From: Tycho Andersen
To: Kees Cook
Cc: Andy Lutomirski, Will Drewry, linux-kernel@vger.kernel.org, syzkaller-bugs, syzbot, Tycho Andersen
Subject: [PATCH] seccomp: fix UAF in user-trap code
Date: Sat, 12 Jan 2019 11:24:20 -0700
Message-Id: <20190112182420.4669-1-tycho@tycho.ws>
X-Mailing-List: linux-kernel@vger.kernel.org

On the failure path, we do an fput() of the listener fd if the filter fails to install (e.g. because of a TSYNC race that's lost, or if the thread is killed, etc.). fput() doesn't actually release the fd, it just adds it to a work queue. Then the thread proceeds to free the filter, even though the listener struct file has a reference to it.

To fix this, on the failure path let's set the private data to null, so we know in ->release() to ignore the filter.

Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Signed-off-by: Tycho Andersen --- This is a little ugly, but I can't really think of a better way (other than force freeing, but the fput function that does the actual work is declared static with four underscores :). --- kernel/seccomp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d7f538847b84..e815781ed751 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -976,6 +976,9 @@ static int seccomp_notify_release(struct inode *inode, struct file *file) struct seccomp_filter *filter = file->private_data; struct seccomp_knotif *knotif; + if (!filter) + return 0; + mutex_lock(&filter->notify_lock); /* @@ -1300,6 +1303,7 @@ static long seccomp_set_mode_filter(unsigned int flags, out_put_fd: if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) { if (ret < 0) { + listener_f->private_data = NULL; fput(listener_f); put_unused_fd(listener); } else { -- 2.19.1
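Review bot: in the seccomp_notify_release() hunk, the early `return 0` when `file->private_data` is NULL is only correct because the caller on the failure path frees the filter itself, and nothing in the hunk records that invariant. A one-line comment above the check, along the lines of `/* private_data is cleared by seccomp_set_mode_filter() on its failure path; the filter is freed there, not here */`, would stop a future reader from dropping the guard or assuming ->release() is the only place the filter is torn down.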
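Review bot: in the out_put_fd hunk, the `listener_f->private_data = NULL;` store must stay ahead of `fput(listener_f);`, because fput() only queues the release and the filter is gone by the time that work runs; the ordering here is right, and it is free of concurrent readers only because the fd was never installed (the `put_unused_fd(listener)` that follows is what tells us that). That reasoning deserves a comment at the store. Given the cover note itself calls this ugly, the alternative worth noting is to not free the filter while the struct file still holds its reference and let ->release() drop it, which would remove the need for the NULL-check in ->release() altogether.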
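The lifetime mix-up the commit message describes, modelled in userspace as an added example; this is not kernel code and not the patch author's. toy_fput() parks the file on a one-slot queue the way the kernel's deferred fput() does, toy_notify_release() stands in for seccomp_notify_release(), and the FILTER_ALIVE/FILTER_FREED markers are constructed so the stale access shows up as a return value instead of undefined behaviour:

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed liveness markers: the model poisons a "freed" filter before it
 * really frees it, so a use-after-free is observable rather than undefined. */
#define FILTER_ALIVE 0x46494c54u
#define FILTER_FREED 0xdeadbeefu

struct toy_filter {
    unsigned int magic;
    int notify_locked;      /* stands in for taking filter->notify_lock */
};

struct toy_file {
    struct toy_filter *private_data;
    int (*release)(struct toy_file *f);
};

enum release_result { RELEASE_IGNORED = 1, RELEASE_OK, RELEASE_UAF };

/* One-slot "task work" queue: toy_fput() parks the file here, and the
 * release callback runs only when the queue is drained later. */
static struct toy_file *pending_release;

static void toy_fput(struct toy_file *f)
{
    pending_release = f;    /* deferred, which is exactly the property that bites */
}

static int drain_pending_release(void)
{
    struct toy_file *f = pending_release;
    pending_release = NULL;
    return f ? f->release(f) : 0;
}

/* Model of seccomp_notify_release(): it reaches the filter via private_data. */
static int toy_notify_release(struct toy_file *f)
{
    struct toy_filter *filter = f->private_data;

    if (!filter)                        /* the guard the patch adds */
        return RELEASE_IGNORED;
    if (filter->magic != FILTER_ALIVE)  /* would be mutex_lock() on freed memory */
        return RELEASE_UAF;
    filter->notify_locked = 1;
    return RELEASE_OK;
}

/* The failing install path: fput() the listener, then free the filter.
 * clear_private_data == 0 is the pre-patch sequence, 1 is the patched one. */
static int run_failure_path(int clear_private_data)
{
    struct toy_filter *filter = calloc(1, sizeof(*filter));
    struct toy_file listener = { filter, toy_notify_release };
    int res;

    if (!filter)
        return -1;
    filter->magic = FILTER_ALIVE;

    if (clear_private_data)
        listener.private_data = NULL;   /* the patch's out_put_fd hunk */
    toy_fput(&listener);                /* queued, not released */
    filter->magic = FILTER_FREED;       /* the thread frees the filter now */

    res = drain_pending_release();      /* deferred ->release() runs afterwards */
    free(filter);                       /* real free only after the observation */
    return res;
}

/* The normal path for contrast: the filter outlives the file. */
static int run_success_path(void)
{
    struct toy_filter *filter = calloc(1, sizeof(*filter));
    struct toy_file listener = { filter, toy_notify_release };
    int res;

    if (!filter)
        return -1;
    filter->magic = FILTER_ALIVE;
    toy_fput(&listener);
    res = drain_pending_release();      /* filter still alive: released normally */
    filter->magic = FILTER_FREED;
    free(filter);
    return res;
}

int main(void)
{
    printf("pre-patch failure path : %d (3 = use after free)\n", run_failure_path(0));
    printf("patched failure path   : %d (1 = release ignored the filter)\n", run_failure_path(1));
    printf("success path           : %d (2 = released normally)\n", run_success_path());
    return 0;
}
```

The pre-patch sequence reaches the poisoned filter through private_data because the queued release runs after the free; with the NULL store ahead of the queued fput, ->release() returns early and never touches the filter, which is the whole of the fix.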