fanotify: Fix use after free for permission events

Currently struct fanotify_event_info has been destroyed immediately after reporting its contents to userspace. However that is wrong for permission events because those need to stay around until userspace provides response which is filled back in fanotify_event_info. So change to code to free permission events only after we have got the response from userspace. Reported-and-tested-by: Jiri Kosina <jkosina@suse.cz> Reported-and-tested-by: Dave Jones <davej@fedoraproject.org> Signed-off-by: Jan Kara <jack@suse.cz>
author: Jan Kara <jack@suse.cz> 2014-01-28 15:38:06 -0500
committer: Jan Kara <jack@suse.cz> 2014-01-29 07:57:17 -0500
commit: 85816794240b9659e66e4d9b0df7c6e814e5f603 (patch)
tree: dd9a5103e62f15e74b2d7729e972d141845462aa
parent: 83c0e1b442b488571f4fef4a91c2fe52eed6c705 (diff)
3 files changed, 17 insertions, 2 deletions
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index c7e5e8f54748..0e792f5e3147 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -192,14 +192,17 @@ static int fanotify_handle_event(struct fsnotify_group *group,
        ret = fsnotify_add_notify_event(group, fsn_event, fanotify_merge);
        if (ret) {
+                BUG_ON(mask & FAN_ALL_PERM_EVENTS);
                /* Our event wasn't used in the end. Free it. */
                fsnotify_destroy_event(group, fsn_event);
                ret = 0;
        }
 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
-        if (mask & FAN_ALL_PERM_EVENTS)
+        if (mask & FAN_ALL_PERM_EVENTS) {
                ret = fanotify_get_response_from_access(group, event);
+                fsnotify_destroy_event(group, fsn_event);
+        }
 #endif
        return ret;
 }
diff --git a/fs/notify/fanotify/fanotify.h b/fs/notify/fanotify/fanotify.h
index 0e90174a116a..32a2f034fb94 100644
--- a/fs/notify/fanotify/fanotify.h
+++ b/fs/notify/fanotify/fanotify.h
@@ -4,6 +4,13 @@
 extern struct kmem_cache *fanotify_event_cachep;
+/*
+ * Lifetime of the structure differs for normal and permission events. In both
+ * cases the structure is allocated in fanotify_handle_event(). For normal
+ * events the structure is freed immediately after reporting it to userspace.
+ * For permission events we free it only after we receive response from
+ * userspace.
+ */
 struct fanotify_event_info {
        struct fsnotify_event fse;
        /*
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 1fd66abe5740..b6175fa11bf8 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -319,7 +319,12 @@ static ssize_t fanotify_read(struct file *file, char __user *buf,
                        if (IS_ERR(kevent))
                                break;
                        ret = copy_event_to_user(group, kevent, buf);
-                        fsnotify_destroy_event(group, kevent);
+                        /*
+                         * Permission events get destroyed after we
+                         * receive response
+                         */
+                        if (!(kevent->mask & FAN_ALL_PERM_EVENTS))
+                                fsnotify_destroy_event(group, kevent);
                        if (ret < 0)
                                break;
                        buf += ret;
author	Jan Kara <jack@suse.cz>	2014-01-28 15:38:06 -0500
committer	Jan Kara <jack@suse.cz>	2014-01-29 07:57:17 -0500
commit	85816794240b9659e66e4d9b0df7c6e814e5f603 (patch)
tree	dd9a5103e62f15e74b2d7729e972d141845462aa
parent	83c0e1b442b488571f4fef4a91c2fe52eed6c705 (diff)