lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250211-work-acct-v1-0-1c16aecab8b3@kernel.org>
Date: Tue, 11 Feb 2025 18:15:58 +0100
From: Christian Brauner <brauner@...nel.org>
To: Zicheng Qu <quzicheng@...wei.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Christian Brauner <brauner@...nel.org>,
	jlayton@...nel.org,
	axboe@...nel.dk,
	joel.granados@...nel.org,
	tglx@...utronix.de,
	viro@...iv.linux.org.uk,
	hch@....de,
	len.brown@...el.com,
	pavel@....cz,
	pengfei.xu@...el.com,
	rafael@...nel.org,
	tanghui20@...wei.com,
	zhangqiao22@...wei.com,
	judy.chenhui@...wei.com,
	linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com,
	linux-pm@...r.kernel.org,
	stable@...r.kernel.org
Subject: [PATCH 0/2] acct: don't allow access to internal filesystems

In [1] it was reported that the acct(2) system call can be used to
trigger a NULL deref in cases where it is set to write to a file that
triggers an internal lookup.

This can e.g., happen when pointing acct(2) to /sys/power/resume. At the
point the where the write to this file happens the calling task has
already exited and called exit_fs() but an internal lookup might be
triggered through lookup_bdev(). This may trigger a NULL-deref
when accessing current->fs.

This series does two things:

- Reorganize the code so that the the final write happens from the
  workqueue but with the caller's credentials. This preserves the
  (strange) permission model and has almost no regression risk.

- Block access to kernel internal filesystems as well as procfs and
  sysfs in the first place.

This api should stop to exist imho.

Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1]

Signed-off-by: Christian Brauner <brauner@...nel.org>
---
Christian Brauner (2):
      acct: perform last write from workqueue
      acct: block access to kernel internal filesystems

 kernel/acct.c | 134 ++++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 84 insertions(+), 50 deletions(-)
---
base-commit: af69e27b3c8240f7889b6c457d71084458984d8e
change-id: 20250211-work-acct-a6d8e92a5fe0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ