From: Zhihao Cheng chengzhihao1@huawei.com
hulk inclusion
category: bugfix
bugzilla: 186543, https://gitee.com/openeuler/kernel/issues/I5BGFA
CVE: NA
--------------------------------
The following process will trigger a use-after-free problem:
1. Open /proc/sysvipc/msg and lock it by file lock
   fcntl_setlk
     do_lock_file_wait
       vfs_lock_file
         posix_lock_file
           locks_insert_lock_ctx
             locks_insert_global_locks   // Added to lock list
2. Close /proc/sysvipc/msg by io_uring
   filp_close(close->put_file, req->work.files)
                               // req->work.files equals NULL; io_grab_files() initializes it,
                               // non-async operations won't invoke that function.
     locks_remove_posix(filp, NULL)
       lock.fl_owner = NULL
       vfs_lock_file
         posix_lock_file
           posix_same_owner     // Returns false according to fl_owner;
                                // locks_delete_lock_ctx(fl, &dispose) and locks_dispose_list
                                // won't be executed, flock is not removed from lock list
   fput(filp)                   // release filp
3. Read /proc/locks
   seq_read
     locks_start                // Get flock from lock list
     locks_show
       lock_get_status
         file_inode(f->file)    // Access released file, UAF occurs!
Fix it by passing current->files when req->work.files is uninitialized; because the io-sq thread shares the same files with the uring_fd task, this still works in SQPOLL mode.
Signed-off-by: Zhihao Cheng chengzhihao1@huawei.com
Reviewed-by: Zhang Yi yi.zhang@huawei.com
Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com
---
 fs/io_uring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index c104425b2557..7ae8ba98e73b 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3903,7 +3903,7 @@ static int io_close(struct io_kiocb *req, bool force_nonblock, }
/* No ->flush() or already async, safely close from here */ - ret = filp_close(close->put_file, req->work.files); + ret = filp_close(close->put_file, req->work.files ? : current->files); if (ret < 0) req_set_fail_links(req); fput(close->put_file);
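Review bot: the new fallback "req->work.files ? : current->files" in the filp_close() call in io_close() relies on an invariant that the surrounding code does not document: a NULL req->work.files means the request was never handed to io_grab_files(), so it is running in the submitting task's context (or on the SQPOLL thread, which the commit message says shares the submitter's files), and current->files is therefore the owner that locks_remove_posix() must match to drop the POSIX lock. The comment above the call, "No ->flush() or already async, safely close from here", should be extended to say so; without it, a later change that runs io_close() from a worker context without io_grab_files() would silently reintroduce the stale-lock and use-after-free path described in the commit message. Worth considering as well whether making IORING_OP_CLOSE always go through io_grab_files() is a more robust fix than a runtime fallback, since the root cause is that close reached filp_close() with a NULL files owner.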