From: Dan Carpenter dan.carpenter@oracle.com
commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream.
This code calls fd_install() which gives the userspace access to the fd. Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but that will not release it and leads to a stale entry in the file descriptor table.
Generally you can't trust the fd after a call to fd_install(). The fix is to delay the fd_install() until everything else has succeeded.
Fortunately it requires CAP_SYS_ADMIN to reach this code so the security impact is less.
Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up") Link: https://lore.kernel.org/r/20220128195656.GA26981@kili Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Mathias Krause minipli@grsecurity.net Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/notify/fanotify/fanotify_user.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c @@ -656,9 +656,6 @@ static ssize_t copy_event_to_user(struct if (fanotify_is_perm_event(event->mask)) FANOTIFY_PERM(event)->fd = fd;
- if (f) - fd_install(fd, f); - if (info_mode) { ret = copy_info_records_to_user(event, info, info_mode, pidfd, buf, count); @@ -666,6 +663,9 @@ static ssize_t copy_event_to_user(struct goto out_close_fd; }
+ if (f) + fd_install(fd, f); + return metadata.event_len;
out_close_fd: