forked from Minki/linux
vfs: move_mount: reject moving kernel internal mounts
sys_move_mount() crashes by dereferencing the pointer MNT_NS_INTERNAL,
a.k.a. ERR_PTR(-EINVAL), if the old mount is specified by fd for a
kernel object with an internal mount, such as a pipe or memfd.
Fix it by checking for this case and returning -EINVAL.
[AV: what we want is is_mounted(); use that instead of making the
condition even more convoluted]
Reproducer:
#include <unistd.h>
#define __NR_move_mount 429
#define MOVE_MOUNT_F_EMPTY_PATH 0x00000004
int main()
{
int fds[2];
pipe(fds);
syscall(__NR_move_mount, fds[0], "", -1, "/", MOVE_MOUNT_F_EMPTY_PATH);
}
Reported-by: syzbot+6004acbaa1893ad013f0@syzkaller.appspotmail.com
Fixes: 2db154b3ea
("vfs: syscall: Add move_mount(2) to move mounts around")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
d728cf7916
commit
570d7a98e7
@ -2596,11 +2596,12 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
|
||||
if (!check_mnt(p))
|
||||
goto out;
|
||||
|
||||
/* The thing moved should be either ours or completely unattached. */
|
||||
if (attached && !check_mnt(old))
|
||||
/* The thing moved must be mounted... */
|
||||
if (!is_mounted(&old->mnt))
|
||||
goto out;
|
||||
|
||||
if (!attached && !(ns && is_anon_ns(ns)))
|
||||
/* ... and either ours or the root of anon namespace */
|
||||
if (!(attached ? check_mnt(old) : is_anon_ns(ns)))
|
||||
goto out;
|
||||
|
||||
if (old->mnt.mnt_flags & MNT_LOCKED)
|
||||
|
Loading…
Reference in New Issue
Block a user