| From ee12595147ac1fbfb5bcb23837e26dd58d94b15d Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 28 Jan 2022 22:57:01 +0300 |
| Subject: [PATCH] fanotify: Fix stale file descriptor in copy_event_to_user() |
| Git-commit: ee12595147ac1fbfb5bcb23837e26dd58d94b15d |
| Patch-mainline: v5.17-rc3 |
| References: bsc#1195187 CVE-2022-1998 |
| |
| This code calls fd_install() which gives the userspace access to the fd. |
| Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but |
| that will not release it and leads to a stale entry in the file |
| descriptor table. |
| |
| Generally you can't trust the fd after a call to fd_install(). The fix |
| is to delay the fd_install() until everything else has succeeded. |
| |
| Fortunately it requires CAP_SYS_ADMIN to reach this code so the security |
| impact is less. |
| |
| Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up") |
| Link: https://lore.kernel.org/r/20220128195656.GA26981@kili |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Mathias Krause <minipli@grsecurity.net> |
| Signed-off-by: Jan Kara <jack@suse.cz> |
| Acked-by: Jan Kara <jack@suse.cz> |
| |
| fs/notify/fanotify/fanotify_user.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| |
| |
| @@ -464,9 +464,6 @@ static ssize_t copy_event_to_user(struct |
| if (fanotify_is_perm_event(event->mask)) |
| FANOTIFY_PERM(event)->fd = fd; |
| |
| - if (f) |
| - fd_install(fd, f); |
| - |
| /* Event info records order is: dir fid + name, child fid */ |
| if (fanotify_event_dir_fh_len(event)) { |
| info_type = info->name_len ? FAN_EVENT_INFO_TYPE_DFID_NAME : |
| @@ -530,6 +527,9 @@ static ssize_t copy_event_to_user(struct |
| count -= ret; |
| } |
| |
| + if (f) |
| + fd_install(fd, f); |
| + |
| return metadata.event_len; |
| |
| out_close_fd: |