| From 73601ea5b7b18eb234219ae2adf77530f389da79 Mon Sep 17 00:00:00 2001 |
| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Date: Thu, 28 Mar 2019 20:43:30 -0700 |
| Subject: fs/open.c: allow opening only regular files during execve() |
| |
| From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| |
| commit 73601ea5b7b18eb234219ae2adf77530f389da79 upstream. |
| |
| syzbot is hitting lockdep warning [1] due to trying to open a fifo |
| during an execve() operation. But we don't need to open non regular |
| files during an execve() operation, for all files which we will need are |
| the executable file itself and the interpreter programs like /bin/sh and |
| ld-linux.so.2 . |
| |
| Since the manpage for execve(2) says that execve() returns EACCES when |
| the file or a script interpreter is not a regular file, and the manpage |
| for uselib(2) says that uselib() can return EACCES, and we use |
| FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non |
| regular file is requested with FMODE_EXEC set. |
| |
| Since this deadlock followed by khungtaskd warnings is trivially |
| reproducible by a local unprivileged user, and syzbot's frequent crash |
| due to this deadlock defers finding other bugs, let's workaround this |
| deadlock until we get a chance to find a better solution. |
| |
| [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce |
| |
| Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp |
| Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com> |
| Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()") |
| Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Acked-by: Kees Cook <keescook@chromium.org> |
| Cc: Al Viro <viro@zeniv.linux.org.uk> |
| Cc: Eric Biggers <ebiggers3@gmail.com> |
| Cc: Dmitry Vyukov <dvyukov@google.com> |
| Cc: <stable@vger.kernel.org> [4.9+] |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/open.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/fs/open.c |
| +++ b/fs/open.c |
| @@ -716,6 +716,12 @@ static int do_dentry_open(struct file *f |
| return 0; |
| } |
| |
| + /* Any file opened for execve()/uselib() has to be a regular file. */ |
| + if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { |
| + error = -EACCES; |
| + goto cleanup_file; |
| + } |
| + |
| if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { |
| error = get_write_access(inode); |
| if (unlikely(error)) |