From: Alexander Kuznetsov <wwfq@yandex-team.ru>

Date: Wed, 9 Jun 2021 10:17:19 +0300

Subject: cgroup1: don't allow '\n' in renaming

Git-commit: b7e24eb1caa5f8da20d405d262dba67943aedc42

Patch-mainline: v5.13-rc6

References: bsc#1187972

cgroup_mkdir() have restriction on newline usage in names:

$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'

mkdir: cannot create directory

'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument

But in cgroup1_rename() such check is missed.

This allows us to make /proc/<pid>/cgroup unparsable:

$ mkdir /sys/fs/cgroup/cpu/test

$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'

$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'

$ cat /proc/self/cgroup

11:pids:/

10:freezer:/

9:hugetlb:/

8:cpuset:/

7:blkio:/user.slice

6:memory:/user.slice

5:net_cls,net_prio:/

4:perf_event:/

3:devices:/user.slice

2:cpu,cpuacct:/test

test2

1:name=systemd:/

0::/

Signed-off-by: Alexander Kuznetsov <wwfq@yandex-team.ru>

Reported-by: Andrey Krasichkov <buglloc@yandex-team.ru>

Acked-by: Dmitry Yakunin <zeil@yandex-team.ru>

Cc: stable@vger.kernel.org

Signed-off-by: Tejun Heo <tj@kernel.org>

Acked-by: Michal Koutný <mkoutny@suse.com>

---

 kernel/cgroup/cgroup-v1.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c

index 8190b6bfc9784..1f274d7fc934e 100644

--- a/kernel/cgroup/cgroup-v1.c

+++ b/kernel/cgroup/cgroup-v1.c

@@ -820,6 +820,10 @@ static int cgroup1_rename(struct kernfs_node *kn, struct kernfs_node *new_parent

 	struct cgroup *cgrp = kn->priv;

 	int ret;

+	/* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */

+	if (strchr(new_name_str, '\n'))

+		return -EINVAL;

+

 	if (kernfs_type(kn) != KERNFS_DIR)

 		return -ENOTDIR;

 	if (kn->parent != new_parent)