[SRU,Focal,0/1] CVE-2023-2269

Message ID	20230728194016.91196-1-yuxuan.luo@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Yuxuan Luo <yuxuan.luo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][Focal][PATCH 0/1] CVE-2023-2269 Date: Fri, 28 Jul 2023 15:40:15 -0400 Message-Id: <20230728194016.91196-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-2269 \| expand [SRU,Focal,0/1] CVE-2023-2269 [SRU,Focal,1/1] dm ioctl: fix nested locking in table_clear() to remove deadlock concern

Message ID

20230728194016.91196-1-yuxuan.luo@canonical.com

Headers

From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 0/1] CVE-2023-2269
Date: Fri, 28 Jul 2023 15:40:15 -0400
Message-Id: <20230728194016.91196-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-2269 | expand

Message

Yuxuan Luo July 28, 2023, 7:40 p.m. UTC

[Impact]
A denial of service problem was found, due to a possible recursive
locking scenario, resulting in a deadlock in table_clear in
drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing
sub-component.

[Backport]
Clean cherry pick.

[Test]
Tested against the following script to verify that the verity
functionality is not broken and ioctl is still working as intended:

```bash
IMG_SIZE=50M
VERITY_DEV=''
HASH_DEV=''
TARGET_DIR=/mnt/dmtest
ROOT_HASH=''
PARAM=''

# Prepare two loop devices
truncate -s $IMG_SIZE verity.img hash.img

losetup -f verity.img
VERITY_DEV=$(sudo losetup -j verity.img | awk -F: '{print $1}')
losetup -f hash.img
HASH_DEV=$(sudo losetup -j hash.img | awk -F: '{print $1}')

# Create the verity device
ROOT_HASH=`veritysetup format $VERITY_DEV $HASH_DEV
          | tail -n 1
          | awk '{print $3}'`
veritysetup create vroot $VERITY_DEV $HASH_DEV $ROOT_HASH

# Reload the verity device
PARAM=$(sudo dmsetup table | awk '{ret = $2 " " $3; print ret}')
dmsetup suspend vroot

# Expect this command to fail
dmsetup reload vroot --table "$PARAM linear $VERITY_DEV 0"
```

[Potential Regression]
Expect low regression potential.

Mike Snitzer (1):
  dm ioctl: fix nested locking in table_clear() to remove deadlock
    concern

 drivers/md/dm-ioctl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Tim Gardner July 31, 2023, 2:30 p.m. UTC | #1

On 7/28/23 1:40 PM, Yuxuan Luo wrote:
> [Impact]
> A denial of service problem was found, due to a possible recursive
> locking scenario, resulting in a deadlock in table_clear in
> drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing
> sub-component.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Tested against the following script to verify that the verity
> functionality is not broken and ioctl is still working as intended:
> 
> ```bash
> IMG_SIZE=50M
> VERITY_DEV=''
> HASH_DEV=''
> TARGET_DIR=/mnt/dmtest
> ROOT_HASH=''
> PARAM=''
> 
> # Prepare two loop devices
> truncate -s $IMG_SIZE verity.img hash.img
> 
> losetup -f verity.img
> VERITY_DEV=$(sudo losetup -j verity.img | awk -F: '{print $1}')
> losetup -f hash.img
> HASH_DEV=$(sudo losetup -j hash.img | awk -F: '{print $1}')
> 
> # Create the verity device
> ROOT_HASH=`veritysetup format $VERITY_DEV $HASH_DEV
>            | tail -n 1
>            | awk '{print $3}'`
> veritysetup create vroot $VERITY_DEV $HASH_DEV $ROOT_HASH
> 
> # Reload the verity device
> PARAM=$(sudo dmsetup table | awk '{ret = $2 " " $3; print ret}')
> dmsetup suspend vroot
> 
> # Expect this command to fail
> dmsetup reload vroot --table "$PARAM linear $VERITY_DEV 0"
> ```
> 
> [Potential Regression]
> Expect low regression potential.
> 
> Mike Snitzer (1):
>    dm ioctl: fix nested locking in table_clear() to remove deadlock
>      concern
> 
>   drivers/md/dm-ioctl.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Cengiz Can July 31, 2023, 6:58 p.m. UTC | #2

On Fri, 2023-07-28 at 15:40 -0400, Yuxuan Luo wrote:
> [Impact]
> A denial of service problem was found, due to a possible recursive
> locking scenario, resulting in a deadlock in table_clear in
> drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing
> sub-component.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Tested against the following script to verify that the verity
> functionality is not broken and ioctl is still working as intended:
> 
> ```bash
> IMG_SIZE=50M
> VERITY_DEV=''
> HASH_DEV=''
> TARGET_DIR=/mnt/dmtest
> ROOT_HASH=''
> PARAM=''
> 
> # Prepare two loop devices
> truncate -s $IMG_SIZE verity.img hash.img
> 
> losetup -f verity.img
> VERITY_DEV=$(sudo losetup -j verity.img | awk -F: '{print $1}')
> losetup -f hash.img
> HASH_DEV=$(sudo losetup -j hash.img | awk -F: '{print $1}')
> 
> # Create the verity device
> ROOT_HASH=`veritysetup format $VERITY_DEV $HASH_DEV
>           | tail -n 1
>           | awk '{print $3}'`
> veritysetup create vroot $VERITY_DEV $HASH_DEV $ROOT_HASH
> 
> # Reload the verity device
> PARAM=$(sudo dmsetup table | awk '{ret = $2 " " $3; print ret}')
> dmsetup suspend vroot
> 
> # Expect this command to fail
> dmsetup reload vroot --table "$PARAM linear $VERITY_DEV 0"
> ```
> 
> [Potential Regression]
> Expect low regression potential.
> 
> Mike Snitzer (1):
>   dm ioctl: fix nested locking in table_clear() to remove deadlock
>     concern

Acked-by: Cengiz Can <cengiz.can@canonical.com>

> 
>  drivers/md/dm-ioctl.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> -- 
> 2.34.1
> 
>

Stefan Bader Aug. 2, 2023, 9:18 a.m. UTC | #3

On 28.07.23 21:40, Yuxuan Luo wrote:
> [Impact]
> A denial of service problem was found, due to a possible recursive
> locking scenario, resulting in a deadlock in table_clear in
> drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing
> sub-component.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Tested against the following script to verify that the verity
> functionality is not broken and ioctl is still working as intended:
> 
> ```bash
> IMG_SIZE=50M
> VERITY_DEV=''
> HASH_DEV=''
> TARGET_DIR=/mnt/dmtest
> ROOT_HASH=''
> PARAM=''
> 
> # Prepare two loop devices
> truncate -s $IMG_SIZE verity.img hash.img
> 
> losetup -f verity.img
> VERITY_DEV=$(sudo losetup -j verity.img | awk -F: '{print $1}')
> losetup -f hash.img
> HASH_DEV=$(sudo losetup -j hash.img | awk -F: '{print $1}')
> 
> # Create the verity device
> ROOT_HASH=`veritysetup format $VERITY_DEV $HASH_DEV
>            | tail -n 1
>            | awk '{print $3}'`
> veritysetup create vroot $VERITY_DEV $HASH_DEV $ROOT_HASH
> 
> # Reload the verity device
> PARAM=$(sudo dmsetup table | awk '{ret = $2 " " $3; print ret}')
> dmsetup suspend vroot
> 
> # Expect this command to fail
> dmsetup reload vroot --table "$PARAM linear $VERITY_DEV 0"
> ```
> 
> [Potential Regression]
> Expect low regression potential.
> 
> Mike Snitzer (1):
>    dm ioctl: fix nested locking in table_clear() to remove deadlock
>      concern
> 
>   drivers/md/dm-ioctl.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 

Rejected for the following reasons:
Patch was already applied (could reverse-apply) to Focal as a pending 
stable commit. I have just adjusted the existing commit message to 
include the CVE number.

-Stefan