Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	alexander.deucher@amd.com, broonie@kernel.org,
	chris@chris-wilson.co.uk, David Miller <davem@davemloft.net>,
	deepa.kernel@gmail.com, Greg KH <gregkh@linuxfoundation.org>,
	luc.vanoostenryck@gmail.com, lucien xin <lucien.xin@gmail.com>,
	Ingo Molnar <mingo@kernel.org>,
	Neil Horman <nhorman@tuxdriver.com>,
	syzkaller-bugs@googlegroups.com,
	Vladislav Yasevich <vyasevich@gmail.com>
Subject: Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free
Date: Tue, 19 Dec 2017 17:59:32 +0100	[thread overview]
Message-ID: <874lomhcwb.fsf@redhat.com> (raw)
In-Reply-To: <20171219153225.GA14771@ZenIV.linux.org.uk> (Al Viro's message of "Tue, 19 Dec 2017 15:32:25 +0000")

Al Viro <viro@ZenIV.linux.org.uk> writes:

> On Tue, Dec 19, 2017 at 11:48:19AM +0000, Al Viro wrote:
>> On Tue, Dec 19, 2017 at 11:14:40AM +0100, Giuseppe Scrivano wrote:
>> > mqueue_evict_inode() doesn't access the ipc namespace if it was
>> > already freed.  It can happen if in a new IPC namespace the inode was
>> > created without a prior mq_open() which creates the vfsmount used to
>> > access the superblock from mq_clear_sbinfo().
>> > 
>> > Keep a direct pointer to the superblock used by the inodes so we can
>> > correctly reset the reference to the IPC namespace being destroyed.
>> > 
>> > Bug introduced with 9c583773d03633 ("ipc, mqueue: lazy call
>> > kern_mount_data in new namespaces")
>> 
>> And just what will happen in the same scenario if you mount the damn
>> thing in userland without ever calling mq_open(), touch a file there,
>> then unmount and then leave the ipc namespace?
>
> FWIW, the real solution would be to have userland mounts trigger the creation
> of internal one, same as mq_open() would.  Something along these lines
> (completely untested, on top of vfs.git#for-next).  Care to give it some
> beating?

thanks for the patch.  It seems to work after this minor fixup on top of
it:

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 30327e201571..636989a44fae 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -360,7 +360,7 @@ static struct vfsmount *mq_internal_mount(void)
 		spin_unlock(&mq_lock);
 		if (!IS_ERR(m))
 			kern_unmount(m);
-			return ns->mq_mnt;
+		return ns->mq_mnt;
 	}
 	if (!IS_ERR(m))
 		ns->mq_mnt = m;
@@ -1560,6 +1560,7 @@ static struct file_system_type mqueue_fs_type = {
 
 int mq_init_ns(struct ipc_namespace *ns)
 {
+	ns->mq_mnt           = NULL;
 	ns->mq_queues_count  = 0;
 	ns->mq_queues_max    = DFLT_QUEUESMAX;
 	ns->mq_msg_max       = DFLT_MSGMAX;


The only issue I've seen with my version is that if I do:

# unshare -im /bin/sh
# mount -t mqueue mqueue /dev/mqueue
# touch /dev/mqueue/foo
# umount /dev/mqueue
# mount -t mqueue mqueue /dev/mqueue

then /dev/mqueue/foo doesn't exist at this point.  Your patch does not
have this problem and /dev/mqueue/foo is again accessible after the
second mount.

Regards,
Giuseppe

next prev parent reply	other threads:[~2017-12-19 16:59 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-19 10:14 [PATCH linux-next] mqueue: fix IPC namespace use-after-free Giuseppe Scrivano
2017-12-19 11:48 ` Al Viro
2017-12-19 15:32   ` Al Viro
2017-12-19 15:44     ` Al Viro
2017-12-19 16:31       ` Dmitry Vyukov
2017-12-19 17:02         ` Giuseppe Scrivano
2017-12-19 16:59     ` Giuseppe Scrivano [this message]
2017-12-19 18:40       ` Giuseppe Scrivano
2017-12-19 20:14         ` Al Viro
2017-12-19 21:49           ` Eric W. Biederman
2017-12-19 22:40             ` Al Viro
2017-12-19 23:36               ` Eric W. Biederman
2017-12-21 19:19           ` Giuseppe Scrivano

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:30327e20157 dfblob:636989a44fa )
 OR (
bs:"Re: [PATCH linux-next] mqueue: fix IPC namespace use-after-free" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874lomhcwb.fsf@redhat.com \
    --to=gscrivan@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=alexander.deucher@amd.com \
    --cc=broonie@kernel.org \
    --cc=chris@chris-wilson.co.uk \
    --cc=davem@davemloft.net \
    --cc=deepa.kernel@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luc.vanoostenryck@gmail.com \
    --cc=lucien.xin@gmail.com \
    --cc=mingo@kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@ZenIV.linux.org.uk \
    --cc=vyasevich@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.