fanotify: Fix use after free for permission events
authorJan Kara <jack@suse.cz>
Tue, 28 Jan 2014 20:38:06 +0000 (21:38 +0100)
committerJan Kara <jack@suse.cz>
Wed, 29 Jan 2014 12:57:17 +0000 (13:57 +0100)
Currently struct fanotify_event_info has been destroyed immediately
after reporting its contents to userspace. However that is wrong for
permission events because those need to stay around until userspace
provides response which is filled back in fanotify_event_info. So change
to code to free permission events only after we have got the response
from userspace.

Reported-and-tested-by: Jiri Kosina <jkosina@suse.cz>
Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
Signed-off-by: Jan Kara <jack@suse.cz>
fs/notify/fanotify/fanotify.c
fs/notify/fanotify/fanotify.h
fs/notify/fanotify/fanotify_user.c

index c7e5e8f547480d33d68c980dce7af691af7d996f..0e792f5e3147c3cfcf38a980716075ea509b0e46 100644 (file)
@@ -192,14 +192,17 @@ static int fanotify_handle_event(struct fsnotify_group *group,
 
        ret = fsnotify_add_notify_event(group, fsn_event, fanotify_merge);
        if (ret) {
+               BUG_ON(mask & FAN_ALL_PERM_EVENTS);
                /* Our event wasn't used in the end. Free it. */
                fsnotify_destroy_event(group, fsn_event);
                ret = 0;
        }
 
 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
-       if (mask & FAN_ALL_PERM_EVENTS)
+       if (mask & FAN_ALL_PERM_EVENTS) {
                ret = fanotify_get_response_from_access(group, event);
+               fsnotify_destroy_event(group, fsn_event);
+       }
 #endif
        return ret;
 }
index 0e90174a116a2c337f77af9e11760f1c21e00e43..32a2f034fb94b5915d1e8362ecbac21f362653fb 100644 (file)
@@ -4,6 +4,13 @@
 
 extern struct kmem_cache *fanotify_event_cachep;
 
+/*
+ * Lifetime of the structure differs for normal and permission events. In both
+ * cases the structure is allocated in fanotify_handle_event(). For normal
+ * events the structure is freed immediately after reporting it to userspace.
+ * For permission events we free it only after we receive response from
+ * userspace.
+ */
 struct fanotify_event_info {
        struct fsnotify_event fse;
        /*
index 1fd66abe574003cce8766e4533c1c42b27de4aff..b6175fa11bf856809d1ee6a43ee9b861980e9160 100644 (file)
@@ -319,7 +319,12 @@ static ssize_t fanotify_read(struct file *file, char __user *buf,
                        if (IS_ERR(kevent))
                                break;
                        ret = copy_event_to_user(group, kevent, buf);
-                       fsnotify_destroy_event(group, kevent);
+                       /*
+                        * Permission events get destroyed after we
+                        * receive response
+                        */
+                       if (!(kevent->mask & FAN_ALL_PERM_EVENTS))
+                               fsnotify_destroy_event(group, kevent);
                        if (ret < 0)
                                break;
                        buf += ret;