.com/
Fixes: f3a2aebdd6 ("cgroup: enable cgroup_get_from_file() on cgroup1")
Signed-off-by: Christian A. Ehrhardt <lk@...e.de>
---
kernel/cgroup/cgroup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index b6e3110b3ea7..f7fc3afa88c1 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6244,6 +6244,11 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
goto err;
}
+ if (!cgroup_on_dfl(dst_cgrp)) {
+ ret = -EBADF;
+ goto err;
+ }
+
if (cgroup_is_dead(dst_cgrp)) {
ret = -ENODEV;
goto err;
--
2.34.1
Powered by blists - more mailing lists