lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250207-radikal-radio-f968e6a4bab2@brauner>
Date: Fri, 7 Feb 2025 13:50:28 +0100
From: Christian Brauner <brauner@...nel.org>
To: Amir Goldstein <amir73il@...il.com>
Cc: Lizhi Xu <lizhi.xu@...driver.com>, 
	syzbot+62dfea789a2cedac1298@...kaller.appspotmail.com, linux-kernel@...r.kernel.org, linux-unionfs@...r.kernel.org, 
	miklos@...redi.hu, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] fs: prevent access to ns if it is not mounted

On Fri, Feb 07, 2025 at 01:42:50PM +0100, Amir Goldstein wrote:
> On Fri, Feb 7, 2025 at 8:13 AM Lizhi Xu <lizhi.xu@...driver.com> wrote:
> >
> > syzbot reported a null ptr deref in clone_private_mount. [1]
> >
> > The mnt_ns member should be accessed after confirming that it has been mounted.
> >
> > [1]
> > KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
> > CPU: 0 UID: 0 PID: 5834 Comm: syz-executor772 Not tainted 6.14.0-rc1-next-20250206-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> > RIP: 0010:is_anon_ns fs/mount.h:159 [inline]
> > RIP: 0010:clone_private_mount+0x184/0x3e0 fs/namespace.c:2425
> 
> The splat beyond this point is mainly noise I think and referencing [1] is also
> a bit weird in the context of this short message
> 
> > Reported-by: syzbot+62dfea789a2cedac1298@...kaller.appspotmail.com
> 
> Missing:
> Fixes: ae63304102ecd ("fs: allow detached mounts in clone_private_mount()")
> 
> > Closes: https://syzkaller.appspot.com/bug?extid=62dfea789a2cedac1298
> > Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
> > ---
> >  fs/namespace.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/namespace.c b/fs/namespace.c
> > index 1314f11ed961..8e2ff3dbab58 100644
> > --- a/fs/namespace.c
> > +++ b/fs/namespace.c
> > @@ -2421,6 +2421,9 @@ struct vfsmount *clone_private_mount(const struct path *path)
> >                 if (!check_mnt(old_mnt))
> >                         return ERR_PTR(-EINVAL);
> >         } else {
> > +               if (!is_mounted(&old_mnt->mnt))
> > +                       return ERR_PTR(-EINVAL);
> > +
> >                 /* Make sure this isn't something purely kernel internal. */
> >                 if (!is_anon_ns(old_mnt->mnt_ns))
> >                         return ERR_PTR(-EINVAL);
> 
> Do we still need the second check if we have the first one?

Yes, is_mounted() checks whether this is NULL or ERR_PTR(-EINVAL) and
is_anon_ns() checks for null mntns->seq.

I'll fold this fix referencing it in the commit message.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ