From: Christian Brauner brauner@kernel.org
[ Upstream commit f8527a29f4619f74bc30a9845ea87abb9a6faa1e ]
Validate extensible ioctls stricter than we do now.
Reviewed-by: Jan Kara jack@suse.cz
Signed-off-by: Christian Brauner brauner@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
Based on my comprehensive analysis of this commit and its context, here is my assessment:
## **Backport Status: YES**
### **Detailed Analysis**
#### **Nature of the Change**
This commit fixes a **security bug** in the namespace filesystem (nsfs) ioctl validation code. The bug was a tautological comparison `(_IOC_TYPE(cmd) == _IOC_TYPE(cmd))` that always evaluated to true, providing **zero actual validation** for extensible ioctls.
**Specific code changes (fs/nsfs.c:154-178):**
- Lines 171-174: For `NS_MNT_GET_INFO`, `NS_MNT_GET_NEXT`, and `NS_MNT_GET_PREV` ioctls
  - **Before**: `return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd));` — meaningless tautology
  - **After**: `return extensible_ioctl_valid(cmd, NS_MNT_GET_*, MNT_NS_INFO_SIZE_VER0);` — proper validation

The `extensible_ioctl_valid()` helper validates:
1. `_IOC_DIR` (direction: read/write)
2. `_IOC_TYPE` (ioctl type matches expected)
3. `_IOC_NR` (ioctl number matches expected)
4. `_IOC_SIZE` (size is at least the minimum required)
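To make the before/after difference concrete, here is an added user-space C model of the check (not the kernel's code and not part of this patch or the explanation above). The `_IOC_*` macros mirror the bit layout of the kernel's asm-generic ioctl encoding; `NSIO`, `struct mnt_ns_info` and the `NS_MNT_GET_*` numbers are my recollection of `include/uapi/linux/nsfs.h` and are assumptions to verify against your tree; `extensible_ioctl_valid()` implements the four checks listed above as a model, not a copy, of the `include/linux/fs.h` helper. The `CMD_*` inputs are constructed for the demonstration.

```c
/* Added example: user-space model of the nsfs ioctl validation, before and
 * after the fix. Not kernel code; see the lead-in for what is assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* asm-generic ioctl encoding (assumed layout): nr:8 | type:8 | size:14 | dir:2 */
#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT 8
#define _IOC_SIZESHIFT 16
#define _IOC_DIRSHIFT  30
#define _IOC_NONE  0U
#define _IOC_WRITE 1U
#define _IOC_READ  2U
#define _IOC(dir, type, nr, size) \
    ((unsigned int)(((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
                    ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT)))
#define _IOC_DIR(cmd)  (((cmd) >> _IOC_DIRSHIFT) & 3U)
#define _IOC_TYPE(cmd) (((cmd) >> _IOC_TYPESHIFT) & 0xffU)
#define _IOC_NR(cmd)   (((cmd) >> _IOC_NRSHIFT) & 0xffU)
#define _IOC_SIZE(cmd) (((cmd) >> _IOC_SIZESHIFT) & 0x3fffU)
#define _IOR(type, nr, size) _IOC(_IOC_READ, (type), (nr), (size))
#define _IOW(type, nr, size) _IOC(_IOC_WRITE, (type), (nr), (size))

/* nsfs uapi values as I recall them (assumption: check include/uapi/linux/nsfs.h) */
struct mnt_ns_info {
    uint32_t size;
    uint32_t nr_mounts;
    uint64_t mnt_ns_id;
};
#define NSIO 0xb7
#define MNT_NS_INFO_SIZE_VER0 16U
#define NS_MNT_GET_INFO _IOR(NSIO, 10, sizeof(struct mnt_ns_info))
#define NS_MNT_GET_NEXT _IOR(NSIO, 11, sizeof(struct mnt_ns_info))
#define NS_MNT_GET_PREV _IOR(NSIO, 12, sizeof(struct mnt_ns_info))

/* Constructed inputs for the demonstration (not real uapi values). */
#define CMD_UNDERSIZED _IOR(NSIO, 10, 8)                           /* size below VER0 */
#define CMD_WRONG_DIR  _IOW(NSIO, 10, sizeof(struct mnt_ns_info))  /* write instead of read */
#define CMD_WRONG_TYPE _IOR(0x00, 10, sizeof(struct mnt_ns_info))  /* foreign ioctl type */
#define CMD_V1_SIZE    _IOR(NSIO, 10, 24)                          /* larger, later version */
#define CMD_UNKNOWN_NR _IOR(NSIO, 99, sizeof(struct mnt_ns_info))  /* not an nsfs number */

/* Before the fix: the switch matches on the number only, and the body compares
 * the command's type with itself, so every command reaching a case is accepted. */
static bool nsfs_ioctl_valid_before(unsigned int cmd)
{
    switch (_IOC_NR(cmd)) {
    case _IOC_NR(NS_MNT_GET_INFO):
    case _IOC_NR(NS_MNT_GET_NEXT):
    case _IOC_NR(NS_MNT_GET_PREV):
        return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd)); /* tautology: always true */
    }
    return false;
}

/* Model of the helper: direction, type and number must match the canonical
 * command, and the size must be at least the version-0 struct size. Larger
 * sizes are allowed so newer userspace structs remain accepted. */
static bool extensible_ioctl_valid(unsigned int cmd_a, unsigned int cmd_b, size_t min_size)
{
    if (_IOC_DIR(cmd_a) != _IOC_DIR(cmd_b))
        return false;
    if (_IOC_TYPE(cmd_a) != _IOC_TYPE(cmd_b))
        return false;
    if (_IOC_NR(cmd_a) != _IOC_NR(cmd_b))
        return false;
    if (_IOC_SIZE(cmd_a) < min_size)
        return false;
    return true;
}

/* After the fix: each case validates against its own canonical command. */
static bool nsfs_ioctl_valid_after(unsigned int cmd)
{
    switch (_IOC_NR(cmd)) {
    case _IOC_NR(NS_MNT_GET_INFO):
        return extensible_ioctl_valid(cmd, NS_MNT_GET_INFO, MNT_NS_INFO_SIZE_VER0);
    case _IOC_NR(NS_MNT_GET_NEXT):
        return extensible_ioctl_valid(cmd, NS_MNT_GET_NEXT, MNT_NS_INFO_SIZE_VER0);
    case _IOC_NR(NS_MNT_GET_PREV):
        return extensible_ioctl_valid(cmd, NS_MNT_GET_PREV, MNT_NS_INFO_SIZE_VER0);
    }
    return false;
}

/* How many of the constructed malformed commands the old check let through
 * and the new check rejects. */
static int count_bypasses_closed(void)
{
    const unsigned int bad[] = { CMD_UNDERSIZED, CMD_WRONG_DIR, CMD_WRONG_TYPE };
    int n = 0;
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (nsfs_ioctl_valid_before(bad[i]) && !nsfs_ioctl_valid_after(bad[i]))
            n++;
    return n;
}

int main(void)
{
    const struct { const char *name; unsigned int cmd; } cases[] = {
        { "NS_MNT_GET_INFO", NS_MNT_GET_INFO }, { "CMD_UNDERSIZED", CMD_UNDERSIZED },
        { "CMD_WRONG_DIR", CMD_WRONG_DIR },     { "CMD_WRONG_TYPE", CMD_WRONG_TYPE },
        { "CMD_V1_SIZE", CMD_V1_SIZE },         { "CMD_UNKNOWN_NR", CMD_UNKNOWN_NR },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s before=%d after=%d\n", cases[i].name,
               nsfs_ioctl_valid_before(cases[i].cmd), nsfs_ioctl_valid_after(cases[i].cmd));
    return 0;
}
```

Run it and compare the two columns: the undersized, wrong-direction and wrong-type commands are the ones the tautology waved through, while the larger `CMD_V1_SIZE` is still accepted after the fix, which is the point of an extensible ioctl.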
#### **Bug History and Context**
1. **Introduced**: Commit 7fd511f8c911ab (Feb 19, 2025) added ioctl validation but accidentally introduced the tautological bug
2. **Fixed in two parts**:
   - Commit 6805ac4900ab2: Fixed regular ioctls (changed to `return true`)
   - **This commit (197003b7aea34)**: Fixed extensible ioctls with proper validation
3. **Related fix**: Commit 8c6627fbfe7c1 fixed the same issue in pidfs and added the `extensible_ioctl_valid()` helper
#### **Security Impact Assessment**
**Severity: MEDIUM-HIGH**
1. **Validation Bypass**: Malformed ioctl commands would be accepted, allowing:
   - Buffer size mismatches (too small → information disclosure; too large → buffer overflow potential)
   - Wrong direction flags (read/write confusion)
   - Type confusion attacks
2. **Attack Surface**: The affected ioctls handle **mount namespace traversal**:
   - `NS_MNT_GET_INFO`: Get namespace information
   - `NS_MNT_GET_NEXT/PREV`: Traverse namespace hierarchy

   These are critical for **container isolation** security boundaries.
3. **Exploitation Scenarios**:
   - Container escape through namespace boundary violations
   - Information disclosure about host/other containers
   - Privilege escalation through namespace manipulation
   - Stack/kernel memory leaks via undersized buffers
4. **Affected Users**:
   - **Critical risk**: Multi-tenant container platforms (Kubernetes, Docker, cloud environments)
   - **High risk**: Any system using Linux namespaces for isolation
   - **Medium risk**: Desktop systems using containerized applications (Flatpak, Snap, systemd services)
#### **Why This Should Be Backported**
**Meets all stable kernel criteria:**
1. ✅ **Important bugfix**: Fixes validation bypass in security-critical code
2. ✅ **Minimal code change**: Only 3 lines changed, replacing broken check with proper validation
3. ✅ **Low regression risk**: Adds stricter validation (might reject invalid calls that previously passed, but those were bugs anyway)
4. ✅ **Confined to subsystem**: Changes only affect nsfs ioctl validation
5. ✅ **Security hardening**: Prevents potential container escapes and privilege escalation
6. ✅ **Already selected for stable**: This commit has `Signed-off-by: Sasha Levin sashal@kernel.org`, indicating it's already been backported to stable trees
**Additional factors:**
- **No architectural changes**: Pure bugfix with no feature additions
- **Clear security benefit**: Restores intended validation behavior
- **Widely deployed**: Namespaces are fundamental to modern Linux (containers are ubiquitous)
- **Part of security series**: Related to systematic validation hardening across kernel
- **Reviewed by maintainers**: Jan Kara reviewed, Christian Brauner (VFS maintainer) authored
#### **Backporting Considerations**
**Dependency**: This commit requires `extensible_ioctl_valid()` to be present in `include/linux/fs.h` (added in commit 8c6627fbfe7c1 "pidfs: validate extensible ioctls"). Both commits should be backported together or in order.
**Risk of NOT backporting**: Container environments remain vulnerable to validation bypass attacks, potentially allowing namespace isolation violations and container escapes in multi-tenant environments.
### **Conclusion**
This is a clear **YES for backporting**. It fixes an actual security bug that affects the validation of ioctl commands controlling namespace operations—a fundamental security boundary in modern Linux. The fix is minimal, well-contained, low-risk, and addresses a real vulnerability in container isolation mechanisms that are widely deployed across the Linux ecosystem.
 fs/nsfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nsfs.c b/fs/nsfs.c index 59aa801347a7d..34f0b35d3ead7 100644 --- a/fs/nsfs.c +++ b/fs/nsfs.c @@ -169,9 +169,11 @@ static bool nsfs_ioctl_valid(unsigned int cmd) /* Extensible ioctls require some extra handling. */ switch (_IOC_NR(cmd)) { case _IOC_NR(NS_MNT_GET_INFO): + return extensible_ioctl_valid(cmd, NS_MNT_GET_INFO, MNT_NS_INFO_SIZE_VER0); case _IOC_NR(NS_MNT_GET_NEXT): + return extensible_ioctl_valid(cmd, NS_MNT_GET_NEXT, MNT_NS_INFO_SIZE_VER0); case _IOC_NR(NS_MNT_GET_PREV): - return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd)); + return extensible_ioctl_valid(cmd, NS_MNT_GET_PREV, MNT_NS_INFO_SIZE_VER0); }
return false;
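Review bot: the hunk calls extensible_ioctl_valid(), which this patch does not add; as the explanation above notes, the helper lives in include/linux/fs.h and arrived with commit 8c6627fbfe7c1 ("pidfs: validate extensible ioctls"), so a stable tree must carry that commit first or fs/nsfs.c will not compile. Behaviourally the change is what the commit message promises: the removed `return (_IOC_TYPE(cmd) == _IOC_TYPE(cmd));` was always true, so any command whose low 8 bits matched one of the three NS_MNT_GET_* numbers was accepted regardless of direction, type or size, while the three per-case returns now check all of those and reject a command whose _IOC_SIZE is below MNT_NS_INFO_SIZE_VER0. Splitting the former fallthrough into one return per case is necessary, not a style nit, because each case has to pass its own canonical command as the reference.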