Message ID | 20190828152839.5463-2-connor.kuehl@canonical.com |
---|---|
State | New |
Headers | show |
Series | Fix for CVE-2016-10905 | expand |
On 2019-08-28 08:28:39, Connor Kuehl wrote: > From: Bob Peterson <rpeterso@redhat.com> > > CVE-2016-10905 > > Before this patch, function read_rindex_entry would set a rgrp > glock's gl_object pointer to itself before inserting the rgrp into > the rgrp rbtree. The problem is: if another process was also reading > the rgrp in, and had already inserted its newly created rgrp, then > the second call to read_rindex_entry would overwrite that value, > then return a bad return code to the caller. Later, other functions > would reference the now-freed rgrp memory by way of gl_object. > In some cases, that could result in gfs2_rgrp_brelse being called > twice for the same rgrp: once for the failed attempt and once for > the "real" rgrp release. Eventually the kernel would panic. > There are also a number of other things that could go wrong when > a kernel module is accessing freed storage. For example, this could > result in rgrp corruption because the fake rgrp would point to a > fake bitmap in memory too, causing gfs2_inplace_reserve to search > some random memory for free blocks, and find some, since we were > never setting rgd->rd_bits to NULL before freeing it. > > This patch fixes the problem by not setting gl_object until we > have successfully inserted the rgrp into the rbtree. Also, it sets > rd_bits to NULL as it frees them, which will ensure any accidental > access to the wrong rgrp will result in a kernel panic rather than > file system corruption, which is preferred. > > Signed-off-by: Bob Peterson <rpeterso@redhat.com> > (backported from commit 36e4ad0316c017d5b271378ed9a1c9a4b77fab5f) > [ Connor Kuehl: Minor context adjustment. The hunk in > read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but > that rename is introduced in a mainline patch that is not in Xenial: > 09cbfeaf1a5a "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} > macros" ] > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Thanks! Tyler > --- > fs/gfs2/rgrp.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c > index ef24894edecc..9c159e6ad116 100644 > --- a/fs/gfs2/rgrp.c > +++ b/fs/gfs2/rgrp.c > @@ -739,6 +739,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) > > gfs2_free_clones(rgd); > kfree(rgd->rd_bits); > + rgd->rd_bits = NULL; > return_all_reservations(rgd); > kmem_cache_free(gfs2_rgrpd_cachep, rgd); > } > @@ -933,10 +934,6 @@ static int read_rindex_entry(struct gfs2_inode *ip) > if (error) > goto fail; > > - rgd->rd_gl->gl_object = rgd; > - rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_CACHE_MASK; > - rgd->rd_gl->gl_vm.end = PAGE_CACHE_ALIGN((rgd->rd_addr + > - rgd->rd_length) * bsize) - 1; > rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr; > rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED); > if (rgd->rd_data > sdp->sd_max_rg_data) > @@ -944,14 +941,20 @@ static int read_rindex_entry(struct gfs2_inode *ip) > spin_lock(&sdp->sd_rindex_spin); > error = rgd_insert(rgd); > spin_unlock(&sdp->sd_rindex_spin); > - if (!error) > + if (!error) { > + rgd->rd_gl->gl_object = rgd; > + rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK; > + rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + > + rgd->rd_length) * bsize) - 1; > return 0; > + } > > error = 0; /* someone else read in the rgrp; free it and ignore it */ > gfs2_glock_put(rgd->rd_gl); > > fail: > kfree(rgd->rd_bits); > + rgd->rd_bits = NULL; > kmem_cache_free(gfs2_rgrpd_cachep, rgd); > return error; > } > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 8/28/19 5:28 PM, Connor Kuehl wrote: > From: Bob Peterson <rpeterso@redhat.com> > > CVE-2016-10905 > > Before this patch, function read_rindex_entry would set a rgrp > glock's gl_object pointer to itself before inserting the rgrp into > the rgrp rbtree. The problem is: if another process was also reading > the rgrp in, and had already inserted its newly created rgrp, then > the second call to read_rindex_entry would overwrite that value, > then return a bad return code to the caller. Later, other functions > would reference the now-freed rgrp memory by way of gl_object. > In some cases, that could result in gfs2_rgrp_brelse being called > twice for the same rgrp: once for the failed attempt and once for > the "real" rgrp release. Eventually the kernel would panic. > There are also a number of other things that could go wrong when > a kernel module is accessing freed storage. For example, this could > result in rgrp corruption because the fake rgrp would point to a > fake bitmap in memory too, causing gfs2_inplace_reserve to search > some random memory for free blocks, and find some, since we were > never setting rgd->rd_bits to NULL before freeing it. > > This patch fixes the problem by not setting gl_object until we > have successfully inserted the rgrp into the rbtree. Also, it sets > rd_bits to NULL as it frees them, which will ensure any accidental > access to the wrong rgrp will result in a kernel panic rather than > file system corruption, which is preferred. > > Signed-off-by: Bob Peterson <rpeterso@redhat.com> > (backported from commit 36e4ad0316c017d5b271378ed9a1c9a4b77fab5f) > [ Connor Kuehl: Minor context adjustment. The hunk in > read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but > that rename is introduced in a mainline patch that is not in Xenial: > 09cbfeaf1a5a "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} > macros" ] > Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > fs/gfs2/rgrp.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c > index ef24894edecc..9c159e6ad116 100644 > --- a/fs/gfs2/rgrp.c > +++ b/fs/gfs2/rgrp.c > @@ -739,6 +739,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) > > gfs2_free_clones(rgd); > kfree(rgd->rd_bits); > + rgd->rd_bits = NULL; > return_all_reservations(rgd); > kmem_cache_free(gfs2_rgrpd_cachep, rgd); > } > @@ -933,10 +934,6 @@ static int read_rindex_entry(struct gfs2_inode *ip) > if (error) > goto fail; > > - rgd->rd_gl->gl_object = rgd; > - rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_CACHE_MASK; > - rgd->rd_gl->gl_vm.end = PAGE_CACHE_ALIGN((rgd->rd_addr + > - rgd->rd_length) * bsize) - 1; > rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr; > rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED); > if (rgd->rd_data > sdp->sd_max_rg_data) > @@ -944,14 +941,20 @@ static int read_rindex_entry(struct gfs2_inode *ip) > spin_lock(&sdp->sd_rindex_spin); > error = rgd_insert(rgd); > spin_unlock(&sdp->sd_rindex_spin); > - if (!error) > + if (!error) { > + rgd->rd_gl->gl_object = rgd; > + rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK; > + rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + > + rgd->rd_length) * bsize) - 1; > return 0; > + } > > error = 0; /* someone else read in the rgrp; free it and ignore it */ > gfs2_glock_put(rgd->rd_gl); > > fail: > kfree(rgd->rd_bits); > + rgd->rd_bits = NULL; > kmem_cache_free(gfs2_rgrpd_cachep, rgd); > return error; > } >
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c index ef24894edecc..9c159e6ad116 100644 --- a/fs/gfs2/rgrp.c +++ b/fs/gfs2/rgrp.c @@ -739,6 +739,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) gfs2_free_clones(rgd); kfree(rgd->rd_bits); + rgd->rd_bits = NULL; return_all_reservations(rgd); kmem_cache_free(gfs2_rgrpd_cachep, rgd); } @@ -933,10 +934,6 @@ static int read_rindex_entry(struct gfs2_inode *ip) if (error) goto fail; - rgd->rd_gl->gl_object = rgd; - rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_CACHE_MASK; - rgd->rd_gl->gl_vm.end = PAGE_CACHE_ALIGN((rgd->rd_addr + - rgd->rd_length) * bsize) - 1; rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr; rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED); if (rgd->rd_data > sdp->sd_max_rg_data) @@ -944,14 +941,20 @@ static int read_rindex_entry(struct gfs2_inode *ip) spin_lock(&sdp->sd_rindex_spin); error = rgd_insert(rgd); spin_unlock(&sdp->sd_rindex_spin); - if (!error) + if (!error) { + rgd->rd_gl->gl_object = rgd; + rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK; + rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + + rgd->rd_length) * bsize) - 1; return 0; + } error = 0; /* someone else read in the rgrp; free it and ignore it */ gfs2_glock_put(rgd->rd_gl); fail: kfree(rgd->rd_bits); + rgd->rd_bits = NULL; kmem_cache_free(gfs2_rgrpd_cachep, rgd); return error; }