[Xenial,SRU,CVE-2016-10905,1/1] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

From: Bob Peterson <rpeterso@redhat.com>

CVE-2016-10905

Before this patch, function read_rindex_entry would set a rgrp
glock's gl_object pointer to itself before inserting the rgrp into
the rgrp rbtree. The problem is: if another process was also reading
the rgrp in, and had already inserted its newly created rgrp, then
the second call to read_rindex_entry would overwrite that value,
then return a bad return code to the caller. Later, other functions
would reference the now-freed rgrp memory by way of gl_object.
In some cases, that could result in gfs2_rgrp_brelse being called
twice for the same rgrp: once for the failed attempt and once for
the "real" rgrp release. Eventually the kernel would panic.
There are also a number of other things that could go wrong when
a kernel module is accessing freed storage. For example, this could
result in rgrp corruption because the fake rgrp would point to a
fake bitmap in memory too, causing gfs2_inplace_reserve to search
some random memory for free blocks, and find some, since we were
never setting rgd->rd_bits to NULL before freeing it.

This patch fixes the problem by not setting gl_object until we
have successfully inserted the rgrp into the rbtree. Also, it sets
rd_bits to NULL as it frees them, which will ensure any accidental
access to the wrong rgrp will result in a kernel panic rather than
file system corruption, which is preferred.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
(backported from commit 36e4ad0316c017d5b271378ed9a1c9a4b77fab5f)
[ Connor Kuehl: Minor context adjustment. The hunk in
  read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but
  that rename is introduced in a mainline patch that is not in Xenial:
  09cbfeaf1a5a "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release}
  macros" ]
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
---
 fs/gfs2/rgrp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

On 2019-08-28 08:28:39, Connor Kuehl wrote:
> From: Bob Peterson <rpeterso@redhat.com>
> 
> CVE-2016-10905
> 
> Before this patch, function read_rindex_entry would set a rgrp
> glock's gl_object pointer to itself before inserting the rgrp into
> the rgrp rbtree. The problem is: if another process was also reading
> the rgrp in, and had already inserted its newly created rgrp, then
> the second call to read_rindex_entry would overwrite that value,
> then return a bad return code to the caller. Later, other functions
> would reference the now-freed rgrp memory by way of gl_object.
> In some cases, that could result in gfs2_rgrp_brelse being called
> twice for the same rgrp: once for the failed attempt and once for
> the "real" rgrp release. Eventually the kernel would panic.
> There are also a number of other things that could go wrong when
> a kernel module is accessing freed storage. For example, this could
> result in rgrp corruption because the fake rgrp would point to a
> fake bitmap in memory too, causing gfs2_inplace_reserve to search
> some random memory for free blocks, and find some, since we were
> never setting rgd->rd_bits to NULL before freeing it.
> 
> This patch fixes the problem by not setting gl_object until we
> have successfully inserted the rgrp into the rbtree. Also, it sets
> rd_bits to NULL as it frees them, which will ensure any accidental
> access to the wrong rgrp will result in a kernel panic rather than
> file system corruption, which is preferred.
> 
> Signed-off-by: Bob Peterson <rpeterso@redhat.com>
> (backported from commit 36e4ad0316c017d5b271378ed9a1c9a4b77fab5f)
> [ Connor Kuehl: Minor context adjustment. The hunk in
>   read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but
>   that rename is introduced in a mainline patch that is not in Xenial:
>   09cbfeaf1a5a "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release}
>   macros" ]
> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks!

Tyler

> ---
>  fs/gfs2/rgrp.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
> index ef24894edecc..9c159e6ad116 100644
> --- a/fs/gfs2/rgrp.c
> +++ b/fs/gfs2/rgrp.c
> @@ -739,6 +739,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
>  
>  		gfs2_free_clones(rgd);
>  		kfree(rgd->rd_bits);
> +		rgd->rd_bits = NULL;
>  		return_all_reservations(rgd);
>  		kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>  	}
> @@ -933,10 +934,6 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>  	if (error)
>  		goto fail;
>  
> -	rgd->rd_gl->gl_object = rgd;
> -	rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_CACHE_MASK;
> -	rgd->rd_gl->gl_vm.end = PAGE_CACHE_ALIGN((rgd->rd_addr +
> -						  rgd->rd_length) * bsize) - 1;
>  	rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr;
>  	rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED);
>  	if (rgd->rd_data > sdp->sd_max_rg_data)
> @@ -944,14 +941,20 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>  	spin_lock(&sdp->sd_rindex_spin);
>  	error = rgd_insert(rgd);
>  	spin_unlock(&sdp->sd_rindex_spin);
> -	if (!error)
> +	if (!error) {
> +		rgd->rd_gl->gl_object = rgd;
> +		rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> +		rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr +
> +						    rgd->rd_length) * bsize) - 1;
>  		return 0;
> +	}
>  
>  	error = 0; /* someone else read in the rgrp; free it and ignore it */
>  	gfs2_glock_put(rgd->rd_gl);
>  
>  fail:
>  	kfree(rgd->rd_bits);
> +	rgd->rd_bits = NULL;
>  	kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>  	return error;
>  }
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 8/28/19 5:28 PM, Connor Kuehl wrote:
> From: Bob Peterson <rpeterso@redhat.com>
> 
> CVE-2016-10905
> 
> Before this patch, function read_rindex_entry would set a rgrp
> glock's gl_object pointer to itself before inserting the rgrp into
> the rgrp rbtree. The problem is: if another process was also reading
> the rgrp in, and had already inserted its newly created rgrp, then
> the second call to read_rindex_entry would overwrite that value,
> then return a bad return code to the caller. Later, other functions
> would reference the now-freed rgrp memory by way of gl_object.
> In some cases, that could result in gfs2_rgrp_brelse being called
> twice for the same rgrp: once for the failed attempt and once for
> the "real" rgrp release. Eventually the kernel would panic.
> There are also a number of other things that could go wrong when
> a kernel module is accessing freed storage. For example, this could
> result in rgrp corruption because the fake rgrp would point to a
> fake bitmap in memory too, causing gfs2_inplace_reserve to search
> some random memory for free blocks, and find some, since we were
> never setting rgd->rd_bits to NULL before freeing it.
> 
> This patch fixes the problem by not setting gl_object until we
> have successfully inserted the rgrp into the rbtree. Also, it sets
> rd_bits to NULL as it frees them, which will ensure any accidental
> access to the wrong rgrp will result in a kernel panic rather than
> file system corruption, which is preferred.
> 
> Signed-off-by: Bob Peterson <rpeterso@redhat.com>
> (backported from commit 36e4ad0316c017d5b271378ed9a1c9a4b77fab5f)
> [ Connor Kuehl: Minor context adjustment. The hunk in
>   read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but
>   that rename is introduced in a mainline patch that is not in Xenial:
>   09cbfeaf1a5a "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release}
>   macros" ]
> Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  fs/gfs2/rgrp.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
> index ef24894edecc..9c159e6ad116 100644
> --- a/fs/gfs2/rgrp.c
> +++ b/fs/gfs2/rgrp.c
> @@ -739,6 +739,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
>  
>  		gfs2_free_clones(rgd);
>  		kfree(rgd->rd_bits);
> +		rgd->rd_bits = NULL;
>  		return_all_reservations(rgd);
>  		kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>  	}
> @@ -933,10 +934,6 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>  	if (error)
>  		goto fail;
>  
> -	rgd->rd_gl->gl_object = rgd;
> -	rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_CACHE_MASK;
> -	rgd->rd_gl->gl_vm.end = PAGE_CACHE_ALIGN((rgd->rd_addr +
> -						  rgd->rd_length) * bsize) - 1;
>  	rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr;
>  	rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED);
>  	if (rgd->rd_data > sdp->sd_max_rg_data)
> @@ -944,14 +941,20 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>  	spin_lock(&sdp->sd_rindex_spin);
>  	error = rgd_insert(rgd);
>  	spin_unlock(&sdp->sd_rindex_spin);
> -	if (!error)
> +	if (!error) {
> +		rgd->rd_gl->gl_object = rgd;
> +		rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> +		rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr +
> +						    rgd->rd_length) * bsize) - 1;
>  		return 0;
> +	}
>  
>  	error = 0; /* someone else read in the rgrp; free it and ignore it */
>  	gfs2_glock_put(rgd->rd_gl);
>  
>  fail:
>  	kfree(rgd->rd_bits);
> +	rgd->rd_bits = NULL;
>  	kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>  	return error;
>  }
>