linux/fs/notify
Dan Carpenter ee12595147 fanotify: Fix stale file descriptor in copy_event_to_user()
This code calls fd_install() which gives the userspace access to the fd.
Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but
that will not release it and leads to a stale entry in the file
descriptor table.

Generally you can't trust the fd after a call to fd_install().  The fix
is to delay the fd_install() until everything else has succeeded.

Fortunately it requires CAP_SYS_ADMIN to reach this code so the security
impact is less.

Fixes: f644bc449b ("fanotify: fix copy_event_to_user() fid error clean up")
Link: https://lore.kernel.org/r/20220128195656.GA26981@kili
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Jan Kara <jack@suse.cz>
2022-02-01 12:52:07 +01:00
dnotify dnotify: move dnotify sysctl to dnotify.c 2022-01-22 08:33:34 +02:00
fanotify fanotify: Fix stale file descriptor in copy_event_to_user() 2022-02-01 12:52:07 +01:00
inotify inotify: simplify subdirectory registration with register_sysctl() 2022-01-22 08:33:35 +02:00
fdinfo.c fanotify: fix permission model of unprivileged group 2021-05-25 12:21:14 +02:00
fdinfo.h
fsnotify.c fsnotify: generate FS_RENAME event with rich information 2021-12-15 14:04:27 +01:00
fsnotify.h fsnotify: count all objects with attached connectors 2021-08-11 13:50:48 +02:00
group.c fsnotify: clarify object type argument 2021-12-15 14:04:03 +01:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile
mark.c fsnotify: separate mark iterator type from object type enum 2021-12-15 14:04:06 +01:00
notification.c fsnotify: Pass group argument to free_event 2021-10-27 12:34:18 +02:00