From patchwork Thu Nov 7 16:08:24 2019
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1191253
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][SRU][D/E] UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
Date: Thu, 7 Nov 2019 10:08:24 -0600
Message-Id: <20191107160825.30000-2-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20191107160825.30000-1-seth.forshee@canonical.com>
References: <20191107160825.30000-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1850994

shiftfs_mmap() overwrites vma->vm_file before calling the lower filesystem
mmap but does not restore the original value on failure. This means it is
giving a pointer to the lower fs file back to the caller with no reference,
which is a bad practice. However, it does not lead to any issues with
upstream kernels as no caller accesses vma->vm_file after call_mmap().

With the aufs patches applied the story is different. Whereas mmap_region()
previously fput a local variable containing the file it assigned to vm_file,
it now calls vma_fput() which will fput vm_file, for which it has no
reference, and the reference for the original vm_file is not put.

Fix this by restoring vma->vm_file to the original value when the mmap call
into the lower fs fails.

CVE-2019-15794

Reported-by: Jann Horn
Signed-off-by: Seth Forshee
---
 fs/shiftfs.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 55bb32b611f2..57d84479026b 100644
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -1289,10 +1289,17 @@ static int shiftfs_mmap(struct file *file, struct vm_area_struct *vma) shiftfs_file_accessed(file); - if (ret) - fput(realfile); /* Drop refcount from new vm_file value */ - else - fput(file); /* Drop refcount from previous vm_file value */ + if (ret) { + /* + * Drop refcount from new vm_file value and restore original + * vm_file value + */ + vma->vm_file = file; + fput(realfile); + } else { + /* Drop refcount from previous vm_file value */ + fput(file); + } return ret; }

From patchwork Thu Nov 7 16:08:25 2019
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1191255
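Review bot: in the error branch of the shiftfs_mmap() hunk the new comment reads "Drop refcount from new vm_file value and restore original vm_file value", but the code restores vma->vm_file first and calls fput(realfile) second, and that order is the whole point of the fix: a caller that does vma_fput() must never find realfile in vm_file after the reference on it has been dropped. Reword the comment to match the code, e.g. /* Restore original vm_file value, then drop refcount from the new one */, so the two statements are not later "tidied" into the order the comment describes. The success branch is unchanged in behaviour (vm_file keeps realfile, the reference on file is dropped), which is fine.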
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/2][SRU][D/E] UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
Date: Thu, 7 Nov 2019 10:08:25 -0600
Message-Id: <20191107160825.30000-3-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20191107160825.30000-1-seth.forshee@canonical.com>
References: <20191107160825.30000-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1850994

ovl_mmap() overwrites vma->vm_file before calling the lower filesystem mmap
but does not restore the original value on failure. This means it is giving
a pointer to the lower fs file back to the caller with no reference, which
is a bad practice. However, it does not lead to any issues with upstream
kernels as no caller accesses vma->vm_file after call_mmap().

With the aufs patches applied the story is different. Whereas mmap_region()
previously fput a local variable containing the file it assigned to vm_file,
it now calls vma_fput() which will fput vm_file, for which it has no
reference, and the reference for the original vm_file is not put.

Fix this by restoring vma->vm_file to the original value when the mmap call
into the lower fs fails.

CVE-2019-15794

Reported-by: Jann Horn
Signed-off-by: Seth Forshee
---
 fs/overlayfs/file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 895f2c5565d3..43ad47cc046f 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -334,7 +334,11 @@ static int ovl_mmap(struct file *file, struct vm_area_struct *vma) revert_creds(old_cred); if (ret) { - /* Drop reference count from new vm_file value */ + /* + * Drop reference count from new vm_file value and restore + * original vm_file value + */ + vma->vm_file = file; fput(realfile); } else { /* Drop reference count from previous vm_file value */
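Review bot: the ovl_mmap() hunk has the same comment-versus-code ordering as the shiftfs one: the comment describes drop-then-restore while the code does restore-then-drop, and restore-first is what keeps a vma_fput() caller away from a dropped pointer, so the comment should say that. Separately, ovl_mmap() is upstream code and the commit message itself calls handing back a vm_file with no reference bad practice even where it is harmless; either send this hunk upstream as a cleanup or state in the commit message why it stays SAUCE, since the only trigger named is the aufs vma_fput() path that upstream does not have.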
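The reference-counting story both commit messages tell, as an added example that is not code from the Ubuntu kernel or from these patches: a user-space model in which struct file, get_file(), fput(), the lower-fs mmap and the two mmap_region() callers are stand-ins written for this example, with only the control flow mirroring the kernel. It runs the "before" and the fixed stacked-fs mmap under an upstream-style caller (which fputs the local pointer it installed) and an aufs-style caller (which fputs whatever vma->vm_file holds) and reports where the two refcounts end up.

```c
/*
 * Added example, not code from the Ubuntu kernel or from these patches.
 * Every type and function here is a stand-in written for the example; the
 * names mirror the kernel ones so the control flow can be compared with
 * the two hunks above.
 */
#include <errno.h>
#include <stdio.h>

struct file {
    const char *name;
    int refcount;
};

struct vm_area_struct {
    struct file *vm_file;
};

/* Stand-ins for the kernel's get_file() and fput(). */
static struct file *get_file(struct file *f) { f->refcount++; return f; }
static void fput(struct file *f) { f->refcount--; }

/* Constructed lower-fs mmap: fails with -ENODEV when told to. */
static int lower_mmap_fails;
static int lower_mmap(struct file *realfile, struct vm_area_struct *vma)
{
    (void)realfile; (void)vma;
    return lower_mmap_fails ? -ENODEV : 0;
}

typedef int (*stacked_mmap_fn)(struct file *, struct file *,
                               struct vm_area_struct *);

/* The "before" behaviour: on failure the extra reference on realfile is
 * dropped but vma->vm_file keeps pointing at realfile with no reference. */
static int stacked_mmap_buggy(struct file *file, struct file *realfile,
                              struct vm_area_struct *vma)
{
    int ret;

    vma->vm_file = get_file(realfile);
    ret = lower_mmap(realfile, vma);
    if (ret)
        fput(realfile);     /* drop refcount from new vm_file value */
    else
        fput(file);         /* drop refcount from previous vm_file value */
    return ret;
}

/* The fixed behaviour from both patches: restore vma->vm_file before the
 * reference on realfile goes away. */
static int stacked_mmap_fixed(struct file *file, struct file *realfile,
                              struct vm_area_struct *vma)
{
    int ret;

    vma->vm_file = get_file(realfile);
    ret = lower_mmap(realfile, vma);
    if (ret) {
        vma->vm_file = file;
        fput(realfile);
    } else {
        fput(file);
    }
    return ret;
}

/* Upstream mmap_region() fputs the local variable it installed in vm_file;
 * the aufs-patched one calls vma_fput(), i.e. fputs vma->vm_file. */
enum caller { CALLER_UPSTREAM, CALLER_AUFS };

struct refs { int file; int real; };

/* Runs one mmap through a modelled mmap_region() and returns the final
 * refcounts. Both start at 1 (the fd's reference on the upper file and the
 * stacked fs's own reference on the lower file), so balanced means both
 * end at 1 again. */
struct refs final_refs(stacked_mmap_fn mmap, enum caller c, int fail)
{
    struct file file = { "upper", 1 };
    struct file realfile = { "lower", 1 };
    struct vm_area_struct vma;
    struct refs out;

    lower_mmap_fails = fail;
    vma.vm_file = get_file(&file);      /* mmap_region: vma->vm_file = get_file(file) */
    if (mmap(&file, &realfile, &vma) == 0)
        fput(vma.vm_file);              /* later munmap drops the VMA's reference */
    else if (c == CALLER_UPSTREAM)
        fput(&file);                    /* error path: fput the local variable */
    else
        fput(vma.vm_file);              /* error path: vma_fput(vma) */
    out.file = file.refcount;
    out.real = realfile.refcount;
    return out;
}

int refcounts_balanced(stacked_mmap_fn mmap, enum caller c, int fail)
{
    struct refs r = final_refs(mmap, c, fail);
    return r.file == 1 && r.real == 1;
}

int main(void)
{
    struct refs r = final_refs(stacked_mmap_buggy, CALLER_AUFS, 1);

    /* upper=2 (leaked), lower=0 (a reference dropped that was never held) */
    printf("buggy mmap, aufs caller, lower mmap fails: upper=%d lower=%d\n",
           r.file, r.real);
    r = final_refs(stacked_mmap_fixed, CALLER_AUFS, 1);
    printf("fixed mmap, aufs caller, lower mmap fails: upper=%d lower=%d\n",
           r.file, r.real);   /* upper=1 lower=1 */
    printf("buggy mmap, upstream caller, lower mmap fails: balanced=%d\n",
           refcounts_balanced(stacked_mmap_buggy, CALLER_UPSTREAM, 1));
    return 0;
}
```

The upstream-caller run shows why the commit messages say the old code was harmless there: the caller never reads vma->vm_file on the error path, so the dangling pointer is never used and the counts balance. The aufs-caller run is the CVE case: the reference that gets dropped belongs to the lower file, which the stacked fs still relies on, while the reference on the upper file is never released. The fixed wrapper balances under both callers because it puts the caller's own file back before anything can be fput through vm_file.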