
Commit 85816794 authored by Jan Kara

fanotify: Fix use after free for permission events



Currently struct fanotify_event_info is destroyed immediately
after reporting its contents to userspace. However, that is wrong for
permission events because those need to stay around until userspace
provides a response, which is filled back in fanotify_event_info. So change
the code to free permission events only after we have got the response
from userspace.

Reported-and-tested-by: Jiri Kosina <jkosina@suse.cz>
Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
Signed-off-by: Jan Kara <jack@suse.cz>
parent 83c0e1b4
+4 −1
@@ -192,14 +192,17 @@ static int fanotify_handle_event(struct fsnotify_group *group,

	ret = fsnotify_add_notify_event(group, fsn_event, fanotify_merge);
	if (ret) {
		BUG_ON(mask & FAN_ALL_PERM_EVENTS);
		/* Our event wasn't used in the end. Free it. */
		fsnotify_destroy_event(group, fsn_event);
		ret = 0;
	}

#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
	if (mask & FAN_ALL_PERM_EVENTS)
	if (mask & FAN_ALL_PERM_EVENTS) {
		ret = fanotify_get_response_from_access(group, event);
		fsnotify_destroy_event(group, fsn_event);
	}
#endif
	return ret;
}
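Review bot: the new block frees the permission event unconditionally once fanotify_get_response_from_access(group, event) returns, including when it returns an error, so this must now be the only place a permission event is released; please confirm that fanotify_get_response_from_access() does not free the event on any of its own exit paths, otherwise this becomes a double free. A short comment next to the added fsnotify_destroy_event(group, fsn_event) call, stating that fanotify_read() deliberately skips permission events, would make that ownership explicit. The retained BUG_ON(mask & FAN_ALL_PERM_EVENTS) in the ret branch keeps the invariant that a permission event is never freed before reaching this point.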
+7 −0
@@ -4,6 +4,13 @@

extern struct kmem_cache *fanotify_event_cachep;

/*
 * Lifetime of the structure differs for normal and permission events. In both
 * cases the structure is allocated in fanotify_handle_event(). For normal
 * events the structure is freed immediately after reporting it to userspace.
 * For permission events we free it only after we receive response from
 * userspace.
 */
struct fanotify_event_info {
	struct fsnotify_event fse;
	/*
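Review bot: the new comment should name where each free actually happens so it stays verifiable against the code: normal events are freed in fanotify_read() right after copy_event_to_user(), permission events in fanotify_handle_event() after fanotify_get_response_from_access() returns. Minor grammar: "after we receive response from userspace" should read "after we receive a response from userspace".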
+6 −1
@@ -319,6 +319,11 @@ static ssize_t fanotify_read(struct file *file, char __user *buf,
			if (IS_ERR(kevent))
				break;
			ret = copy_event_to_user(group, kevent, buf);
			/*
			 * Permission events get destroyed after we
			 * receive response
			 */
			if (!(kevent->mask & FAN_ALL_PERM_EVENTS))
				fsnotify_destroy_event(group, kevent);
			if (ret < 0)
				break;
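Review bot: the ordering here means that when copy_event_to_user() fails (ret < 0) for a permission event, the event is not destroyed in this function and nothing in this hunk supplies a response for it, so it is worth confirming that the waiter in fanotify_handle_event() is still woken and frees it on that path rather than leaking the event or blocking indefinitely. Also, the comment "receive response" should read "receive a response", and it would be clearer if it pointed at the owning path, e.g. "/* Permission events are freed in fanotify_handle_event() after the response arrives */".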