From: Al Viro <viro@zeniv.linux.org.uk>
To: Jann Horn <jannh@google.com>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	kernel list <linux-kernel@vger.kernel.org>
Subject: Re: BUG: d_path() races with do_move_mount() on ->mnt_ns, leading to use-after-free
Date: Tue, 13 Sep 2022 18:48:05 +0100
Message-ID: <YyDCVSaA2Kjnz/a5@ZenIV>
In-Reply-To: <CAG48ez2dS04ONb-EVQGOtmeU6vTpKLe4J0W1yqa+Q9j+Hg3hFw@mail.gmail.com>

On Tue, Sep 13, 2022 at 07:14:56PM +0200, Jann Horn wrote:
> As the subject says, there's a race between d_path() (specifically
> __prepend_path()) looking at mnt->mnt_ns with is_anon_ns(), and
> do_move_mount() switching out the ->mnt_ns and freeing the old one.
> This can theoretically lead to a use-after-free read, but it doesn't
> seem to be very interesting from a security perspective, since all it
> gets you is a comparison of a value in freed memory with zero.

... with d_absolute_path() being the only caller that might even
theoretically care.

	Anyway, shouldn't be hard to deal with - adding rcu_head to
struct mnt_namespace (anon-unioned with e.g. ->list) and turning kfree()
in free_mnt_ns() into kfree_rcu() ought to do it...
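A user-space model of the fix sketched above, added here as an example and not code from this thread or from the kernel: ns_model, kfree_rcu_model and rcu_grace_period_model are hypothetical stand-ins for struct mnt_namespace, kfree_rcu() and an RCU grace period, the rcu_head shares storage with the list link as the reply suggests, and the reader/writer interleaving is sequenced by hand rather than by real concurrency.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct rcu_head_model { struct rcu_head_model *next; };
struct list_node { struct list_node *prev, *next; };
struct ns_model {            /* hypothetical stand-in for struct mnt_namespace */
    unsigned long seq;       /* seq == 0 marks an anonymous namespace */
    union {                  /* rcu_head anon-unioned with ->list */
        struct list_node list;
        struct rcu_head_model rcu;
    };
};
static struct rcu_head_model *pending; /* kfree_rcu() backlog */
static int readers_active;             /* readers inside rcu_read_lock() */
static void rcu_read_lock_model(void)   { readers_active++; }
static void rcu_read_unlock_model(void) { readers_active--; }
static bool is_anon_ns_model(const struct ns_model *ns) { return ns->seq == 0; }

static void kfree_rcu_model(struct ns_model *ns) {
    ns->rcu.next = pending;  /* the list link is dead once we get here */
    pending = &ns->rcu;
}
/* Grace period: releases the backlog only when no reader is inside. */
static int rcu_grace_period_model(void) {
    int freed = 0;
    if (readers_active) return 0;
    while (pending) {
        struct rcu_head_model *h = pending;
        pending = h->next;
        free((char *)h - offsetof(struct ns_model, rcu)); /* container_of */
        freed++;
    }
    return freed;
}
/* Replays the race: the d_path() side reads mnt->mnt_ns while the
 * do_move_mount() side swaps it out and frees the old namespace.
 * True when the old object stayed readable and was freed only later. */
bool deferred_free_keeps_reader_safe(void) {
    struct ns_model *old = calloc(1, sizeof *old);  /* seq 0: anonymous */
    struct ns_model *repl = calloc(1, sizeof *repl);
    struct ns_model *mnt_ns = old;                  /* the mount's ->mnt_ns */
    repl->seq = 42;
    rcu_read_lock_model();                          /* d_path() enters */
    struct ns_model *seen = mnt_ns;
    mnt_ns = repl;                                  /* do_move_mount() */
    kfree_rcu_model(old);
    int freed_early = rcu_grace_period_model();     /* reader still inside */
    bool anon = is_anon_ns_model(seen);             /* reads live memory */
    rcu_read_unlock_model();
    int freed_late = rcu_grace_period_model();
    free(repl);
    return freed_early == 0 && anon && freed_late == 1;
}
```

With a plain free() in place of kfree_rcu_model(), the is_anon_ns_model() read would touch released memory, which is the use-after-free the report describes.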
