From patchwork Wed Jan 31 16:47:59 2018
X-Patchwork-Submitter: Benjamin M Romer
X-Patchwork-Id: 868018
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [trusty][PATCH 1/1] loop: fix concurrent lo_open/lo_release
Date: Wed, 31 Jan 2018 11:47:59 -0500
Message-Id: <20180131164759.20006-2-benjamin.romer@canonical.com>
In-Reply-To: <20180131164759.20006-1-benjamin.romer@canonical.com>
References: <20180131164759.20006-1-benjamin.romer@canonical.com>
List-Id: Kernel team discussions
From: Linus Torvalds

范龙飞 reports that KASAN can report a use-after-free in __lock_acquire. The reason is due to insufficient serialization in lo_release(), which will continue to use the loop device even after it has decremented the lo_refcnt to zero.

In the meantime, another process can come in, open the loop device again as it is being shut down.

Confusion ensues.

Reported-by: 范龙飞
Signed-off-by: Linus Torvalds
Signed-off-by: Jens Axboe

CVE-2018-5344

(cherry picked from commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5)
[ ben_r: patch needed to be fuzzed to apply. ]
Signed-off-by: Benjamin M Romer
Acked-by: Stefan Bader
---
 drivers/block/loop.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 2e229ac..abcb856 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1529,9 +1529,8 @@ out: return err; } -static void lo_release(struct gendisk *disk, fmode_t mode) +static void __lo_release(struct loop_device *lo) { - struct loop_device *lo = disk->private_data; int err; mutex_lock(&lo->lo_ctl_mutex); @@ -1559,6 +1558,13 @@ out: mutex_unlock(&lo->lo_ctl_mutex); } +static void lo_release(struct gendisk *disk, fmode_t mode) +{ + mutex_lock(&loop_index_mutex); + __lo_release(disk->private_data); + mutex_unlock(&loop_index_mutex); +} + static const struct block_device_operations lo_fops = { .owner = THIS_MODULE, .open = lo_open,
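Review bot: __lo_release() (first hunk, @@ -1529,9 +1529,8 @@) now depends on its caller holding loop_index_mutex, but nothing at the function itself records that precondition; the hunk only changes the parameter from `struct gendisk *disk` to `struct loop_device *lo` and drops the `disk->private_data` dereference. Add a comment above `static void __lo_release(struct loop_device *lo)` stating that loop_index_mutex must be held, or make `lockdep_assert_held(&loop_index_mutex);` its first statement, so a future caller cannot reintroduce the unserialized path the commit message describes.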
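Review bot: the new lo_release() (second hunk, @@ -1559,6 +1558,13 @@) establishes the lock order loop_index_mutex then lo->lo_ctl_mutex, because __lo_release() takes lo_ctl_mutex as its first action in the preceding hunk; lo_open(), the other half of the race named in the commit message, appears here only as the `.open = lo_open,` context line, so its body is not in the diff. Before this is applied, confirm on the trusty tree that lo_open() acquires the two mutexes in that same order (or does not take lo_ctl_mutex under loop_index_mutex at all), since the opposite order would trade the use-after-free for an ABBA deadlock. The `[ ben_r: patch needed to be fuzzed to apply. ]` note means the hunk offsets did not match the tree this was written against, which makes that check worth doing explicitly rather than assuming the upstream ordering carried over.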
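The race the commit message describes, and the effect of wrapping the whole release in loop_index_mutex, can be reproduced in user space. The following is an added example written for this page, not kernel code and not part of the patch or the Ubuntu tree: it models lo_open() and __lo_release() with pthread mutexes and forces the bad interleaving with a small hand-off. The `*_model` function names, the `window_open`/`open_returned` flags, the one-second timeout and the `torn_down_while_referenced` counter are all constructed for the demonstration. The model also assumes, as its way of representing "continues to use the loop device even after it has decremented the lo_refcnt to zero", that the teardown touches the device after lo_ctl_mutex has been dropped; the kernel's actual window is not shown on this page. `run_scenario(false)` runs the unpatched shape and returns 1 (teardown ran while a fresh opener already held a reference); `run_scenario(true)` runs the shape the second hunk introduces and returns 0.

```c
/* Constructed user-space model of the lo_open()/lo_release() race; not kernel code. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct loop_device {
	pthread_mutex_t lo_ctl_mutex;   /* per-device lock, as in the hunks */
	int lo_refcnt;                  /* open count, as in the hunks */
	int torn_down_while_referenced; /* counts the invariant violation */
};

static pthread_mutex_t loop_index_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Hand-off used only to force "open" to run inside release's window. */
static pthread_mutex_t ho_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t ho_cond = PTHREAD_COND_INITIALIZER;
static bool window_open, open_returned;

static void ho_set(bool *flag)
{
	pthread_mutex_lock(&ho_lock);
	*flag = true;
	pthread_cond_broadcast(&ho_cond);
	pthread_mutex_unlock(&ho_lock);
}

/* Wait for *flag, giving up after `secs` seconds (the patched run times out). */
static void ho_wait(bool *flag, int secs)
{
	struct timespec dl;

	clock_gettime(CLOCK_REALTIME, &dl);
	dl.tv_sec += secs;
	pthread_mutex_lock(&ho_lock);
	while (!*flag && pthread_cond_timedwait(&ho_cond, &ho_lock, &dl) != ETIMEDOUT)
		;
	pthread_mutex_unlock(&ho_lock);
}

/* Models lo_open(): take a reference with loop_index_mutex held. */
static int lo_open_model(struct loop_device *lo)
{
	pthread_mutex_lock(&loop_index_mutex);
	pthread_mutex_lock(&lo->lo_ctl_mutex);
	lo->lo_refcnt++;
	pthread_mutex_unlock(&lo->lo_ctl_mutex);
	pthread_mutex_unlock(&loop_index_mutex);
	ho_set(&open_returned);
	return 0;
}

/* Models __lo_release(). Assumption: after lo_refcnt hits zero the teardown
 * keeps using the device with lo_ctl_mutex dropped; that is the window. */
static void lo_release_model(struct loop_device *lo)
{
	pthread_mutex_lock(&lo->lo_ctl_mutex);
	if (--lo->lo_refcnt) {
		pthread_mutex_unlock(&lo->lo_ctl_mutex);
		return;
	}
	pthread_mutex_unlock(&lo->lo_ctl_mutex);

	ho_set(&window_open);        /* let the opener try now */
	ho_wait(&open_returned, 1);  /* only times out when the opener is blocked */

	pthread_mutex_lock(&lo->lo_ctl_mutex);
	if (lo->lo_refcnt != 0)      /* a new opener already holds a reference */
		lo->torn_down_while_referenced++;
	pthread_mutex_unlock(&lo->lo_ctl_mutex);
}

struct run { struct loop_device *lo; bool patched; };

static void *releaser(void *p)
{
	struct run *r = p;

	if (r->patched) {            /* the shape the patch's lo_release() has */
		pthread_mutex_lock(&loop_index_mutex);
		lo_release_model(r->lo);
		pthread_mutex_unlock(&loop_index_mutex);
	} else {
		lo_release_model(r->lo); /* the unpatched shape */
	}
	return NULL;
}

static void *opener(void *p)
{
	ho_wait(&window_open, 5);
	lo_open_model(p);
	return NULL;
}

/* Returns how many teardowns ran with a live reference: 1 unpatched, 0 patched. */
int run_scenario(bool patched)
{
	struct loop_device lo = { PTHREAD_MUTEX_INITIALIZER, 1, 0 }; /* one opener closing */
	struct run r = { &lo, patched };
	pthread_t t_open, t_rel;

	pthread_mutex_lock(&ho_lock);
	window_open = open_returned = false;
	pthread_mutex_unlock(&ho_lock);
	pthread_create(&t_open, NULL, opener, &lo);
	pthread_create(&t_rel, NULL, releaser, &r);
	pthread_join(t_rel, NULL);
	pthread_join(t_open, NULL);
	return lo.torn_down_while_referenced;
}

int main(void)
{
	printf("unpatched: teardown with live reference = %d\n", run_scenario(false));
	printf("patched:   teardown with live reference = %d\n", run_scenario(true));
	return 0;
}
```

Build with `cc -O2 -pthread loop_race_model.c -o loop_race_model`. The patched run takes about a second longer because the opener is parked on loop_index_mutex until the release has finished, which is exactly the serialization the second hunk adds; in the unpatched run the opener slips in between the refcount drop and the teardown, and the teardown then proceeds on a device that another process has just reopened.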