Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp1155895pxb; Thu, 16 Sep 2021 00:35:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwW/MSbdVtueA12bhfmdjswdcb1hawQb8HUuIR0S7rqRO3xgCZgpmXZrK4t3K+7LxiYKXq2 X-Received: by 2002:a05:6638:dc8:: with SMTP id m8mr3224383jaj.21.1631777751739; Thu, 16 Sep 2021 00:35:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1631777751; cv=none; d=google.com; s=arc-20160816; b=KXyfS6QMNErTW0UoSQybX32Z6XAKwUalTMevebfFkX5xs/jn2VMlIiFBLHmQ7OKzrj 5QPRRP3dQI5+6NvqTSs9AGqibnxw9HaJa8dJlSEUDCi5wpizrwnPp6XqDr89JtPuuSm1 E1gdcy7NO3vFb+vilGtOwLdGhQO8FBm/RUEU6WfCzTEMNVPU2kWtlVoC3w8losHZLD6B +UukOk+9PUWZCej+XPf8G3vwdsLGY6QVoqD3PczS1KcYBYfQqytAx2oFQ2XRyBaluf90 BCW6CBzB3AvXRmszWphnkSkkteyAqyf1suoJYz9UQ64roxe7X6ZEwdPIGBPIPTWNjp5C r7qQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:mime-version:dkim-signature; bh=Bb9J2o84T3V9+Tf1rBXjmsTxCOrWhxebCsVPY9V9H3Q=; b=hIaIjrG4md3D/IG5at2MiidWh1eF+j+0qsikc2OSDTeb+EXhWx9iAvKqaz9P7U1dr1 UVeqLP2dShpMQD/QGpQW0DN0SYot64kIrLhSw0pJCdFr9l64hJjhsTgrf4QcayxCQxag vNQUpQVZ+uQJQYaSrTMDhlJvtiTbZ70+Th9kLf4robWn/KCKso9GQz5BFeVUmdzpXsg2 bw21DZfHMUieV/XBzIYDKOMa/UElNH9JbZwAIg6DiDpeSgq94bXBcky4pE4Cp40ehMyi PfvXT5wzYgBinlkblKWe45442auLYX3mMjm6dJY7GrI77dJ/EE+QdlYlnO2v6MGa2j/K cmJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="o7Hc/0r4"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 15si2467375ilt.96.2021.09.16.00.35.40; Thu, 16 Sep 2021 00:35:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="o7Hc/0r4"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234814AbhIPHfW (ORCPT + 99 others); Thu, 16 Sep 2021 03:35:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234799AbhIPHfV (ORCPT ); Thu, 16 Sep 2021 03:35:21 -0400 Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56A70C061574; Thu, 16 Sep 2021 00:34:01 -0700 (PDT) Received: by mail-il1-x12b.google.com with SMTP id x2so5656611ila.11; Thu, 16 Sep 2021 00:34:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=Bb9J2o84T3V9+Tf1rBXjmsTxCOrWhxebCsVPY9V9H3Q=; b=o7Hc/0r4/rqQZyDLh4oEdpb5eQFXFhD0EjPpk5hn/2A+g/usJSxSnLmJafVUoT38Zj 8053Lv2OJY+wJyx+T0HEQgk3aFYMyzIw1m+wWScYol/9TSMGOTP/A1VCHz0yCXVOp9Io LzwSUt3Eqyfb9klM81ai+mwwcLv89gsJTUm30A8VQZpgs3tdG2nyb5yB+tOqxPfV5Yz4 0TySfqplMUy9HvWeFvDi1pe+KyceI3mU/9146Shy6A8qUTYXeVgz6bn6Zu6L/aTARQwd 4YJtIfql+wrNd11IzdnxdSk7yBqGnmPAMWP5VTHc7nrZ7PeI/dsinYip+3qzTTuBTK74 hPaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=Bb9J2o84T3V9+Tf1rBXjmsTxCOrWhxebCsVPY9V9H3Q=; b=tHTMq22fqK0BENcVw2qFz9n5V0ke1IbUYkyumMtkFzazvltLqee1vicvcwKCiA6nks OXQFKnmhHnjIesMB89KyZBupajmQUaZGH1RSqEO8T5cU4bcKgLq2XsQTVQvVtupOMVGa 1ZVD0TGjsrJNBXo2zUgaYX2eS98qem6h+nPP8TZrZgQGxX/DP+kcY99yObxelGpFU6jm Fbz+BWc5/Vsr8YiYQvWtENLB45dAyPZb3TY+Q2KpE1DZJQlkLshLWLyYLIhUyBr3sPx0 +sKepywqIHIpPp9Gf0INXoDs0nELknG69xucbmbm2zj3Hc5LKGNyTBFjPvS5M9JQmXNt 1Oow== X-Gm-Message-State: AOAM531pwqWXsVk8vRxfzfzUE8b4LZ+pkF3QDXxdEOBl+lAQnkwHQSJR BSU7dz2md+g6BiNWGeiKc/2ZvGEtpSZ/1cOS1g== X-Received: by 2002:a92:db0b:: with SMTP id b11mr2935465iln.275.1631777640713; Thu, 16 Sep 2021 00:34:00 -0700 (PDT) MIME-Version: 1.0 From: Jinmeng Zhou Date: Thu, 16 Sep 2021 15:33:49 +0800 Message-ID: Subject: A missing check bug in cgroup1_reconfigure() To: tj@kernel.org, lizefan@huawei.com, hannes@cmpxchg.org Cc: shenwenbosmile@gmail.com, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Dear maintainers, hi, our team has found a missing check bug on Linux kernel v5.10.7 using static analysis. There is a checking path where cgroup1_get_tree() calls cgroup1_root_to_use= () to mount cgroup_root after checking capability. However, another no-checking path exists, cgroup1_reconfigure() calls trace_cgroup_remount() to remount without checking capability. We think there is a missing check bug before mounting cgroup_root in cgroup1_reconfigure(). Specifically, cgroup1_get_tree() uses ns_capable(ctx->ns->user_ns, CAP_SYS_ADMIN) to check the permission before calling the critical function cgroup1_root_to_use() to mount. 1. // check ns_capable() //////////////////////////// 2. int cgroup1_get_tree(struct fs_context *fc) 3. { 4. struct cgroup_fs_context *ctx =3D cgroup_fc2context(fc); 5. int ret; 6. /* Check if the caller has permission to mount. */ 7. if (!ns_capable(ctx->ns->user_ns, CAP_SYS_ADMIN)) 8. return -EPERM; 9. cgroup_lock_and_drain_offline(&cgrp_dfl_root.cgrp); 10. ret =3D cgroup1_root_to_use(fc); 11. ... 12. } trace_cgroup_remount() is called to remount cgroup_root in cgroup1_reconfigure(). However, it lacks the check. 1. int cgroup1_reconfigure(struct fs_context *fc) 2. { 3. struct cgroup_fs_context *ctx =3D cgroup_fc2context(fc); 4. struct kernfs_root *kf_root =3D kernfs_root_from_sb(fc->root->d_sb); 5. struct cgroup_root *root =3D cgroup_root_from_kf(kf_root); 6. int ret =3D 0; 7. u16 added_mask, removed_mask; 8. ... 9. trace_cgroup_remount(root); 10. ... 11. } We find cgroup1_reconfigure() is only used in a variable initialization. Function cgroup1_get_tree() is also used in this initialization. Both functions are indirectly called which is hard to trace. We reasonably consider that the two functions can be equally reached by the user, therefore, there is a missing check bug. 1. static const struct fs_context_operations cgroup1_fs_context_ops =3D { 2. =E2=80=A6 3. .get_tree =3D cgroup1_get_tree, 4. .reconfigure =3D cgroup1_reconfigure, 5. }; Thanks! Best regards, Jinmeng Zhou