android_kernel_samsung_msm8976/fs
YueHaibing 7f01560885 fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
commit 23da9588037ecdd4901db76a5b79a42b529c4ec3 upstream.

Syzkaller reports:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
RSP: 0018:ffff8881d828f238 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
FS:  00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
 get_subdir fs/proc/proc_sysctl.c:1022 [inline]
 __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
 br_netfilter_init+0xbc/0x1000 [br_netfilter]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 770020de38961fd0 ]---

A new dir entry can be created in get_subdir, and its 'header->parent' is
set to NULL.  Only after insert_header succeeds is it set to 'dir';
otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
However, in the error-handling path of get_subdir, drop_sysctl_table is also
called on 'new->header' regardless of the value of its parent pointer.  Then
put_links is called, which triggers a NULL-ptr deref when accessing a member
of header->parent.

In fact we have multiple error paths which call drop_sysctl_table() there;
upon failure on insert_links() we also call drop_sysctl_table().  And even
in the successful case on __register_sysctl_table() we still always call
drop_sysctl_table().  This patch fixes it.

Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
Fixes: 0e47c99d7f ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>    [3.4+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 22:09:00 +02:00
9p Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
adfs
affs
afs
autofs4
befs
bfs
btrfs Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
cachefiles cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) 2019-07-27 21:52:39 +02:00
ceph
cifs This is the 3.10.102 stable release 2017-04-18 17:22:08 +02:00
coda
configfs
cramfs
crypto fscrypt: remove broken support for detecting keyring key revocation 2019-07-27 21:51:53 +02:00
debugfs BACKPORT: dentry name snapshots 2017-12-22 20:25:56 +00:00
devpts This is the 3.10.98 stable release 2017-04-18 17:17:24 +02:00
dlm
ecryptfs eCryptfs: use after free in ecryptfs_release_messaging() 2019-07-27 21:51:50 +02:00
efivarfs efi: Make efivarfs entries immutable by default 2016-03-16 08:41:37 -07:00
efs
exfat Import latest Samsung release 2017-04-18 03:43:52 +02:00
exofs
exportfs
ext2 it's still short a few helpers, but infrastructure should be OK now... 2018-12-03 11:52:03 +01:00
ext3 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
ext4 ext4: fix data corruption caused by unaligned direct AIO 2019-07-27 22:08:54 +02:00
f2fs f2fs: move dir data flush to write checkpoint process 2019-07-27 22:06:03 +02:00
fat fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() 2019-07-27 21:52:38 +02:00
freevxfs
fscache FS-Cache: fix dereference of NULL user_key_payload 2019-07-27 21:44:20 +02:00
fuse fuse: handle zero sized retrieve correctly 2019-07-27 22:06:05 +02:00
gfs2 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
hfs Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hfsplus Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hostfs uml: fix hostfs mknod() 2016-03-03 15:06:23 -08:00
hpfs Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hppfs
hugetlbfs mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
isofs isofs: fix timestamps beyond 2027 2019-07-27 21:46:04 +02:00
jbd
jbd2 jbd2: if the journal is aborted then don't allow update of the log tail 2019-07-27 21:52:00 +02:00
jffs2 Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
jfs posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
lockd lockd: create NSM handles per net namespace 2016-03-03 15:06:20 -08:00
logfs
minix it's still short a few helpers, but infrastructure should be OK now... 2018-12-03 11:52:03 +01:00
ncpfs
nfs This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
nfs_common
nfsd nfsd: auth: Fix gid sorting when rootsquash enabled 2019-07-27 21:46:18 +02:00
nilfs2
nls
notify fanotify: fix logic of events on child 2019-07-27 21:52:17 +02:00
ntfs
ocfs2 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
omfs
openpromfs
proc fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links 2019-07-27 22:09:00 +02:00
pstore pstore/ram: Do not treat empty buffers as valid 2019-07-27 21:53:37 +02:00
qnx4
qnx6
quota
ramfs
reiserfs posix_acl: Clear SGID bit when setting file permissions 2017-04-28 00:00:11 -07:00
romfs
sdcardfs ANDROID: sdcardfs: Add option to not link obb 2019-07-27 21:53:28 +02:00
sdfat sdfat: Capitalize config options 2019-07-27 22:08:28 +02:00
squashfs
sysfs Import latest Samsung release 2017-04-18 03:43:52 +02:00
sysv This is the 3.10.97 stable release 2017-04-18 17:17:20 +02:00
ubifs
udf This is the 3.10.98 stable release 2017-04-18 17:17:24 +02:00
ufs
xfs posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
yaffs2
aio.c fix io_destroy()/aio_complete() race 2019-07-27 21:49:38 +02:00
anon_inodes.c
attr.c vfs: Add setattr2 for filesystems with per mount permissions 2018-02-06 13:12:20 +01:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c binfmt_elf: Respect error return from `regset->active' 2019-07-27 21:51:40 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2019-07-27 21:52:50 +02:00
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c more bio_map_user_iov() leak fixes 2019-07-27 21:45:37 +02:00
block_dev.c block: protect iterate_bdevs() against concurrent close 2019-07-27 21:42:54 +02:00
buffer.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c
coredump.c coredump: fix unfreezable coredumping task 2019-07-27 21:42:15 +02:00
coredump.h
dcache.c fs: take_dentry_name_snapshot: avoid kfree under spinlock fixup 2019-07-27 21:45:27 +02:00
dcookies.c
direct-io.c direct-io: Prevent NULL pointer access in submit_page_section 2019-07-27 21:44:19 +02:00
drop_caches.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
eventfd.c
eventpoll.c fs/epoll: drop ovflist branch prediction 2019-07-27 22:06:04 +02:00
exec.c allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
fcntl.c vfs: add missing check for __O_TMPFILE in fcntl_init() 2018-12-03 11:52:41 +01:00
fhandle.c
file.c
file_table.c
filesystems.c
fs-writeback.c bdi: Fix oops in wb_workfn() 2019-07-27 21:52:12 +02:00
fs_struct.c sdcardfs: override umask on mkdir and create 2018-02-06 13:12:18 +01:00
generic_acl.c tmpfs: clear S_ISGID when setting posix ACLs 2017-04-22 23:02:57 +02:00
inode.c Fix up non-directory creation in SGID directories 2019-07-27 21:51:41 +02:00
internal.h allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
ioctl.c
ioprio.c block: fix use-after-free in sys_ioprio_get() 2016-11-19 20:01:20 -08:00
Kconfig Initial port of sdcardfs 2018-02-06 13:12:17 +01:00
Kconfig.binfmt
libfs.c
locks.c locks: fix locks_mandatory_locked to respect file-private locks 2019-07-27 22:08:10 +02:00
Makefile Initial port of sdcardfs 2018-02-06 13:12:17 +01:00
mbcache.c
mount.h
mpage.c
namei.c allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
namespace.c Don't leak MNT_INTERNAL away from internal mounts 2019-07-27 21:52:13 +02:00
no-block.c
open.c allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
pipe.c pipe: read buffer limits atomically 2019-07-27 21:49:46 +02:00
pnode.c BACKPORT: smarter propagate_mnt() 2019-07-27 21:51:52 +02:00
pnode.h BACKPORT: smarter propagate_mnt() 2019-07-27 21:51:52 +02:00
posix_acl.c posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
proc_namespace.c vfs: Allow filesystems to access their private mount data 2018-02-06 13:12:19 +01:00
read_write.c
readdir.c fs: readdir: Fix su hide patch for non-iterate filesystems 2017-07-14 21:04:43 +02:00
select.c
seq_file.c Make file credentials available to the seqfile interfaces 2019-07-27 22:05:58 +02:00
signalfd.c
splice.c vfs: fix uninitialized flags in splice_to_pipe() 2019-07-27 21:43:53 +02:00
stack.c
stat.c
statfs.c
super.c vfs: Allow filesystems to access their private mount data 2018-02-06 13:12:19 +01:00
sync.c Import T813XXS2BRC2 kernel source changes 2018-05-26 00:39:42 +02:00
timerfd.c timerfd: Protect the might cancel mechanism proper 2017-11-08 05:33:07 -08:00
utimes.c vfs: Add setattr2 for filesystems with per mount permissions 2018-02-06 13:12:20 +01:00
xattr.c getxattr: use correct xattr length 2019-07-27 21:51:26 +02:00
xattr_acl.c