From 34284455a6241f0b657f9824971df140a8b829cf Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 28 May 2020 23:33:22 +0200 Subject: [PATCH] fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) --- debian/changelog | 1 + ...ix-mountpoint-reference-counter-race.patch | 48 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 50 insertions(+) create mode 100644 debian/patches/bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch diff --git a/debian/changelog b/debian/changelog index c98562377..f165190e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium * selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751) + * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114) -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200 diff --git a/debian/patches/bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch b/debian/patches/bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch new file mode 100644 index 000000000..70e9d44a4 --- /dev/null +++ b/debian/patches/bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch @@ -0,0 +1,48 @@ +From: Piotr Krysiuk +Date: Mon, 27 Apr 2020 11:34:12 +0100 +Subject: fs/namespace.c: fix mountpoint reference counter race +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f511dc75d22e0c000fc70b54f670c2c17f5fba9a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-12114 + +A race condition between threads updating mountpoint reference counter +affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118. + +The mountpoint reference counter corruption may occur when: +* one thread increments m_count member of struct mountpoint + [under namespace_sem, but not holding mount_lock] + pivot_root() +* another thread simultaneously decrements the same m_count + [under mount_lock, but not holding namespace_sem] + put_mountpoint() + unhash_mnt() + umount_mnt() + mntput_no_expire() + +To fix this race condition, grab mount_lock before updating m_count in +pivot_root(). + +Reference: CVE-2020-12114 +Cc: Al Viro +Signed-off-by: Piotr Krysiuk +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 1fce41ba3535..741f40cd955e 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3142,8 +3142,8 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make certain new is below the root */ + if (!is_path_reachable(new_mnt, new.dentry, &root)) + goto out4; +- root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); ++ root_mp->m_count++; /* pin it so it won't go away */ + detach_mnt(new_mnt, &parent_path); + detach_mnt(root_mnt, &root_parent); + if (root_mnt->mnt.mnt_flags & MNT_LOCKED) { +-- +2.27.0.rc0 + diff --git a/debian/patches/series b/debian/patches/series index ee50e4c72..4cd693801 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -301,5 +301,6 @@ bugfix/all/blktrace-protect-q-blk_trace-with-rcu.patch bugfix/all/blktrace-fix-dereference-after-null-check.patch bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch +bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch # ABI maintenance