linux-stable/fs
Ye Bin eda279586e proc: fix UAF in proc_get_inode()
commit 654b33ada4 upstream.

Fix race between rmmod and /proc/XXX's inode instantiation.

The bug is that pde->proc_ops doesn't belong to /proc, it belongs to a
module, therefore dereferencing it after /proc entry has been registered
is a bug unless use_pde/unuse_pde() pair has been used.

use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
never changes so information necessary for inode instantiation can be
saved _before_ proc_register() in PDE itself and used later, avoiding
pde->proc_ops->... dereference.

      rmmod                         lookup
sys_delete_module
                              proc_lookup_de
                                pde_get(de);
                                proc_get_inode(dir->i_sb, de);
  mod->exit()
    proc_remove
      remove_proc_subtree
        proc_entry_rundown(de);
  free_module(mod);

                              if (S_ISREG(inode->i_mode))
                                if (de->proc_ops->proc_read_iter)
                                  --> As module is already freed, will trigger UAF

BUG: unable to handle page fault for address: fffffbfff80a702b
PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:proc_get_inode+0x302/0x6e0
RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
FS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_lookup_de+0x11f/0x2e0
 __lookup_slow+0x188/0x350
 walk_component+0x2ab/0x4f0
 path_lookupat+0x120/0x660
 filename_lookup+0x1ce/0x560
 vfs_statx+0xac/0x150
 __do_sys_newstat+0x96/0x110
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
Fixes: 778f3dd5a1 ("Fix procfs compat_ioctl regression")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-04-10 14:30:53 +02:00
9p
adfs
affs
afs afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call 2025-03-13 12:46:44 +01:00
autofs
befs
bfs
btrfs btrfs: bring back the incorrectly removed extent buffer lock recursion support 2025-03-13 12:47:44 +01:00
cachefiles
ceph ceph: give up on paths longer than PATH_MAX 2025-02-01 18:22:17 +01:00
cifs smb: client: Add check for next_buffer in receive_encrypted_standard() 2025-03-13 12:47:35 +01:00
coda
configfs
cramfs
crypto
debugfs
devpts
dlm
ecryptfs
efivarfs efivarfs: Fix error on non-existent file 2025-01-09 13:24:53 +01:00
efs
erofs erofs: fix incorrect symlink detection in fast symlink 2025-01-09 13:24:51 +01:00
exfat exfat: fix the infinite loop in exfat_readdir() 2025-02-01 18:22:18 +01:00
exportfs
ext2
ext4 ext4: fix FS_IOC_GETFSMAP handling 2024-12-14 19:48:08 +01:00
f2fs f2fs: fix to wait dio completion 2025-03-13 12:47:24 +01:00
fat fat: fix uninitialized variable 2024-10-22 15:39:24 +02:00
freevxfs
fscache
fuse fuse: don't truncate cached, mutated symlink 2025-04-10 14:30:50 +02:00
gfs2 gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag 2025-02-01 18:22:32 +01:00
hfs hfs: Sanity check the root record 2025-02-01 18:22:28 +01:00
hfsplus hfsplus: don't query the device logical block size multiple times 2024-12-14 19:47:44 +01:00
hostfs
hpfs
hugetlbfs
iomap iomap: update ki_pos a little later in iomap_dio_complete 2024-11-08 16:21:58 +01:00
isofs
jbd2 jbd2: flush filesystem device before updating tail sequence 2025-02-01 18:22:17 +01:00
jffs2 jffs2: Fix rtime decompressor 2024-12-14 19:48:34 +01:00
jfs jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree 2024-12-14 19:48:28 +01:00
kernfs
lockd
minix
nfs pnfs/flexfiles: retry getting layout segment for reads 2025-03-13 12:47:12 +01:00
nfs_common
nfsd NFSD: fix hang in nfsd4_shutdown_callback 2025-03-13 12:47:14 +01:00
nilfs2 nilfs2: handle errors that nilfs_prepare_chunk() may return 2025-03-13 12:47:43 +01:00
nls
notify fsnotify: fix sending inotify event with unexpected filename 2024-12-14 19:48:08 +01:00
ntfs
ocfs2 ocfs2: check dir i_size in ocfs2_find_entry 2025-03-13 12:47:13 +01:00
omfs
openpromfs
orangefs orangefs: fix a oob in orangefs_debug_write 2025-03-13 12:47:16 +01:00
overlayfs ovl: Filter invalid inodes with missing lookup function 2024-12-14 19:47:37 +01:00
proc proc: fix UAF in proc_get_inode() 2025-04-10 14:30:53 +02:00
pstore
qnx4
qnx6
quota quota: flush quota_release_work upon quota writeback 2024-12-14 19:48:16 +01:00
ramfs
reiserfs
romfs
squashfs Squashfs: check the inode number is not the invalid value of zero 2025-03-13 12:47:42 +01:00
sysfs
sysv
tracefs
ubifs ubifs: skip dumping tnc tree when zroot is null 2025-03-13 12:46:57 +01:00
udf udf: Fix use of check_add_overflow() with mixed type arguments 2025-03-13 12:47:45 +01:00
ufs
unicode Revert "unicode: Don't special case ignorable code points" 2024-12-14 19:48:33 +01:00
vboxsf vboxsf: fix building with GCC 15 2025-04-10 14:30:49 +02:00
verity
xfs xfs: fix scrub tracepoints when inode-rooted btrees are involved 2024-12-19 18:06:09 +01:00
zonefs
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c
binfmt_em86.c
binfmt_flat.c binfmt_flat: Fix integer overflow bug on 32 bit systems 2025-03-13 12:47:06 +01:00
binfmt_misc.c
binfmt_script.c
block_dev.c
buffer.c
char_dev.c
compat_binfmt_elf.c
coredump.c
d_path.c
dax.c
dcache.c
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: Add synchronous wakeup support for ep_poll_callback 2025-01-09 13:24:55 +01:00
exec.c exec: don't WARN for racy path_noexec check 2024-11-08 16:21:58 +01:00
fcntl.c
fhandle.c
file_table.c
file.c fs: fix missing declaration of init_files 2025-02-01 18:22:28 +01:00
filesystems.c
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
fsopen.c
init.c
inode.c
internal.h
ioctl.c
Kconfig
Kconfig.binfmt
kernel_read_file.c
libfs.c
locks.c
Makefile
mbcache.c
mount.h
mpage.c
namei.c fuse: don't truncate cached, mutated symlink 2025-04-10 14:30:50 +02:00
namespace.c
no-block.c
nsfs.c
open.c openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) 2024-11-08 16:22:00 +01:00
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c
select.c select: Fix unbalanced user_access_end() 2025-03-13 12:46:44 +01:00
seq_file.c
signalfd.c
splice.c splice: don't generate zero-len segement bvecs 2024-11-17 14:59:37 +01:00
stack.c
stat.c
statfs.c
super.c
sync.c
timerfd.c
userfaultfd.c
utimes.c
xattr.c