Re: KASAN: use-after-free Read in sock_release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 30, 2017 at 05:18:33AM -0800, Christoph Hellwig wrote:
> On Thu, Nov 30, 2017 at 02:07:19AM +0000, Al Viro wrote:
> > Incidentally, grepping for sys_close() shows another piece of fun in
> > net/netfilter/xt_bpf.c.  Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S
> > IT; THERE'S NO REMOVING IT ON FAILURE EXITS.  sys_close() should
> > never, ever be used that way.  Sigh...
> 
> Would be great do unexport the thing.  Except that we also have
> binfmt_misc (which looks legit) and autofs4, which on crack decided
> that close() isn't a fun syscall, they'd much rather have an ioctl
> that does exactly the same..

Yes, since binfmt_misc one is guaranteed that its descriptor table is
not shared - all callchains go through do_execveat_common(), where we'd
use unshare_files().  autofs one is... not in good taste, but still
safe; there the descriptor is preexisting and it's essentially a weird
way of spelling close(2).  References from syscall tables are, of course,
OK.  init/*.c uses are done pretty much from userland - they could have
been straight syscalls, if not for the lack of klibc in kernel tree.
Everything else, though...

IMO we need a whack-a-mole list somewhere; "new callers of sys_close()
anywhere outside of init/* and syscall tables" definitely should be
on it...



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux