Headline
CVE-2021-4083: git/torvalds/linux.git - Linux kernel source tree
A read-after-free memory flaw was found in the Linux kernel’s garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4.
author
Linus Torvalds [email protected]
2021-12-01 10:06:14 -0800
committer
Linus Torvalds [email protected]
2021-12-03 10:06:58 -0800
commit
054aa8d439b9185d4f5eb9a90282d1ce74772969 (patch)
tree
b1ee875baaf4ebe45939d4fdbef6dda8e9954aed
parent
5f58da2befa58edf3a70b91ed87ed9bf77f1e70e (diff)
download
linux-054aa8d439b9.tar.gz
fget: check that the fd still exists after getting a ref to it
Jann Horn points out that there is another possible race wrt Unix domain socket garbage collection, somewhat reminiscent of the one fixed in commit cbcf01128d0a (“af_unix: fix garbage collect vs MSG_PEEK”). See the extended comment about the garbage collection requirements added to unix_peek_fds() by that commit for details. The race comes from how we can locklessly look up a file descriptor just as it is in the process of being closed, and with the right artificial timing (Jann added a few strategic 'mdelay(500)' calls to do that), the Unix domain socket garbage collector could see the reference count decrement of the close() happen before fget() took its reference to the file and the file was attached onto a new file descriptor. This is all (intentionally) correct on the ‘struct file *’ side, with RCU lookups and lockless reference counting very much part of the design. Getting that reference count out of order isn’t a problem per se. But the garbage collector can get confused by seeing this situation of having seen a file not having any remaining external references and then seeing it being attached to an fd. In commit cbcf01128d0a (“af_unix: fix garbage collect vs MSG_PEEK”) the fix was to serialize the file descriptor install with the garbage collector by taking and releasing the unix_gc_lock. That’s not really an option here, but since this all happens when we are in the process of looking up a file descriptor, we can instead simply just re-check that the file hasn’t been closed in the meantime, and just re-do the lookup if we raced with a concurrent close() of the same file descriptor. Reported-and-tested-by: Jann Horn [email protected] Acked-by: Miklos Szeredi [email protected] Signed-off-by: Linus Torvalds [email protected]
-rw-r–r--
fs/file.c
4
1 files changed, 4 insertions, 0 deletions
diff --git a/fs/file.c b/fs/file.c
index 8627dacfc4246…ad4a8bf3cf109 100644
— a/fs/file.c
+++ b/fs/file.c
@@ -858,6 +858,10 @@ loop:
file = NULL;
else if (!get_file_rcu_many(file, refs))
goto loop;
+ else if (files_lookup_fd_raw(files, fd) != file) {
+ fput_many(file, refs);
+ goto loop;
+ }
}
rcu_read_unlock();