References: <20190112182420.4669-1-tycho@tycho.ws>
In-Reply-To: <20190112182420.4669-1-tycho@tycho.ws>
From: Kees Cook
Date: Sat, 12 Jan 2019 10:36:33 -0800
Subject: Re: [PATCH] seccomp: fix UAF in user-trap code
To: Tycho Andersen, James Morris
Cc: Andy Lutomirski, Will Drewry, LKML, syzkaller-bugs, syzbot
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 12, 2019 at 10:24 AM Tycho Andersen wrote:
>
> On the failure path, we do an fput() of the listener fd if the filter fails
> to install (e.g. because of a TSYNC race that's lost, or if the thread is
> killed, etc.). fput() doesn't actually release the fd, it just adds it to a
> work queue. Then the thread proceeds to free the filter, even though the
> listener struct file has a reference to it.
>
> To fix this, on the failure path let's set the private data to null, so we
> know in ->release() to ignore the filter.
>
> Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
> Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
> Signed-off-by: Tycho Andersen
> ---
> This is a little ugly, but I can't really think of a better way (other than
> force freeing, but the fput function that does the actual work is declared
> static with four underscores :).

This makes sense to me. Thanks for fixing it!

Acked-by: Kees Cook

James, can you add this to your fixes tree for sending to Linus?

-Kees

> ---
>  kernel/seccomp.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index d7f538847b84..e815781ed751 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -976,6 +976,9 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
>  	struct seccomp_filter *filter = file->private_data;
>  	struct seccomp_knotif *knotif;
>  
> +	if (!filter)
> +		return 0;
> +
>  	mutex_lock(&filter->notify_lock);
>  
>  	/*
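Review bot: the new `if (!filter) return 0;` guard in seccomp_notify_release() needs a comment explaining when private_data can be NULL, because the field is otherwise populated when the listener file is created and a bare NULL check reads like defensive noise rather than the core of a UAF fix. Something like `/* Filter failed to install and was freed by the caller; nothing to tear down. */` above the check would tie it to the failure path in seccomp_set_mode_filter(). The guard also silently depends on that failure path storing NULL before it calls fput(): per the commit message fput() only queues the release, so the store-before-fput ordering is what makes the early return correct, and that is worth stating next to the check so nobody later reorders the two.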
> @@ -1300,6 +1303,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
>  out_put_fd:
>  	if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
>  		if (ret < 0) {
> +			listener_f->private_data = NULL;
>  			fput(listener_f);
>  			put_unused_fd(listener);
>  		} else {
> --
> 2.19.1
>

-- 
Kees Cook
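Review bot: `listener_f->private_data = NULL;` is only safe here because the fd was never installed (put_unused_fd(listener) follows on the same path), so no other task can hold listener_f and race this plain store against the deferred ->release(); that precondition should be written as a comment above the assignment so the store is not later copied to a path where the file has already been published. A related point for the same hunk: clearing private_data means the reference the listener file held on the filter (as the commit message describes) is never dropped through ->release() but is instead absorbed by the caller freeing the filter, so a one-line comment that the caller owns the filter's lifetime on the ret < 0 path would help the next reader understand why ->release() is expected to do nothing.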