Re: inotify cookie regression/info leak in latest mainline
From: Jan Kara
Date: Mon Feb 17 2014 - 08:00:04 EST
Hello,
On Sat 15-02-14 22:39:38, Vegard Nossum wrote:
> It would seem that
>
> commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
> Author: Jan Kara <jack@xxxxxxx>
> Date: Tue Jan 21 15:48:14 2014 -0800
>
> fsnotify: do not share events between notification groups
>
> introduced a bug where the cookie field of struct inotify_event
> never gets initialised. In particular, it used to be initialised
> when send_to_group() called fsnotify_create_event(), but that no
> longer happens, and the 'cookie' parameter of send_to_group() never
> gets used.
>
> The problem manifests itself in copy_event_to_user() where the
> cookie field is copied to userspace without being initialised.
>
> I tested this with a simple userspace program, I seem to get mostly
> 0xffff8800 in the cookie field for non-move events (which should
> always have 0 here).
That's a really embarassing bug. I've extented LTP inotify tests to
verify the cookie value is sane (so far the tests completely ignored the
value which is why I didn't notice the breakage).
Attached patch fixes the problem for me. I'll send it to Linus tomorrow.
Thanks for spotting the problem!
Honza
--
Jan Kara <jack@xxxxxxx>
SUSE Labs, CR