Re: NULL pointer deref in put_fs_context with unprivileged LXC

On Tue, Nov 05, 2019 at 09:58:30PM +0100, Thibaut Sautereau wrote:

> > > 	BUG: kernel NULL pointer dereference, address: 0000000000000043

ERR_PTR(something)->d_sb, most likely.

> > > 	493		if (fc->root) {
> > > 	494			sb = fc->root->d_sb;
> > > 	495			dput(fc->root);
> > > 	496			fc->root = NULL;
> > > 	497			deactivate_super(sb);
> > > 	498		}

> 	fs_context: DEBUG: fc->root = fffffffffffffff3
> 	fs_context: DEBUG: fc->source = cgroup2

Yup.  That'd be ERR_PTR(-13), i.e. ERR_PTR(-EACCES).  Most likely
from
                nsdentry = kernfs_node_dentry(cgrp->kn, sb);
                dput(fc->root);
                fc->root = nsdentry;
                if (IS_ERR(nsdentry)) {
                        ret = PTR_ERR(nsdentry);
                        deactivate_locked_super(sb);
                }

in cgroup_do_get_tree().  As a quick test, try to add fc->root = NULL;
next to that deactivate_locked_super(sb); inside the if (IS_ERR(...))
body and see if it helps; it's not the best way to fix it (I'd rather
go for
                if (IS_ERR(nsdentry)) {
                        ret = PTR_ERR(nsdentry);
                        deactivate_locked_super(sb);
                        nsdentry = NULL;
                }
                fc->root = nsdentry;
), but it would serve to verify that this is the source of that crap.
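Added example, not code from this thread or from the kernel tree: user-space mirrors of the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers, the arithmetic that turns the oops address and the logged fc->root value into the accessed offset, and the two shapes of the cgroup_do_get_tree() error path side by side, driven through a one-field stand-in for struct fs_context and a check that mimics put_fs_context()'s NULL-only guard. The struct stand-in and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ERRNO 4095   /* top 4095 addresses carry -errno, as in linux/err.h */

/* User-space copies of the kernel's error-pointer helpers. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

/* Oops triage: fault address minus the bogus pointer, mod 2^64, is the offset
 * of the field that was read (0x43 - 0xfffffffffffffff3 wraps to 0x50 here). */
static uint64_t field_offset_from_fault(uint64_t fault_addr, uint64_t bad_ptr)
{
	return fault_addr - bad_ptr;
}

/* Stand-in for the kernel's struct fs_context (constructed, one field only). */
struct fs_context { void *root; };

/* Error path of cgroup_do_get_tree() as quoted in the thread: the ERR_PTR
 * is stored in fc->root and survives into put_fs_context(). */
static int set_root_buggy(struct fs_context *fc, void *nsdentry)
{
	fc->root = nsdentry;
	return IS_ERR(nsdentry) ? (int)PTR_ERR(nsdentry) : 0;
}

/* The shape proposed in the reply: clear nsdentry before storing it. */
static int set_root_fixed(struct fs_context *fc, void *nsdentry)
{
	int ret = 0;
	if (IS_ERR(nsdentry)) {
		ret = (int)PTR_ERR(nsdentry);
		nsdentry = NULL;
	}
	fc->root = nsdentry;
	return ret;
}

/* put_fs_context() checks fc->root only against NULL, so a leftover ERR_PTR
 * gets dereferenced; report whether the chosen error path leaves one behind. */
static bool error_path_crashes(bool use_fix)
{
	struct fs_context fc = { .root = NULL };
	void *bad = ERR_PTR(-EACCES);   /* the 0xfffffffffffffff3 seen in the log */
	int ret = use_fix ? set_root_fixed(&fc, bad) : set_root_buggy(&fc, bad);
	return ret == -EACCES && fc.root != NULL;
}
```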
