authorJens Axboe <axboe@kernel.dk>2021-02-12 14:02:54 -0700
committerJens Axboe <axboe@kernel.dk>2021-02-12 14:02:54 -0700
commite06aa2e94f0532d04bad7713eb7c6a32ab9ba674 (patch)
tree0be1f9d825fd7ce8ad50ad1d81bb90179249064e
parent5be9ad1e4287e1742fd8d253267c86446441bdaf (diff)
io-wq: clear out worker ->fs and ->files
By default, kernel threads have init_fs and init_files assigned. In the past, this has triggered security problems, as commands that don't ask for (and hence don't get assigned) fs/files from the originating task can then attempt path resolution etc. with access to parts of the system they should not be able to reach. Rather than add checks in the fs code for misuse, just set these to NULL. If we do attempt to use them, then the resulting code will oops rather than provide access to something that it should not permit. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-rw-r--r--fs/io-wq.c14
1 files changed, 6 insertions, 8 deletions
diff --git a/fs/io-wq.c b/fs/io-wq.c
index 63ef195b1acb..c36bbcd823ce 100644
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -64,9 +64,7 @@ struct io_worker {
#endif
const struct cred *cur_creds;
const struct cred *saved_creds;
- struct files_struct *restore_files;
struct nsproxy *restore_nsproxy;
- struct fs_struct *restore_fs;
};
#if BITS_PER_LONG == 64
@@ -156,19 +154,19 @@ static bool __io_worker_unuse(struct io_wqe *wqe, struct io_worker *worker)
worker->cur_creds = worker->saved_creds = NULL;
}
- if (current->files != worker->restore_files) {
+ if (current->files) {
__acquire(&wqe->lock);
raw_spin_unlock_irq(&wqe->lock);
dropped_lock = true;
task_lock(current);
- current->files = worker->restore_files;
+ current->files = NULL;
current->nsproxy = worker->restore_nsproxy;
task_unlock(current);
}
- if (current->fs != worker->restore_fs)
- current->fs = worker->restore_fs;
+ if (current->fs)
+ current->fs = NULL;
/*
* If we have an active mm, we need to drop the wq lock before unusing
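Review bot: The new `current->fs = NULL;` store at the end of this hunk is still made outside `task_lock(current)`, while the `current->files = NULL;` store a few lines above it sits inside the locked region, so the two pointers this commit wants to clear together are not published with the same guarantee. Code that inspects another task's fs pointer (the procfs cwd/root lookups, as far as I recall) reads it under task_lock, so an unlocked store can in principle be observed mid-update; the asymmetry pre-dates the commit, since the old `restore_fs` store was unlocked too. Moving the store into the locked block, `current->files = NULL; current->fs = NULL; current->nsproxy = worker->restore_nsproxy;`, would make the two clears consistent, or a comment should record why fs needs no lock here. The same unlocked fs store appears in io_worker_start in the next hunk. `__io_worker_unuse` begins and ends outside this hunk.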
@@ -329,11 +327,11 @@ static void io_worker_start(struct io_wqe *wqe, struct io_worker *worker)
allow_kernel_signal(SIGINT);
current->flags |= PF_IO_WORKER;
+ current->fs = NULL;
+ current->files = NULL;
worker->flags |= (IO_WORKER_F_UP | IO_WORKER_F_RUNNING);
- worker->restore_files = current->files;
worker->restore_nsproxy = current->nsproxy;
- worker->restore_fs = current->fs;
io_wqe_inc_running(wqe, worker);
}
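Review bot: The two added stores `current->fs = NULL;` and `current->files = NULL;` overwrite the pointers the worker thread inherited at creation without a matching release (`exit_fs()` / `put_files_struct()`), so whatever reference was taken on those objects when the kthread was forked is presumably never returned. This only works because, as the description says, kernel threads start out with the static `init_fs`/`init_files`, which are never freed; that assumption is invisible at the call site and deserves a comment such as `/* Kernel threads inherit init_fs/init_files; clear them without a put, the init objects are static and never freed. */`. If an io-wq worker could ever be created with anything other than the init objects, these stores would leak them. The enclosing function begins outside the hunk.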