Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1944019imu;
        Sat, 12 Jan 2019 11:14:09 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4kUlAT/gPVpHXglkYmJJDEcTxb3St69M3unuUmM5IdkgzOpSckgk9K4flSkS/TocOUMjbA
X-Received: by 2002:a62:3241:: with SMTP id y62mr19393330pfy.178.1547320449685;
        Sat, 12 Jan 2019 11:14:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547320449; cv=none;
        d=google.com; s=arc-20160816;
        b=Ovt32qa4SHhaFpEgBPz81fSeHoEdhgSzbWyo8M0swvpTY9hc8fsTStJFZA8Iuni/K0
         hGRR44FPUkpVymTkp/Pdqtsln2rgaSt7ZE0BdUDkcd49GeKTpUa4isYkAZbj/JLhjPjr
         Ztl7Pc44RWnDO+SKb2zy3LL5xKHRPxFZqVXaS+VdkX6U3GpnWyIDiGtCeurjjffCmNc2
         bj2nLzq1gWNWHj3zpMoP8T+8wQmmuZIHazwRQjIwTd77o3T3buuG0QjfQGQc69nanIyv
         3Jm6qr24uePbKGGrNAc9POn6sM7zhbSsYB2dq9MOX4jN+wY7ESuZ/6nP+zk3LgzyW1wg
         kT6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=FGdc6ZAHO71r4iEGIQRpzdsd9638cgOO1tSjP/bGKak=;
        b=Q4x7w6TPsEjagEi/f8Jo/BPQUmb25/sjcVdHe70z5EGAB4uqsmejHwh/7pX9ka4RdU
         7uCXkTyK1+b5yqQA02khV1nNPLpkOy9OAezy4LLEirQIVBWRuSRZlDv5ud8O+VfK9pdv
         mUKbQLttEo06sefwKE5YVij2+frgF8cZm1tcSuyAfnd4OHFZPEgiylJIAxE+9FZ70+cK
         WNgY8JQHlg9WQh/NzAhnkqUQKlvkA4d/VWRdg0268dgTpQZzXrbY+E7Xwspabpxe9jvm
         tO6ZV/RfGqwCJ7rdol/fsZQ3zCel3RaIygkStD9t7Kfr8IQKxityHHqwjLx3Mm1iDdpi
         k6Gw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=RFlhbROx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 9si24493883pgn.524.2019.01.12.11.13.53;
        Sat, 12 Jan 2019 11:14:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=RFlhbROx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726498AbfALSYw (ORCPT <rfc822;cesare.gargano@gmail.com>
        + 99 others); Sat, 12 Jan 2019 13:24:52 -0500
Received: from mail-it1-f196.google.com ([209.85.166.196]:55410 "EHLO
        mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725842AbfALSYw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 12 Jan 2019 13:24:52 -0500
Received: by mail-it1-f196.google.com with SMTP id m62so7650042ith.5
        for <linux-kernel@vger.kernel.org>; Sat, 12 Jan 2019 10:24:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=tycho-ws.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=FGdc6ZAHO71r4iEGIQRpzdsd9638cgOO1tSjP/bGKak=;
        b=RFlhbROx7aNot7KsfcbtJ2UQAffPOeOOGK7CQF41bUUPIhK9An0q86JRDPQoppMVfK
         RDHiKUC6k3ObfEchtaY6xuAawmP6xUWarpYRjxO/5kme/WlBVzp1O1TLtmAV6oDhTU9b
         Pl3ZWRkmMUeMWnv5Ul1puxtY70KYSYCjGM5HdrP4R9t8hXm1RUC52qiMtzCGO3zBZQFE
         zCClgoLs0J2CtQMXvJLlr+XlVQnAtX0GKNetF4s5SDwjsjzjKmCn128LWYo+405ziS5u
         OLYpGEdikadzocLUpX65mjtZ176TktkrLXmp9rzZBBkAvmfvxSg2JXZUEaqmemssA37u
         1PrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=FGdc6ZAHO71r4iEGIQRpzdsd9638cgOO1tSjP/bGKak=;
        b=UjBSCx4Z6bLxan0BR3O36ws2E6WJBphLmLmzwOhqWUQeSj0WfcbdmgSaDe2zheLZtU
         4KiIXBGujquJdIYpmpa37T8sRv6N7GIpFXq8/MqTuYM/QDl4t+T1LWLoHPN/+oxus3+9
         NNzs5oVpMe7iJXylhc9wU358tHdrUmmSHqkGiBCl4GHppO+X+fNdUUpUjV/CxYxpy/oC
         KyLHt29c0zFsQGPiql3IVYJghaTNf/Z1RsVyBNOwcwRtWn2YS0JpbhSjUoq5qxrEY+7E
         FzXQO7l0paq1vOwORgJlJe+L/F+Wt68pQTN3kAOs7zxp8FmMdFUvwgobwcocyYTKpIsQ
         CvwA==
X-Gm-Message-State: AJcUuke0+nbFuj9i64GFXaZQBtcM0kIILWOoLBAhzck3HCGPo43meWF7
        YjD93yULIQPsXCtI4CEUnMtmhhhWyL+tZTP5
X-Received: by 2002:a24:fdc4:: with SMTP id m187mr4135396ith.75.1547317491262;
        Sat, 12 Jan 2019 10:24:51 -0800 (PST)
Received: from cisco.hsd1.co.comcast.net ([2601:282:901:dd7b:c69:9cc7:f9cf:ff1b])
        by smtp.gmail.com with ESMTPSA id g186sm10968125ite.39.2019.01.12.10.24.49
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 12 Jan 2019 10:24:50 -0800 (PST)
From:   Tycho Andersen <tycho@tycho.ws>
To:     Kees Cook <keescook@chromium.org>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Will Drewry <wad@chromium.org>, linux-kernel@vger.kernel.org,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        syzbot <syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com>,
        Tycho Andersen <tycho@tycho.ws>
Subject: [PATCH] seccomp: fix UAF in user-trap code
Date:   Sat, 12 Jan 2019 11:24:20 -0700
Message-Id: <20190112182420.4669-1-tycho@tycho.ws>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <CAGXu5j+9ETYcavj2x3Up0FhvkopZohbJcS4CMvrrCWOwDurSFw@mail.gmail.com>
References: <CAGXu5j+9ETYcavj2x3Up0FhvkopZohbJcS4CMvrrCWOwDurSFw@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On the failure path, we do an fput() of the listener fd if the filter fails
to install (e.g. because of a TSYNC race that's lost, or if the thread is
killed, etc.). fput() doesn't actually release the fd, it just ads it to a
work queue. Then the thread proceeds to free the filter, even though the
listener struct file has a reference to it.

To fix this, on the failure path let's set the private data to null, so we
know in ->release() to ignore the filter.

Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---
This is a little ugly, but I can't really think of a better way (other than
force freeing, but the fput function that does the actual work is declared
static with four underscores :).
---
 kernel/seccomp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index d7f538847b84..e815781ed751 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -976,6 +976,9 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
 	struct seccomp_filter *filter = file->private_data;
 	struct seccomp_knotif *knotif;
 
+	if (!filter)
+		return 0;
+
 	mutex_lock(&filter->notify_lock);
 
 	/*
@@ -1300,6 +1303,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
 out_put_fd:
 	if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
 		if (ret < 0) {
+			listener_f->private_data = NULL;
 			fput(listener_f);
 			put_unused_fd(listener);
 		} else {
-- 
2.19.1