linux/fs/notify
Dan Carpenter 60765e43e4 fanotify: Fix stale file descriptor in copy_event_to_user()
commit ee12595147 upstream.

This code calls fd_install() which gives the userspace access to the fd.
Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but
that will not release it and leads to a stale entry in the file
descriptor table.

Generally you can't trust the fd after a call to fd_install().  The fix
is to delay the fd_install() until everything else has succeeded.

Fortunately it requires CAP_SYS_ADMIN to reach this code so the security
impact is less.

Fixes: f644bc449b ("fanotify: fix copy_event_to_user() fid error clean up")
Link: https://lore.kernel.org/r/20220128195656.GA26981@kili
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-05 12:38:59 +01:00
dnotify 2020-12-17 10:56:27 -08:00
fanotify fanotify: Fix stale file descriptor in copy_event_to_user() 2022-02-05 12:38:59 +01:00
inotify ucounts: add missing data type changes 2021-08-09 15:45:02 -05:00
fdinfo.c fanotify: fix permission model of unprivileged group 2021-05-25 12:21:14 +02:00
fdinfo.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fsnotify.c fsnotify: count all objects with attached connectors 2021-08-11 13:50:48 +02:00
fsnotify.h fsnotify: count all objects with attached connectors 2021-08-11 13:50:48 +02:00
group.c fanotify: configurable limits via sysfs 2021-03-16 16:49:31 +01:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mark.c fsnotify: fix sb_connectors leak 2021-09-10 09:46:48 -07:00
notification.c fsnotify: use hash table for faster events merge 2021-03-16 16:37:51 +01:00