Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fanotify: Allow copying of file handle to userspace

When the file handle is embedded inside fanotify_event and usercopy checks
are enabled, we get a warning like:

Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
from SLAB object 'fanotify_event' (offset 40, size 8)!
WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
mm/usercopy.c:78

Annotate handling in fanotify_event properly to mark that copying it to
userspace is fine.

Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
Fixes: a8b13aa20afb ("fanotify: enable FAN_REPORT_FID init flag")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

Jan Kara b2d22b6b 62c9d267

+11 -1
fs/notify/fanotify/fanotify_user.c
··· 208 208 { 209 209 struct fanotify_event_info_fid info = { }; 210 210 struct file_handle handle = { }; 211 + unsigned char bounce[FANOTIFY_INLINE_FH_LEN], *fh; 211 212 size_t fh_len = event->fh_len; 212 213 size_t len = fanotify_event_info_len(event); 213 214 ··· 234 233 235 234 buf += sizeof(handle); 236 235 len -= sizeof(handle); 237 - if (copy_to_user(buf, fanotify_event_fh(event), fh_len)) 236 + /* 237 + * For an inline fh, copy through stack to exclude the copy from 238 + * usercopy hardening protections. 239 + */ 240 + fh = fanotify_event_fh(event); 241 + if (fh_len <= FANOTIFY_INLINE_FH_LEN) { 242 + memcpy(bounce, fh, fh_len); 243 + fh = bounce; 244 + } 245 + if (copy_to_user(buf, fh, fh_len)) 238 246 return -EFAULT; 239 247 240 248 /* Pad with 0's */
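Review bot: the commit message says the fix is to "Annotate handling in fanotify_event properly", but the change in the copy hunk routes the inline handle around the check through a stack buffer rather than whitelisting a usercopy region of the fanotify_event object; either reword the message to say the copy is bounced through the stack, or add a sentence explaining why a usercopy whitelist on the cache was not used. Style point on the first hunk: `unsigned char bounce[FANOTIFY_INLINE_FH_LEN], *fh;` declares an array and a pointer in one statement; two declarations read more clearly.

Review bot: the comment in the copy hunk explains the inline case but says nothing about why the `fh_len > FANOTIFY_INLINE_FH_LEN` path can hand `fanotify_event_fh(event)` straight to copy_to_user(); the reader has to infer that larger handles live in storage outside the fanotify_event slab object and so are not subject to the whitelist check. One added sentence stating that invariant next to `if (fh_len <= FANOTIFY_INLINE_FH_LEN) {` would document what the bypass depends on. The `memcpy(bounce, fh, fh_len)` is correctly bounded by the preceding length test, and only `fh_len` bytes of the uninitialised `bounce` are copied to userspace, so no stack contents leak.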
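The copy hunk above writes the FAN_REPORT_FID record as an info header, the fsid, a struct file_handle header, the raw handle bytes and then zero padding. The following is an added example, not code from the kernel tree: a userspace parser for that record that validates every length before trusting it, run over a record constructed by hand. The struct layouts, the FAN_EVENT_INFO_TYPE_FID value, MAX_HANDLE_SZ and the 8-byte record alignment are assumptions written out here so the example builds without kernel headers.

```c
/*
 * Added example (not part of the kernel patch): parse and validate a
 * FAN_REPORT_FID info record of the shape fanotify_user.c copies out:
 *   info header | fsid | file_handle header | fh bytes | zero padding
 * Layouts below mirror <linux/fanotify.h> as an assumption so that the
 * example builds standalone; the sample record is constructed by hand.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAN_EVENT_INFO_TYPE_FID 1   /* assumed value, per uapi fanotify.h */
#define MAX_HANDLE_SZ 128           /* assumed cap, per <fcntl.h> */
#define INFO_ALIGN 8                /* assumed: records are padded to 8 bytes */

struct info_header { uint8_t info_type; uint8_t pad; uint16_t len; };
struct fid_record  { struct info_header hdr; int32_t fsid[2]; /* file_handle follows */ };
struct fh_header   { uint32_t handle_bytes; int32_t handle_type; };

struct parsed_fid {
    int32_t fsid[2];
    int32_t handle_type;
    uint32_t handle_bytes;
    unsigned char f_handle[MAX_HANDLE_SZ];
};

/* Returns 0 on success, -1 if the record is malformed or does not fit in buf. */
int parse_fid_record(const unsigned char *buf, size_t buflen, struct parsed_fid *out)
{
    struct info_header hdr;
    struct fh_header fh;
    size_t need;

    if (buflen < sizeof(hdr))
        return -1;
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.info_type != FAN_EVENT_INFO_TYPE_FID)
        return -1;
    /* hdr.len is the only length the reader may advance by; check it first */
    if (hdr.len > buflen || hdr.len < sizeof(struct fid_record) + sizeof(fh))
        return -1;
    if (hdr.len % INFO_ALIGN)
        return -1;                       /* the kernel never emits such a length */
    memcpy(out->fsid, buf + sizeof(hdr), sizeof(out->fsid));
    memcpy(&fh, buf + sizeof(struct fid_record), sizeof(fh));
    if (fh.handle_bytes > MAX_HANDLE_SZ)
        return -1;
    need = sizeof(struct fid_record) + sizeof(fh) + fh.handle_bytes;
    if (need > hdr.len)
        return -1;                       /* handle_bytes claims more than the record carries */
    /* everything after the handle must be the zero padding the kernel wrote */
    for (size_t i = need; i < hdr.len; i++)
        if (buf[i] != 0)
            return -1;
    out->handle_type = fh.handle_type;
    out->handle_bytes = fh.handle_bytes;
    memcpy(out->f_handle, buf + sizeof(struct fid_record) + sizeof(fh), fh.handle_bytes);
    return 0;
}

/* Builds a constructed sample record (fsid, type 1, 8-byte handle); returns its length. */
size_t build_sample_record(unsigned char *buf, size_t buflen)
{
    static const unsigned char fh_bytes[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    struct info_header hdr = { FAN_EVENT_INFO_TYPE_FID, 0, 0 };
    int32_t fsid[2] = { 0x1234, 0x5678 };                                /* constructed */
    struct fh_header fh = { sizeof(fh_bytes), 1 };
    size_t raw = sizeof(hdr) + sizeof(fsid) + sizeof(fh) + sizeof(fh_bytes);
    size_t total = (raw + INFO_ALIGN - 1) / INFO_ALIGN * INFO_ALIGN;

    if (buflen < total)
        return 0;
    hdr.len = (uint16_t)total;
    memset(buf, 0, total);               /* zero padding, as the kernel does */
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + 4, fsid, sizeof(fsid));
    memcpy(buf + 12, &fh, sizeof(fh));
    memcpy(buf + 20, fh_bytes, sizeof(fh_bytes));
    return total;
}

/* Runs the parser on the sample record and on two corruptions of it.
 * Returns the number of checks that behaved as expected (3 when all pass). */
int run_checks(void)
{
    unsigned char buf[64];
    struct parsed_fid p;
    size_t n = build_sample_record(buf, sizeof(buf));
    int ok = 0;

    if (n == 32 && parse_fid_record(buf, n, &p) == 0 && p.handle_bytes == 8 &&
        p.handle_type == 1 && p.fsid[0] == 0x1234 && p.fsid[1] == 0x5678 &&
        p.f_handle[7] == 8)
        ok++;
    /* corruption 1: handle_bytes overclaims what the record carries */
    { uint32_t big = 64; memcpy(buf + 12, &big, sizeof(big)); }
    if (parse_fid_record(buf, n, &p) == -1)
        ok++;
    /* corruption 2: a non-zero byte where only zero padding may appear */
    { uint32_t eight = 8; memcpy(buf + 12, &eight, sizeof(eight)); buf[n - 1] = 0xaa; }
    if (parse_fid_record(buf, n, &p) == -1)
        ok++;
    return ok;
}

int main(void)
{
    printf("%d/3 checks passed\n", run_checks());
    return 0;
}
```

The record is read through memcpy into local structs in host byte order, which is also how the kernel writes it, so no endianness conversion is needed; `hdr.len` is the only value used to advance through a buffer holding several records, and `handle_bytes` is checked against both MAX_HANDLE_SZ and `hdr.len` before any copy.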