From patchwork Thu Nov 7 16:08:25 2019
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1191255
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/2][SRU][D/E] UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
Date: Thu, 7 Nov 2019 10:08:25 -0600
Message-Id: <20191107160825.30000-3-seth.forshee@canonical.com>
In-Reply-To: <20191107160825.30000-1-seth.forshee@canonical.com>
References: <20191107160825.30000-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1850994

ovl_mmap() overwrites vma->vm_file before calling the lower filesystem
mmap but does not restore the original value on failure. This means it
is giving a pointer to the lower fs file back to the caller with no
reference, which is a bad practice. However, it does not lead to any
issues with upstream kernels as no caller accesses vma->vm_file after
call_mmap().

With the aufs patches applied the story is different. Whereas
mmap_region() previously fput a local variable containing the file it
assigned to vm_file, it now calls vma_fput() which will fput vm_file,
for which it has no reference, and the reference for the original
vm_file is not put.

Fix this by restoring vma->vm_file to the original value when the mmap
call into the lower fs fails.

CVE-2019-15794

Reported-by: Jann Horn
Signed-off-by: Seth Forshee
---
 fs/overlayfs/file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 895f2c5565d3..43ad47cc046f 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -334,7 +334,11 @@ static int ovl_mmap(struct file *file, struct vm_area_struct *vma) revert_creds(old_cred); if (ret) { - /* Drop reference count from new vm_file value */ + /* + * Drop reference count from new vm_file value and restore + * original vm_file value + */ + vma->vm_file = file; fput(realfile); } else { /* Drop reference count from previous vm_file value */
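Review bot: the added `vma->vm_file = file;` in the `if (ret)` branch silently relies on the `file` argument being exactly the value `vma->vm_file` held on entry to ovl_mmap(), and neither the code nor the new comment records that invariant. It holds only because the caller assigned `vm_file = file` before call_mmap(), which is the same assumption the success path makes when it does `fput(file)` to drop "the previous vm_file value". Either save the original in a local before the overwrite (e.g. `struct file *orig = vma->vm_file;` above the assignment and restore from that), or extend the comment to say the restore is to the file the caller installed in vm_file. The ordering itself is right: restoring before `fput(realfile)` means a caller that reads vm_file on the error path (vma_fput() in the aufs tree, per the commit message) never sees a pointer it holds no reference to.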
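The reference-count accounting the commit message describes, as an added userspace model that is not kernel code and not part of this patch. The struct and helper names mirror the kernel's (get_file, fput, vm_file, a stand-in for vma_fput()), but the bodies are hypothetical simplifications: f_count is a plain int, "freeing" just sets a flag, and the starting counts (one reference on the overlay file for the open fd, one on the lower file held by overlayfs) are constructed for the example. It runs the failed-mmap path with and without the restore, against an upstream-style caller and an aufs-style caller, so the leaked reference and the premature free are visible as numbers:

```c
#include <errno.h>
#include <stdio.h>

/*
 * Added example (not kernel code): a userspace model of the reference
 * counting the commit message describes. Names mirror the kernel's, the
 * bodies are hypothetical simplifications.
 */
struct file {
	const char *name;
	int count;	/* models f_count */
	int freed;	/* set once the last reference is dropped */
};

struct vm_area_struct {
	struct file *vm_file;
};

static struct file *get_file(struct file *f)
{
	f->count++;
	return f;
}

static void fput(struct file *f)
{
	if (--f->count <= 0)
		f->freed = 1;	/* any later put on this file would be a use-after-free */
}

/* Stand-in for the lower filesystem's ->mmap(); failure is selectable. */
static int lower_mmap_fails;

static int lower_call_mmap(struct file *realfile, struct vm_area_struct *vma)
{
	(void)realfile;
	(void)vma;
	return lower_mmap_fails ? -ENODEV : 0;
}

/*
 * Model of ovl_mmap(): take a reference on the lower file, point
 * vma->vm_file at it, call the lower mmap. 'restore' selects the error
 * path before (0) or after (1) the patch.
 */
static int ovl_mmap_model(struct file *file, struct file *realfile,
			  struct vm_area_struct *vma, int restore)
{
	int ret;

	get_file(realfile);
	vma->vm_file = realfile;
	ret = lower_call_mmap(realfile, vma);
	if (ret) {
		if (restore)
			vma->vm_file = file;	/* the patch: restore before dropping */
		fput(realfile);			/* drop the reference taken above */
	} else {
		fput(file);			/* drop the reference to the previous vm_file */
	}
	return ret;
}

/*
 * Model of the caller, mmap_region(). On error an upstream caller puts the
 * local 'file'; with aufs applied, vma_fput() puts whatever vm_file holds.
 */
static int mmap_region_model(struct file *file, struct file *realfile,
			     int aufs, int restore)
{
	struct vm_area_struct vma = { NULL };
	int ret;

	vma.vm_file = get_file(file);
	ret = ovl_mmap_model(file, realfile, &vma, restore);
	if (ret) {
		if (aufs)
			fput(vma.vm_file);	/* vma_fput(): holds no reference of its own */
		else
			fput(file);
		vma.vm_file = NULL;
	}
	return ret;
}

struct counts {
	int file_count;		/* 1 expected after a failed mmap */
	int real_count;		/* 1 expected after a failed mmap */
	int real_freed;		/* 1 means the lower file was freed under overlayfs */
};

/* Run one mmap from constructed starting refcounts and report what is left. */
static struct counts run_scenario(int lower_fails, int aufs, int restore)
{
	struct file file = { "overlay file", 1, 0 };	/* one ref: the open fd */
	struct file realfile = { "lower file", 1, 0 };	/* one ref: held by overlayfs */
	struct counts c;

	lower_mmap_fails = lower_fails;
	mmap_region_model(&file, &realfile, aufs, restore);
	c.file_count = file.count;
	c.real_count = realfile.count;
	c.real_freed = realfile.freed;
	return c;
}

int main(void)
{
	static const struct { const char *what; int fails, aufs, restore; } cases[] = {
		{ "lower mmap fails, aufs vma_fput, before patch",   1, 1, 0 },
		{ "lower mmap fails, aufs vma_fput, after patch",    1, 1, 1 },
		{ "lower mmap fails, upstream caller, before patch", 1, 0, 0 },
		{ "lower mmap succeeds",                             0, 1, 1 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct counts c = run_scenario(cases[i].fails, cases[i].aufs, cases[i].restore);
		printf("%-50s file=%d realfile=%d%s\n", cases[i].what,
		       c.file_count, c.real_count, c.real_freed ? " (FREED)" : "");
	}
	return 0;
}
```

With the aufs-style caller and no restore, the run ends with the overlay file at two references (the fd's reference plus the one mmap_region took and never put) and the lower file at zero while overlayfs still believes it holds one; with the restore, both return to one. The upstream-style caller is balanced either way, which is why the commit message says only the aufs-patched tree is affected.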