| From 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b Mon Sep 17 00:00:00 2001 |
| From: Christian Brauner <christian.brauner@ubuntu.com> |
| Date: Wed, 14 Jul 2021 15:47:49 +0200 |
| Subject: cgroup: verify that source is a string |
| |
| From: Christian Brauner <christian.brauner@ubuntu.com> |
| |
| commit 3b0462726e7ef281c35a7a4ae33e93ee2bc9975b upstream. |
| |
| The following sequence can be used to trigger a UAF: |
| |
| int fscontext_fd = fsopen("cgroup"); |
| int fd_null = open("/dev/null, O_RDONLY); |
| int fsconfig(fscontext_fd, FSCONFIG_SET_FD, "source", fd_null); |
| close_range(3, ~0U, 0); |
| |
| The cgroup v1 specific fs parser expects a string for the "source" |
| parameter. However, it is perfectly legitimate to e.g. specify a file |
| descriptor for the "source" parameter. The fs parser doesn't know what |
| a filesystem allows there. So it's a bug to assume that "source" is |
| always of type fs_value_is_string when it can reasonably also be |
| fs_value_is_file. |
| |
| This assumption in the cgroup code causes a UAF because struct |
| fs_parameter uses a union for the actual value. Access to that union is |
| guarded by the param->type member. Since the cgroup paramter parser |
| didn't check param->type but unconditionally moved param->string into |
| fc->source a close on the fscontext_fd would trigger a UAF during |
| put_fs_context() which frees fc->source thereby freeing the file stashed |
| in param->file causing a UAF during a close of the fd_null. |
| |
| Fix this by verifying that param->type is actually a string and report |
| an error if not. |
| |
| In follow up patches I'll add a new generic helper that can be used here |
| and by other filesystems instead of this error-prone copy-pasta fix. |
| But fixing it in here first makes backporting a it to stable a lot |
| easier. |
| |
| Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing") |
| Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com |
| Cc: Christoph Hellwig <hch@lst.de> |
| Cc: Alexander Viro <viro@zeniv.linux.org.uk> |
| Cc: Dmitry Vyukov <dvyukov@google.com> |
| Cc: <stable@kernel.org> |
| Cc: syzkaller-bugs <syzkaller-bugs@googlegroups.com> |
| Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| kernel/cgroup/cgroup-v1.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/kernel/cgroup/cgroup-v1.c |
| +++ b/kernel/cgroup/cgroup-v1.c |
| @@ -912,6 +912,8 @@ int cgroup1_parse_param(struct fs_contex |
| opt = fs_parse(fc, cgroup1_fs_parameters, param, &result); |
| if (opt == -ENOPARAM) { |
| if (strcmp(param->key, "source") == 0) { |
| + if (param->type != fs_value_is_string) |
| + return invalf(fc, "Non-string source"); |
| if (fc->source) |
| return invalf(fc, "Multiple sources not supported"); |
| fc->source = param->string; |