From: Levi <ppbuk5246@gmail.com>
To: viro@zeniv.linux.org.uk, davem@davemloft.net, kuba@kernel.org,
gnault@redhat.com, nicolas.dichtel@6wind.com,
edumazet@google.com, lirongqing@baidu.com, tglx@linutronix.de,
johannes.berg@intel.com, dhowells@redhat.com,
daniel@iogearbox.net, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH] netns: dangling pointer on netns bind mount point.
Date: Tue, 7 Apr 2020 11:35:46 +0900 [thread overview]
Message-ID: <20200407023512.GA25005@ubuntu> (raw)
When we try to bind mount on network namespace (ex) /proc/{pid}/ns/net,
inode's private data can have dangling pointer to net_namespace that was
already freed in below case.
1. Forking the process.
2. [PARENT] Waiting the Child till the end.
3. [CHILD] call unshare for creating new network namespace
4. [CHILD] Bind mount with /proc/self/ns/net to some mount point.
5. [CHILD] Exit child.
6. [PARENT] Try to setns with binded mount point
In step 5, net_namespace made by child process'll be freed,
But in bind mount point, it still held the pointer to net_namespace made
by child process.
In this situation, when parent try to call "setns" systemcall with the
bind mount point, parent process try to access to freed memory, That
makes memory corruption.
This patch fix the above scenario by increaseing reference count.
Signed-off-by: Levi Yun <ppbuk5246@gmail.com>
---
fs/namespace.c | 31 +++++++++++++++++++++++++++++++
include/net/net_namespace.h | 7 +++++++
net/core/net_namespace.c | 5 -----
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index a28e4db075ed..ed0fbb6a1b52 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -31,6 +31,10 @@
#include <linux/fs_context.h>
#include <linux/shmem_fs.h>
+#ifdef CONFIG_NET_NS
+#include <net/net_namespace.h>
+#endif
+
#include "pnode.h"
#include "internal.h"
@@ -1013,12 +1017,25 @@ vfs_submount(const struct dentry *mountpoint, struct file_system_type *type,
}
EXPORT_SYMBOL_GPL(vfs_submount);
+#ifdef CONFIG_NET_NS
+static bool is_net_ns_file(struct dentry *dentry)
+{
+ /* Is this a proxy for a network namespace? */
+ return dentry->d_op == &ns_dentry_operations &&
+ dentry->d_fsdata == &netns_operations;
+}
+#endif
+
static struct mount *clone_mnt(struct mount *old, struct dentry *root,
int flag)
{
struct super_block *sb = old->mnt.mnt_sb;
struct mount *mnt;
int err;
+#ifdef CONFIG_NET_NS
+ struct ns_common *ns = NULL;
+ struct net *net = NULL;
+#endif
mnt = alloc_vfsmnt(old->mnt_devname);
if (!mnt)
@@ -1035,6 +1052,20 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
goto out_free;
}
+#ifdef CONFIG_NET_NS
+ if (!(flag & CL_COPY_MNT_NS_FILE) && is_net_ns_file(root)) {
+ ns = get_proc_ns(d_inode(root));
+ if (ns == NULL || ns->ops->type != CLONE_NEWNET) {
+ err = -EINVAL;
+
+ goto out_free;
+ }
+
+ net = to_net_ns(ns);
+ net = get_net(net);
+ }
+#endif
+
mnt->mnt.mnt_flags = old->mnt.mnt_flags;
mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index ab96fb59131c..275258d1dbee 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -474,4 +474,11 @@ static inline void fnhe_genid_bump(struct net *net)
atomic_inc(&net->fnhe_genid);
}
+#ifdef CONFIG_NET_NS
+static inline struct net *to_net_ns(struct ns_common *ns)
+{
+ return container_of(ns, struct net, ns);
+}
+#endif
+
#endif /* __NET_NET_NAMESPACE_H */
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 190ca66a383b..3a6d9155806f 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -1343,11 +1343,6 @@ static struct ns_common *netns_get(struct task_struct *task)
return net ? &net->ns : NULL;
}
-static inline struct net *to_net_ns(struct ns_common *ns)
-{
- return container_of(ns, struct net, ns);
-}
-
static void netns_put(struct ns_common *ns)
{
put_net(to_net_ns(ns));
--
2.26.0
next reply other threads:[~2020-04-07 2:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-07 2:35 Levi [this message]
2020-04-07 3:05 ` [PATCH] netns: dangling pointer on netns bind mount point Al Viro
2020-04-07 3:13 ` Al Viro
2020-04-07 3:29 ` Yun Levi
2020-04-07 4:03 ` Al Viro
[not found] ` <CAM7-yPRaQsNgZKjru40nM1N_u8HVLVKmJCAzu20DcPL=jzKjWQ@mail.gmail.com>
2020-04-07 12:57 ` Fwd: " Yun Levi
2020-04-07 18:26 ` Al Viro
2020-04-08 5:59 ` Yun Levi
2020-04-08 13:48 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200407023512.GA25005@ubuntu \
--to=ppbuk5246@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=gnault@redhat.com \
--cc=johannes.berg@intel.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lirongqing@baidu.com \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).