loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
This commit is contained in:
parent
6c0d6a6239
commit
0bb5e7cccb
|
@ -2,6 +2,7 @@ linux (4.14.13-2) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
|
* RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
|
||||||
* RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
|
* RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
|
||||||
|
* loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 16 Jan 2018 20:50:23 +0100
|
-- Salvatore Bonaccorso <carnil@debian.org> Tue, 16 Jan 2018 20:50:23 +0100
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Date: Fri, 5 Jan 2018 16:26:00 -0800
|
||||||
|
Subject: loop: fix concurrent lo_open/lo_release
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
Origin: https://git.kernel.org/linus/ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5344
|
||||||
|
|
||||||
|
范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
|
||||||
|
The reason is due to insufficient serialization in lo_release(), which
|
||||||
|
will continue to use the loop device even after it has decremented the
|
||||||
|
lo_refcnt to zero.
|
||||||
|
|
||||||
|
In the meantime, another process can come in, open the loop device
|
||||||
|
again as it is being shut down. Confusion ensues.
|
||||||
|
|
||||||
|
Reported-by: 范龙飞 <long7573@126.com>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||||
|
---
|
||||||
|
drivers/block/loop.c | 10 ++++++++--
|
||||||
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
|
||||||
|
index bc8e61506968..d5fe720cf149 100644
|
||||||
|
--- a/drivers/block/loop.c
|
||||||
|
+++ b/drivers/block/loop.c
|
||||||
|
@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||||
|
+static void __lo_release(struct loop_device *lo)
|
||||||
|
{
|
||||||
|
- struct loop_device *lo = disk->private_data;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
if (atomic_dec_return(&lo->lo_refcnt))
|
||||||
|
@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||||
|
mutex_unlock(&lo->lo_ctl_mutex);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void lo_release(struct gendisk *disk, fmode_t mode)
|
||||||
|
+{
|
||||||
|
+ mutex_lock(&loop_index_mutex);
|
||||||
|
+ __lo_release(disk->private_data);
|
||||||
|
+ mutex_unlock(&loop_index_mutex);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static const struct block_device_operations lo_fops = {
|
||||||
|
.owner = THIS_MODULE,
|
||||||
|
.open = lo_open,
|
||||||
|
--
|
||||||
|
2.15.1
|
||||||
|
|
|
@ -133,6 +133,7 @@ bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
|
||||||
bugfix/all/bpf-fix-integer-overflows.patch
|
bugfix/all/bpf-fix-integer-overflows.patch
|
||||||
bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
|
bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
|
||||||
bugfix/all/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
|
bugfix/all/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
|
||||||
|
bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|
Loading…
Reference in New Issue