From: Kees Cook <keescook@chromium.org>
To: Tycho Andersen <tycho@tycho.ws>, James Morris <jmorris@namei.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
syzbot <syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com>
Subject: Re: [PATCH] seccomp: fix UAF in user-trap code
Date: Sat, 12 Jan 2019 10:36:33 -0800 [thread overview]
Message-ID: <CAGXu5jJKeO_-Vy5sffQugBKy4z1W7KGwUAySz=MN9ZvMsYqKFw@mail.gmail.com> (raw)
In-Reply-To: <20190112182420.4669-1-tycho@tycho.ws>
On Sat, Jan 12, 2019 at 10:24 AM Tycho Andersen <tycho@tycho.ws> wrote:
>
> On the failure path, we do an fput() of the listener fd if the filter fails
> to install (e.g. because of a TSYNC race that's lost, or if the thread is
> killed, etc.). fput() doesn't actually release the fd, it just ads it to a
> work queue. Then the thread proceeds to free the filter, even though the
> listener struct file has a reference to it.
>
> To fix this, on the failure path let's set the private data to null, so we
> know in ->release() to ignore the filter.
>
> Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
> Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
> Signed-off-by: Tycho Andersen <tycho@tycho.ws>
> ---
> This is a little ugly, but I can't really think of a better way (other than
> force freeing, but the fput function that does the actual work is declared
> static with four underscores :).
This makes sense to me. Thanks for fixing it!
Acked-by: Kees Cook <keescook@chromium.org>
James, can you add this to your fixes tree for sending to Linus?
-Kees
> ---
> kernel/seccomp.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index d7f538847b84..e815781ed751 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -976,6 +976,9 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
> struct seccomp_filter *filter = file->private_data;
> struct seccomp_knotif *knotif;
>
> + if (!filter)
> + return 0;
> +
> mutex_lock(&filter->notify_lock);
>
> /*
> @@ -1300,6 +1303,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
> out_put_fd:
> if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
> if (ret < 0) {
> + listener_f->private_data = NULL;
> fput(listener_f);
> put_unused_fd(listener);
> } else {
> --
> 2.19.1
>
--
Kees Cook
next prev parent reply other threads:[~2019-01-12 18:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 15:53 KASAN: use-after-free Read in seccomp_notify_release syzbot
2019-01-12 16:34 ` Kees Cook
2019-01-12 18:24 ` [PATCH] seccomp: fix UAF in user-trap code Tycho Andersen
2019-01-12 18:36 ` Kees Cook [this message]
2019-01-15 17:42 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jJKeO_-Vy5sffQugBKy4z1W7KGwUAySz=MN9ZvMsYqKFw@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tycho@tycho.ws \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).