propagate_one(): mnt_set_mountpoint() needs mount_lock

A similar issue to CVE-2020-12114.
Ben Hutchings 2020-06-07 00:46:11 +01:00
parent 6e26711704
commit ff5ad5a3d1
3 changed files with 50 additions and 0 deletions

debian/changelog

@ -1,5 +1,6 @@
linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* selinux: properly handle multiple messages in selinux_netlink_send()
(CVE-2020-10751)
* fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
@ -27,6 +28,9 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
* [x86] KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (CVE-2019-3016)
* [x86] KVM: Clean up host's steal time structure (CVE-2019-3016)
[ Ben Hutchings ]
* propagate_one(): mnt_set_mountpoint() needs mount_lock
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
linux (4.19.118-2) buster; urgency=medium
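Review bot: the new entry under [ Ben Hutchings ] carries only the upstream subject line, while the commit message itself ties the fix to CVE-2020-12114; cross-referencing that in the changelog line, e.g. `* propagate_one(): mnt_set_mountpoint() needs mount_lock (see CVE-2020-12114)`, would let the security tracker and anyone reading the stanza connect it to the fs/namespace.c entry a few lines above. The stanza is still UNRELEASED, so the existing trailer line can stay as is until upload.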


@ -0,0 +1,45 @@
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon, 27 Apr 2020 10:26:22 -0400
Subject: propagate_one(): mnt_set_mountpoint() needs mount_lock
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=fa87bf609aa173b5dce91d23cd3dcebd9e846124
commit b0d3869ce9eeacbb1bbd541909beeef4126426d5 upstream.
... to protect the modification of mp->m_count done by it. Most of
the places that modify that thing also have namespace_lock held,
but not all of them can do so, so we really need mount_lock here.
Kudos to Piotr Krysiuk <piotras@gmail.com>, who'd spotted a related
bug in pivot_root(2) (fixed unnoticed in 5.3); search for other
similar turds has caught out this one.
Cc: stable@kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/pnode.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/pnode.c b/fs/pnode.c
index 53d411a371ce..7910ae91f17e 100644
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -266,14 +266,13 @@ static int propagate_one(struct mount *m)
if (IS_ERR(child))
return PTR_ERR(child);
child->mnt.mnt_flags &= ~MNT_LOCKED;
+ read_seqlock_excl(&mount_lock);
mnt_set_mountpoint(m, mp, child);
+ if (m->mnt_master != dest_master)
+ SET_MNT_MARK(m->mnt_master);
+ read_sequnlock_excl(&mount_lock);
last_dest = m;
last_source = child;
- if (m->mnt_master != dest_master) {
- read_seqlock_excl(&mount_lock);
- SET_MNT_MARK(m->mnt_master);
- read_sequnlock_excl(&mount_lock);
- }
hlist_add_head(&child->mnt_hash, list);
return count_mounts(m->mnt_ns, child);
}
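Review bot: in the fs/pnode.c hunk the mount_lock critical section now covers mnt_set_mountpoint() as well as the SET_MNT_MARK() that was already under it, which is exactly what the header describes (protecting the mp->m_count update). One thing to confirm for the 4.19 backport: read_seqlock_excl() is not recursive, so mnt_set_mountpoint() in this tree must not take mount_lock itself; the Origin line points at a stable-tree commit (fa87bf60...) while the body cites the mainline id (b0d3869c...), and the branch the stable id was taken from is not stated in the header, so it is worth noting which stable series it came from. Moving the `m->mnt_master != dest_master` comparison inside the lock is harmless, since dest_master is fixed for the duration of the call and the lock is now held unconditionally anyway.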


@ -302,6 +302,7 @@ bugfix/all/blktrace-fix-dereference-after-null-check.patch
bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch