Message ID | tencent_7FAE8DB725EE0DD69236DDABDDDE195E4F07@qq.com (mailing list archive)
---|---
State | New
Series | fs/pidfs: when time ns disabled add check for ioctl
On Sun, Jul 21, 2024 at 02:23:12PM +0800, Edward Adam Davis wrote:
> syzbot calls pidfd_ioctl() with cmd "PIDFD_GET_TIME_NAMESPACE" and disabled
> CONFIG_TIME_NS; since time_ns is NULL, it will make a NULL pointer deref in
> open_namespace.

What about PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE?
On Sun, Jul 21, 2024 at 02:23:12PM GMT, Edward Adam Davis wrote:
> syzbot calls pidfd_ioctl() with cmd "PIDFD_GET_TIME_NAMESPACE" and disabled
> CONFIG_TIME_NS; since time_ns is NULL, it will make a NULL pointer deref in
> open_namespace.
>
> Reported-and-tested-by: syzbot+34a0ee986f61f15da35d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=34a0ee986f61f15da35d
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---

Hm, nsproxy is really messy in that regard. Some namespaces will always be set to init_<type>_ns and others will be set to NULL. That's an invitation for bugs such as this. Imho the correct fix is to change nsproxy to always set nsp-><type>_ns to init_<type>_ns, and then no code ever needs to worry about dereferencing NULL. But that'll require more changes, so this seems an appropriate fix for now.
diff --git a/fs/pidfs.c b/fs/pidfs.c index c9cb14181def..fe0ddab48f57 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -168,6 +168,8 @@ static long pidfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg) case PIDFD_GET_TIME_NAMESPACE: get_time_ns(nsp->time_ns); ns_common = to_ns_common(nsp->time_ns); + if (!nsp->time_ns) + return -EINVAL; break; case PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE: get_time_ns(nsp->time_ns_for_children);
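Review bot: the new NULL check sits after `get_time_ns(nsp->time_ns);` and `ns_common = to_ns_common(nsp->time_ns);` have already been handed the pointer, so it only protects the later open_namespace() call; move `if (!nsp->time_ns) return -EINVAL;` to the top of the `case PIDFD_GET_TIME_NAMESPACE:` arm, before those two calls, so that a NULL time_ns is rejected before anything touches it. The trailing context also shows `case PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE:` calling `get_time_ns(nsp->time_ns_for_children);` with no equivalent guard; if that pointer is NULL under the same CONFIG_TIME_NS=n configuration, which is the question the first reply in this thread raises, that arm needs the same check, and it would be worth a line in the commit message saying why only one of the two cases is fixed.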
syzbot calls pidfd_ioctl() with cmd "PIDFD_GET_TIME_NAMESPACE" and disabled CONFIG_TIME_NS; since time_ns is NULL, it will make a NULL pointer deref in open_namespace.

Reported-and-tested-by: syzbot+34a0ee986f61f15da35d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=34a0ee986f61f15da35d
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/pidfs.c | 2 ++
 1 file changed, 2 insertions(+)