From: "Michal Koutný" <mkoutny@suse.com>
To: Jinmeng Zhou <jjjinmeng.zhou@gmail.com>
Cc: tj@kernel.org, lizefan@huawei.com, hannes@cmpxchg.org,
shenwenbosmile@gmail.com, cgroups@vger.kernel.org,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org
Subject: Re: A missing check bug in cgroup1_reconfigure()
Date: Fri, 17 Sep 2021 19:28:57 +0200 [thread overview]
Message-ID: <20210917172857.GB13346@blackbody.suse.cz> (raw)
In-Reply-To: <CAA-qYXjxht4+GhTjNb0xmr4dLQYDVpDbO1R_FDcWtnsrQC=VNQ@mail.gmail.com>
On Thu, Sep 16, 2021 at 03:33:49PM +0800, Jinmeng Zhou <jjjinmeng.zhou@gmail.com> wrote:
> Dear maintainers,
> hi, our team has found a missing check bug on Linux kernel v5.10.7
> using static analysis.
> There is a checking path where cgroup1_get_tree() calls cgroup1_root_to_use()
> to mount cgroup_root after checking capability.
> However, another no-checking path exists, cgroup1_reconfigure() calls
> trace_cgroup_remount()
> to remount without checking capability.
> We think there is a missing check bug before mounting cgroup_root in
> cgroup1_reconfigure().
Thanks for the report.
AFAICS, the callers of the fs_context_operations callbacks do the checks
themselves, therefore I _think_ even the check in cgroup1_get_tree() is
superfluous (see also commit 23bf1b6be9c2 ("kernfs, sysfs, cgroup,
intel_rdt: Support fs_context")).
But let me CC also VFS folks for confirmation (rest of the message
below).
> Specifically, cgroup1_get_tree() uses ns_capable(ctx->ns->user_ns,
> CAP_SYS_ADMIN) to check
> the permission before calling the critical function
> cgroup1_root_to_use() to mount.
>
> 1. // check ns_capable() ////////////////////////////
> 2. int cgroup1_get_tree(struct fs_context *fc)
> 3. {
> 4. struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
> 5. int ret;
> 6. /* Check if the caller has permission to mount. */
> 7. if (!ns_capable(ctx->ns->user_ns, CAP_SYS_ADMIN))
> 8. return -EPERM;
> 9. cgroup_lock_and_drain_offline(&cgrp_dfl_root.cgrp);
> 10. ret = cgroup1_root_to_use(fc);
> 11. ...
> 12. }
>
> trace_cgroup_remount() is called to remount cgroup_root in
> cgroup1_reconfigure().
> However, it lacks the check.
> 1. int cgroup1_reconfigure(struct fs_context *fc)
> 2. {
> 3. struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
> 4. struct kernfs_root *kf_root = kernfs_root_from_sb(fc->root->d_sb);
> 5. struct cgroup_root *root = cgroup_root_from_kf(kf_root);
> 6. int ret = 0;
> 7. u16 added_mask, removed_mask;
> 8. ...
> 9. trace_cgroup_remount(root);
> 10. ...
> 11. }
>
> We find cgroup1_reconfigure() is only used in a variable initialization.
> Function cgroup1_get_tree() is also used in this initialization.
> Both functions are indirectly called which is hard to trace.
> We reasonably consider that the two functions can be equally reached
> by the user,
> therefore, there is a missing check bug.
> 1. static const struct fs_context_operations cgroup1_fs_context_ops = {
> 2. …
> 3. .get_tree = cgroup1_get_tree,
> 4. .reconfigure = cgroup1_reconfigure,
> 5. };
>
>
> Thanks!
>
>
> Best regards,
> Jinmeng Zhou
>
WARNING: multiple messages have this Message-ID (diff)
From: "Michal Koutný" <mkoutny@suse.com>
To: Jinmeng Zhou <jjjinmeng.zhou@gmail.com>
Cc: tj@kernel.org, lizefan@huawei.com, hannes@cmpxchg.org,
shenwenbosmile@gmail.com, cgroups@vger.kernel.org,
linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org
Subject: Re: A missing check bug in cgroup1_reconfigure()
Date: Fri, 17 Sep 2021 19:28:57 +0200 [thread overview]
Message-ID: <20210917172857.GB13346@blackbody.suse.cz> (raw)
In-Reply-To: <CAA-qYXjxht4+GhTjNb0xmr4dLQYDVpDbO1R_FDcWtnsrQC=VNQ@mail.gmail.com>
On Thu, Sep 16, 2021 at 03:33:49PM +0800, Jinmeng Zhou <jjjinmeng.zhou@gmail.com> wrote:
> Dear maintainers,
> hi, our team has found a missing check bug on Linux kernel v5.10.7
> using static analysis.
> There is a checking path where cgroup1_get_tree() calls cgroup1_root_to_use()
> to mount cgroup_root after checking capability.
> However, another no-checking path exists, cgroup1_reconfigure() calls
> trace_cgroup_remount()
> to remount without checking capability.
> We think there is a missing check bug before mounting cgroup_root in
> cgroup1_reconfigure().
Thanks for the report.
AFAICS, the callers of the fs_context_operations callbacks do the checks
themselves, therefore I _think_ even the check in cgroup1_get_tree() is
superfluous (see also commit 23bf1b6be9c2 ("kernfs, sysfs, cgroup,
intel_rdt: Support fs_context")).
But let me CC also VFS folks for confirmation (rest of the message
below).
> Specifically, cgroup1_get_tree() uses ns_capable(ctx->ns->user_ns,
> CAP_SYS_ADMIN) to check
> the permission before calling the critical function
> cgroup1_root_to_use() to mount.
>
> 1. // check ns_capable() ////////////////////////////
> 2. int cgroup1_get_tree(struct fs_context *fc)
> 3. {
> 4. struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
> 5. int ret;
> 6. /* Check if the caller has permission to mount. */
> 7. if (!ns_capable(ctx->ns->user_ns, CAP_SYS_ADMIN))
> 8. return -EPERM;
> 9. cgroup_lock_and_drain_offline(&cgrp_dfl_root.cgrp);
> 10. ret = cgroup1_root_to_use(fc);
> 11. ...
> 12. }
>
> trace_cgroup_remount() is called to remount cgroup_root in
> cgroup1_reconfigure().
> However, it lacks the check.
> 1. int cgroup1_reconfigure(struct fs_context *fc)
> 2. {
> 3. struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
> 4. struct kernfs_root *kf_root = kernfs_root_from_sb(fc->root->d_sb);
> 5. struct cgroup_root *root = cgroup_root_from_kf(kf_root);
> 6. int ret = 0;
> 7. u16 added_mask, removed_mask;
> 8. ...
> 9. trace_cgroup_remount(root);
> 10. ...
> 11. }
>
> We find cgroup1_reconfigure() is only used in a variable initialization.
> Function cgroup1_get_tree() is also used in this initialization.
> Both functions are indirectly called which is hard to trace.
> We reasonably consider that the two functions can be equally reached
> by the user,
> therefore, there is a missing check bug.
> 1. static const struct fs_context_operations cgroup1_fs_context_ops = {
> 2. …
> 3. .get_tree = cgroup1_get_tree,
> 4. .reconfigure = cgroup1_reconfigure,
> 5. };
>
>
> Thanks!
>
>
> Best regards,
> Jinmeng Zhou
>
next prev parent reply other threads:[~2021-09-17 17:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-16 7:33 A missing check bug in cgroup1_reconfigure() Jinmeng Zhou
2021-09-16 7:33 ` Jinmeng Zhou
2021-09-17 17:28 ` Michal Koutný [this message]
2021-09-17 17:28 ` Michal Koutný
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210917172857.GB13346@blackbody.suse.cz \
--to=mkoutny@suse.com \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=jjjinmeng.zhou@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=shenwenbosmile@gmail.com \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.