Message ID | 20191107160825.30000-1-seth.forshee@canonical.com
---|---
Series | CVE-2019-15794: ovl/shiftfs refcount underflow
On 2019-11-07 10:08:23, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
>
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file after call_mmap() returns
> an error. However, the aufs patches change mmap_region() to replace the
> fput() using a local variable with vma_fput(), which will fput() vm_file,
> leading to a refcount underflow.
>
> Fix: Restore the original vm_file value on error.
>
> Test Case: A reproducer is provided in the original bug report.
>
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
>
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.

Both patches look good.

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks!

Tyler

> Thanks,
> Seth
>
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 07.11.19 17:08, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
>
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file after call_mmap() returns
> an error. However, the aufs patches change mmap_region() to replace the
> fput() using a local variable with vma_fput(), which will fput() vm_file,
> leading to a refcount underflow.
>
> Fix: Restore the original vm_file value on error.
>
> Test Case: A reproducer is provided in the original bug report.
>
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
>
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.
>
> Thanks,
> Seth
>
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 2019-11-07 10:08:23, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
>
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file after call_mmap() returns
> an error. However, the aufs patches change mmap_region() to replace the
> fput() using a local variable with vma_fput(), which will fput() vm_file,
> leading to a refcount underflow.
>
> Fix: Restore the original vm_file value on error.
>
> Test Case: A reproducer is provided in the original bug report.
>
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
>
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.
>
> Thanks,
> Seth
>
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)
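The refcount bookkeeping described in the cover letter, modelled in user space as an added illustration. This is not code from the thread, the patches, overlayfs, shiftfs or the kernel: struct file, get_file(), fput(), stacked_mmap() and mmap_region_model() are simplified stand-ins, chosen only to show why a stacked ->mmap handler that leaves vma->vm_file pointing at the lower file on error is harmless with a caller that does fput(file) on its own local variable, but underflows the lower file's count with a caller that does vma_fput() on whatever vm_file points to, and how restoring the original vm_file value closes that gap.

```c
/*
 * Added example, not code from the patches or the kernel: a user-space model
 * of vm_file handling in a stacked filesystem's ->mmap. All types and
 * functions below are simplified stand-ins for the kernel objects/code paths.
 */
#include <errno.h>
#include <stdio.h>

struct file {
    const char *name;
    long refcount;      /* stands in for f_count */
    int underflowed;    /* set once a put drives refcount below zero */
};

struct vm_area_struct {
    struct file *vm_file;
};

static struct file *get_file(struct file *f)
{
    f->refcount++;
    return f;
}

static void fput(struct file *f)
{
    if (--f->refcount < 0)
        f->underflowed = 1;
}

/* Lower filesystem's ->mmap; fails when asked to (e.g. no mmap support). */
static int lower_mmap(struct file *lower, struct vm_area_struct *vma, int fail)
{
    (void)lower;
    (void)vma;
    return fail ? -ENODEV : 0;
}

/*
 * Stacked-fs ->mmap in the shape described in the cover letter: swap the
 * lower file into vma->vm_file, call the lower mmap, drop the reference
 * that lost. restore_on_error == 0 models the buggy handler; 1 models the
 * fix (vm_file put back to the original file when the lower mmap fails).
 */
static int stacked_mmap(struct file *upper, struct file *lower,
                        struct vm_area_struct *vma, int lower_fails,
                        int restore_on_error)
{
    int ret;

    vma->vm_file = get_file(lower);
    ret = lower_mmap(lower, vma, lower_fails);
    if (ret) {
        fput(lower);                /* drop the reference taken above */
        if (restore_on_error)
            vma->vm_file = upper;   /* the fix */
        /* else vm_file still names lower, with no reference held for it */
    } else {
        fput(upper);                /* the vma now owns the lower reference */
    }
    return ret;
}

/*
 * Error path of mmap_region(): the upstream shape puts the file through its
 * local variable; the aufs-patched shape uses vma_fput(), i.e. whatever
 * vm_file currently points to.
 */
static int mmap_region_model(struct file *upper, struct file *lower,
                             int restore_on_error, int aufs_caller)
{
    struct vm_area_struct vma = { .vm_file = get_file(upper) };
    int ret = stacked_mmap(upper, lower, &vma, 1, restore_on_error);

    if (ret) {
        if (aufs_caller)
            fput(vma.vm_file);      /* vma_fput(vma) */
        else
            fput(upper);            /* fput(file) */
    }
    return ret;
}

/*
 * One failing mmap, then both files are released as the process would.
 * Returns a bitmask: bit 0 = lower file refcount underflowed,
 *                    bit 1 = upper file reference leaked (count > 0 at end).
 */
static int run_scenario(int restore_on_error, int aufs_caller)
{
    struct file upper = { "upper", 1, 0 };  /* one ref: the open fd */
    struct file lower = { "lower", 1, 0 };  /* one ref: held by the stacked open */
    int result = 0;

    mmap_region_model(&upper, &lower, restore_on_error, aufs_caller);
    fput(&upper);                           /* close() of the fd */
    fput(&lower);                           /* release of the lower file */

    if (lower.underflowed)
        result |= 1;
    if (upper.refcount > 0)
        result |= 2;
    return result;
}

int main(void)
{
    printf("buggy handler, upstream caller: %d\n", run_scenario(0, 0));
    printf("buggy handler, aufs caller:     %d\n", run_scenario(0, 1));
    printf("fixed handler, aufs caller:     %d\n", run_scenario(1, 1));
    return 0;
}
```

With the upstream-style caller the dangling vm_file is never touched and both counts return to zero; with the vma_fput() caller the buggy handler ends with the lower file put once too often (underflow) and the upper file's extra reference never dropped (leak), and restoring vm_file on error removes both.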