mbox series

[F/G/Unstable,0/1] aufs: fix for CVE-2020-11935

Message ID 20200629183122.1533457-1-mfo@canonical.com
Headers show
Series aufs: fix for CVE-2020-11935 | expand

Message

Mauricio Faria de Oliveira June 29, 2020, 6:31 p.m. UTC
[Impact]

 * This patch contains the fix for aufs's CVE-2020-11935.
 
 * The aufs filesystem might hit a kernel BUG() message
   under high load.

 * This may trigger a kernel panic/crash if panic_on_oops
   is enabled.  Otherwise, no harmful behavior is noticed.
   
 * One workaround is to clean the inode cache periodically:
   $ echo 2 | sudo tee /proc/sys/vm/drop-caches
   
[Fix]

 * The issue is fixed with 2 patches in aufs4-linux.git:
   - 515a586eeef3 aufs: do not call i_readcount_inc()
   - f10aea57d39d aufs: bugfix, IMA i_readcount

 * The first addresses the issue, and the second addresses a
   regression in the aufs feature to change RW branches to RO.

 * The aufs patches for v5.3+ have an equivalent fix to the
   second patch; it is present in Focal and later (not Eoan)
   (and on ubuntu-unstable/master & /master-5.8 as of Jun 29)
   - 1d26f910c53f aufs: for v5.3-rc1, maintain i_readcount
     (in aufs5-linux.git)

 * So, X/B/D/E need patches 1 and 2.
 * And F/G/Unstable need patch 1 only.
   
[Test Case]

 * Test cases are available internally, if needed.
   
[Regression Potential]

 * This changes the core path that aufs opens files, so there
   is a risk of regression; however, the fix changes aufs for
   how other filesystems work, so this generally is OK to do.
   In any case, regressions would likely happen in open() or
   close().
 
 * The aufs maintainer has access to an internal test-suite
   used to validate aufs changes, used to identify the first
   regression (in the branch RW/RO mode change), and then to
   validate/publish the patches upstream; should be good now.
   
 * This has also been tested with 'stress-ng --class filesystem'
   and with 'xfstests -overlay' (patch to use aufs vs overlayfs)
   on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).
   No regressions observed in stress-ng/xfstests log or dmesg.
   (Also build-tested on Disco/Eoan.)

[Other Info]

 * Applied on Unstable (branches master and master-5.8)
 * Not required on Groovy (still 5.4; should sync from Unstable)
 * Required on LTS releases: Bionic and Focal and Xenial.
 * Required on other releases: Disco and Eoan (for custom kernels)

 * Sorry for the submission after scheduled last day for patches.
   Really wanted to have this upstream first specially given the
   maintainer's internal test-suite (that catched one regression
   not hit in my tests, because it's on corner case/feature path.)

Mauricio Faria de Oliveira (1):
  aufs: do not call i_readcount_inc()

 fs/aufs/vfsub.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

Comments

Thadeu Lima de Souza Cascardo June 29, 2020, 6:54 p.m. UTC | #1
These should rather be applied as "UBUNTU: SAUCE:", despite the cherry picked
line from aufs repo, as this is not upstream.

Besides that:
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Kamal Mostafa June 29, 2020, 9:30 p.m. UTC | #2
As mentioned by Cascardo, these need to be "UBUNTU: SAUCE:".

Otherwise,

Acked-by: Kamal Mostafa <kamal@canonical.com>

 -Kamal

On Mon, Jun 29, 2020 at 03:31:21PM -0300, Mauricio Faria de Oliveira wrote:
> [Impact]
> 
>  * This patch contains the fix for aufs's CVE-2020-11935.
>  
>  * The aufs filesystem might hit a kernel BUG() message
>    under high load.
> 
>  * This may trigger a kernel panic/crash if panic_on_oops
>    is enabled.  Otherwise, no harmful behavior is noticed.
>    
>  * One workaround is to clean the inode cache periodically:
>    $ echo 2 | sudo tee /proc/sys/vm/drop-caches
>    
> [Fix]
> 
>  * The issue is fixed with 2 patches in aufs4-linux.git:
>    - 515a586eeef3 aufs: do not call i_readcount_inc()
>    - f10aea57d39d aufs: bugfix, IMA i_readcount
> 
>  * The first addresses the issue, and the second addresses a
>    regression in the aufs feature to change RW branches to RO.
> 
>  * The aufs patches for v5.3+ have an equivalent fix to the
>    second patch; it is present in Focal and later (not Eoan)
>    (and on ubuntu-unstable/master & /master-5.8 as of Jun 29)
>    - 1d26f910c53f aufs: for v5.3-rc1, maintain i_readcount
>      (in aufs5-linux.git)
> 
>  * So, X/B/D/E need patches 1 and 2.
>  * And F/G/Unstable need patch 1 only.
>    
> [Test Case]
> 
>  * Test cases are available internally, if needed.
>    
> [Regression Potential]
> 
>  * This changes the core path that aufs opens files, so there
>    is a risk of regression; however, the fix changes aufs for
>    how other filesystems work, so this generally is OK to do.
>    In any case, regressions would likely happen in open() or
>    close().
>  
>  * The aufs maintainer has access to an internal test-suite
>    used to validate aufs changes, used to identify the first
>    regression (in the branch RW/RO mode change), and then to
>    validate/publish the patches upstream; should be good now.
>    
>  * This has also been tested with 'stress-ng --class filesystem'
>    and with 'xfstests -overlay' (patch to use aufs vs overlayfs)
>    on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).
>    No regressions observed in stress-ng/xfstests log or dmesg.
>    (Also build-tested on Disco/Eoan.)
> 
> [Other Info]
> 
>  * Applied on Unstable (branches master and master-5.8)
>  * Not required on Groovy (still 5.4; should sync from Unstable)
>  * Required on LTS releases: Bionic and Focal and Xenial.
>  * Required on other releases: Disco and Eoan (for custom kernels)
> 
>  * Sorry for the submission after scheduled last day for patches.
>    Really wanted to have this upstream first specially given the
>    maintainer's internal test-suite (that catched one regression
>    not hit in my tests, because it's on corner case/feature path.)
> 
> Mauricio Faria de Oliveira (1):
>   aufs: do not call i_readcount_inc()
> 
>  fs/aufs/vfsub.c | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
> 
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Khaled Elmously June 30, 2020, 2:52 a.m. UTC | #3
On 2020-06-29 15:31:21 , Mauricio Faria de Oliveira wrote:
> [Impact]
> 
>  * This patch contains the fix for aufs's CVE-2020-11935.
>  
>  * The aufs filesystem might hit a kernel BUG() message
>    under high load.
> 
>  * This may trigger a kernel panic/crash if panic_on_oops
>    is enabled.  Otherwise, no harmful behavior is noticed.
>    
>  * One workaround is to clean the inode cache periodically:
>    $ echo 2 | sudo tee /proc/sys/vm/drop-caches
>    
> [Fix]
> 
>  * The issue is fixed with 2 patches in aufs4-linux.git:
>    - 515a586eeef3 aufs: do not call i_readcount_inc()
>    - f10aea57d39d aufs: bugfix, IMA i_readcount
> 
>  * The first addresses the issue, and the second addresses a
>    regression in the aufs feature to change RW branches to RO.
> 
>  * The aufs patches for v5.3+ have an equivalent fix to the
>    second patch; it is present in Focal and later (not Eoan)
>    (and on ubuntu-unstable/master & /master-5.8 as of Jun 29)
>    - 1d26f910c53f aufs: for v5.3-rc1, maintain i_readcount
>      (in aufs5-linux.git)
> 
>  * So, X/B/D/E need patches 1 and 2.
>  * And F/G/Unstable need patch 1 only.
>    
> [Test Case]
> 
>  * Test cases are available internally, if needed.
>    
> [Regression Potential]
> 
>  * This changes the core path that aufs opens files, so there
>    is a risk of regression; however, the fix changes aufs for
>    how other filesystems work, so this generally is OK to do.
>    In any case, regressions would likely happen in open() or
>    close().
>  
>  * The aufs maintainer has access to an internal test-suite
>    used to validate aufs changes, used to identify the first
>    regression (in the branch RW/RO mode change), and then to
>    validate/publish the patches upstream; should be good now.
>    
>  * This has also been tested with 'stress-ng --class filesystem'
>    and with 'xfstests -overlay' (patch to use aufs vs overlayfs)
>    on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).
>    No regressions observed in stress-ng/xfstests log or dmesg.
>    (Also build-tested on Disco/Eoan.)
> 
> [Other Info]
> 
>  * Applied on Unstable (branches master and master-5.8)
>  * Not required on Groovy (still 5.4; should sync from Unstable)
>  * Required on LTS releases: Bionic and Focal and Xenial.
>  * Required on other releases: Disco and Eoan (for custom kernels)
> 
>  * Sorry for the submission after scheduled last day for patches.
>    Really wanted to have this upstream first specially given the
>    maintainer's internal test-suite (that catched one regression
>    not hit in my tests, because it's on corner case/feature path.)
> 
> Mauricio Faria de Oliveira (1):
>   aufs: do not call i_readcount_inc()
> 
>  fs/aufs/vfsub.c | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
> 
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Seth Forshee July 1, 2020, 9:05 p.m. UTC | #4
On Mon, Jun 29, 2020 at 03:31:21PM -0300, Mauricio Faria de Oliveira wrote:
> [Impact]
> 
>  * This patch contains the fix for aufs's CVE-2020-11935.
>  
>  * The aufs filesystem might hit a kernel BUG() message
>    under high load.
> 
>  * This may trigger a kernel panic/crash if panic_on_oops
>    is enabled.  Otherwise, no harmful behavior is noticed.
>    
>  * One workaround is to clean the inode cache periodically:
>    $ echo 2 | sudo tee /proc/sys/vm/drop-caches
>    
> [Fix]
> 
>  * The issue is fixed with 2 patches in aufs4-linux.git:
>    - 515a586eeef3 aufs: do not call i_readcount_inc()
>    - f10aea57d39d aufs: bugfix, IMA i_readcount
> 
>  * The first addresses the issue, and the second addresses a
>    regression in the aufs feature to change RW branches to RO.
> 
>  * The aufs patches for v5.3+ have an equivalent fix to the
>    second patch; it is present in Focal and later (not Eoan)
>    (and on ubuntu-unstable/master & /master-5.8 as of Jun 29)
>    - 1d26f910c53f aufs: for v5.3-rc1, maintain i_readcount
>      (in aufs5-linux.git)
> 
>  * So, X/B/D/E need patches 1 and 2.
>  * And F/G/Unstable need patch 1 only.
>    
> [Test Case]
> 
>  * Test cases are available internally, if needed.
>    
> [Regression Potential]
> 
>  * This changes the core path that aufs opens files, so there
>    is a risk of regression; however, the fix changes aufs for
>    how other filesystems work, so this generally is OK to do.
>    In any case, regressions would likely happen in open() or
>    close().
>  
>  * The aufs maintainer has access to an internal test-suite
>    used to validate aufs changes, used to identify the first
>    regression (in the branch RW/RO mode change), and then to
>    validate/publish the patches upstream; should be good now.
>    
>  * This has also been tested with 'stress-ng --class filesystem'
>    and with 'xfstests -overlay' (patch to use aufs vs overlayfs)
>    on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).
>    No regressions observed in stress-ng/xfstests log or dmesg.
>    (Also build-tested on Disco/Eoan.)
> 
> [Other Info]
> 
>  * Applied on Unstable (branches master and master-5.8)
>  * Not required on Groovy (still 5.4; should sync from Unstable)
>  * Required on LTS releases: Bionic and Focal and Xenial.
>  * Required on other releases: Disco and Eoan (for custom kernels)
> 
>  * Sorry for the submission after scheduled last day for patches.
>    Really wanted to have this upstream first specially given the
>    maintainer's internal test-suite (that catched one regression
>    not hit in my tests, because it's on corner case/feature path.)

Applied to unstable/master-next, thanks!