lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAOQ4uxhAB4=kp4NSw=hs0S1HyPFcL3FTGkMgoTuxRSa8eu1n+g@mail.gmail.com>
Date: Fri, 7 Feb 2025 13:42:50 +0100
From: Amir Goldstein <amir73il@...il.com>
To: Lizhi Xu <lizhi.xu@...driver.com>
Cc: syzbot+62dfea789a2cedac1298@...kaller.appspotmail.com, 
	linux-kernel@...r.kernel.org, linux-unionfs@...r.kernel.org, 
	miklos@...redi.hu, syzkaller-bugs@...glegroups.com, 
	Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH] fs: prevent access to ns if it is not mounted

On Fri, Feb 7, 2025 at 8:13 AM Lizhi Xu <lizhi.xu@...driver.com> wrote:
>
> syzbot reported a null ptr deref in clone_private_mount. [1]
>
> The mnt_ns member should be accessed after confirming that it has been mounted.
>
> [1]
> KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
> CPU: 0 UID: 0 PID: 5834 Comm: syz-executor772 Not tainted 6.14.0-rc1-next-20250206-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> RIP: 0010:is_anon_ns fs/mount.h:159 [inline]
> RIP: 0010:clone_private_mount+0x184/0x3e0 fs/namespace.c:2425

The splat beyond this point is mainly noise I think and referencing [1] is also
a bit weird in the context of this short message

> Reported-by: syzbot+62dfea789a2cedac1298@...kaller.appspotmail.com

Missing:
Fixes: ae63304102ecd ("fs: allow detached mounts in clone_private_mount()")

> Closes: https://syzkaller.appspot.com/bug?extid=62dfea789a2cedac1298
> Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
> ---
>  fs/namespace.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 1314f11ed961..8e2ff3dbab58 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2421,6 +2421,9 @@ struct vfsmount *clone_private_mount(const struct path *path)
>                 if (!check_mnt(old_mnt))
>                         return ERR_PTR(-EINVAL);
>         } else {
> +               if (!is_mounted(&old_mnt->mnt))
> +                       return ERR_PTR(-EINVAL);
> +
>                 /* Make sure this isn't something purely kernel internal. */
>                 if (!is_anon_ns(old_mnt->mnt_ns))
>                         return ERR_PTR(-EINVAL);

Do we still need the second check if we have the first one?

Thanks,
Amir.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ