releases/5.12.19/cgroup-verify-that-source-is-a-string.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b Mon Sep 17 00:00:00 2001
 From: Christian Brauner <christian.brauner@ubuntu.com>
 Date: Wed, 14 Jul 2021 15:47:49 +0200
 Subject: cgroup: verify that source is a string

 From: Christian Brauner <christian.brauner@ubuntu.com>

 commit 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b upstream.

 The following sequence can be used to trigger a UAF:

     int fscontext_fd = fsopen("cgroup");
     int fd_null = open("/dev/null, O_RDONLY);
     int fsconfig(fscontext_fd, FSCONFIG_SET_FD, "source", fd_null);
     close_range(3, ~0U, 0);

 The cgroup v1 specific fs parser expects a string for the "source"
 parameter.  However, it is perfectly legitimate to e.g.  specify a file
 descriptor for the "source" parameter.  The fs parser doesn't know what
 a filesystem allows there.  So it's a bug to assume that "source" is
 always of type fs_value_is_string when it can reasonably also be
 fs_value_is_file.

 This assumption in the cgroup code causes a UAF because struct
 fs_parameter uses a union for the actual value.  Access to that union is
 guarded by the param->type member.  Since the cgroup paramter parser
 didn't check param->type but unconditionally moved param->string into
 fc->source a close on the fscontext_fd would trigger a UAF during
 put_fs_context() which frees fc->source thereby freeing the file stashed
 in param->file causing a UAF during a close of the fd_null.

 Fix this by verifying that param->type is actually a string and report
 an error if not.

 In follow up patches I'll add a new generic helper that can be used here
 and by other filesystems instead of this error-prone copy-pasta fix.
 But fixing it in here first makes backporting a it to stable a lot
 easier.

 Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
 Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com
 Cc: Christoph Hellwig <hch@lst.de>
 Cc: Alexander Viro <viro@zeniv.linux.org.uk>
 Cc: Dmitry Vyukov <dvyukov@google.com>
 Cc: <stable@kernel.org>
 Cc: syzkaller-bugs <syzkaller-bugs@googlegroups.com>
 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  kernel/cgroup/cgroup-v1.c |    2 ++
  1 file changed, 2 insertions(+)

 --- a/kernel/cgroup/cgroup-v1.c
 +++ b/kernel/cgroup/cgroup-v1.c
 @@ -912,6 +912,8 @@ int cgroup1_parse_param(struct fs_contex
  	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
  	if (opt == -ENOPARAM) {
  		if (strcmp(param->key, "source") == 0) {
 +			if (param->type != fs_value_is_string)
 +				return invalf(fc, "Non-string source");
  			if (fc->source)
  				return invalf(fc, "Multiple sources not supported");
  			fc->source = param->string;
	From 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b Mon Sep 17 00:00:00 2001
	From: Christian Brauner <christian.brauner@ubuntu.com>
	Date: Wed, 14 Jul 2021 15:47:49 +0200
	Subject: cgroup: verify that source is a string

	From: Christian Brauner <christian.brauner@ubuntu.com>

	commit 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b upstream.

	The following sequence can be used to trigger a UAF:

	int fscontext_fd = fsopen("cgroup");
	int fd_null = open("/dev/null, O_RDONLY);
	int fsconfig(fscontext_fd, FSCONFIG_SET_FD, "source", fd_null);
	close_range(3, ~0U, 0);

	The cgroup v1 specific fs parser expects a string for the "source"
	parameter. However, it is perfectly legitimate to e.g. specify a file
	descriptor for the "source" parameter. The fs parser doesn't know what
	a filesystem allows there. So it's a bug to assume that "source" is
	always of type fs_value_is_string when it can reasonably also be
	fs_value_is_file.

	This assumption in the cgroup code causes a UAF because struct
	fs_parameter uses a union for the actual value. Access to that union is
	guarded by the param->type member. Since the cgroup paramter parser
	didn't check param->type but unconditionally moved param->string into
	fc->source a close on the fscontext_fd would trigger a UAF during
	put_fs_context() which frees fc->source thereby freeing the file stashed
	in param->file causing a UAF during a close of the fd_null.

	Fix this by verifying that param->type is actually a string and report
	an error if not.

	In follow up patches I'll add a new generic helper that can be used here
	and by other filesystems instead of this error-prone copy-pasta fix.
	But fixing it in here first makes backporting a it to stable a lot
	easier.

	Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
	Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com
	Cc: Christoph Hellwig <hch@lst.de>
	Cc: Alexander Viro <viro@zeniv.linux.org.uk>
	Cc: Dmitry Vyukov <dvyukov@google.com>
	Cc: <stable@kernel.org>
	Cc: syzkaller-bugs <syzkaller-bugs@googlegroups.com>
	Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	kernel/cgroup/cgroup-v1.c \| 2 ++
	1 file changed, 2 insertions(+)

	--- a/kernel/cgroup/cgroup-v1.c
	+++ b/kernel/cgroup/cgroup-v1.c
	@@ -912,6 +912,8 @@ int cgroup1_parse_param(struct fs_contex
	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
	if (opt == -ENOPARAM) {
	if (strcmp(param->key, "source") == 0) {
	+ if (param->type != fs_value_is_string)
	+ return invalf(fc, "Non-string source");
	if (fc->source)
	return invalf(fc, "Multiple sources not supported");
	fc->source = param->string;