propagate_one(): mnt_set_mountpoint() needs mount_lock
A similar issue to CVE-2020-12114.
This commit is contained in:
parent
6e26711704
commit
ff5ad5a3d1
|
@ -1,5 +1,6 @@
|
|||
linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* selinux: properly handle multiple messages in selinux_netlink_send()
|
||||
(CVE-2020-10751)
|
||||
* fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
|
||||
|
@ -27,6 +28,9 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
|
|||
* [x86] KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (CVE-2019-3016)
|
||||
* [x86] KVM: Clean up host's steal time structure (CVE-2019-3016)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* propagate_one(): mnt_set_mountpoint() needs mount_lock
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
|
||||
|
||||
linux (4.19.118-2) buster; urgency=medium
|
||||
|
|
45
debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
vendored
Normal file
45
debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
vendored
Normal file
|
@ -0,0 +1,45 @@
|
|||
From: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Date: Mon, 27 Apr 2020 10:26:22 -0400
|
||||
Subject: propagate_one(): mnt_set_mountpoint() needs mount_lock
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=fa87bf609aa173b5dce91d23cd3dcebd9e846124
|
||||
|
||||
commit b0d3869ce9eeacbb1bbd541909beeef4126426d5 upstream.
|
||||
|
||||
... to protect the modification of mp->m_count done by it. Most of
|
||||
the places that modify that thing also have namespace_lock held,
|
||||
but not all of them can do so, so we really need mount_lock here.
|
||||
Kudos to Piotr Krysiuk <piotras@gmail.com>, who'd spotted a related
|
||||
bug in pivot_root(2) (fixed unnoticed in 5.3); search for other
|
||||
similar turds has caught out this one.
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
fs/pnode.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/fs/pnode.c b/fs/pnode.c
|
||||
index 53d411a371ce..7910ae91f17e 100644
|
||||
--- a/fs/pnode.c
|
||||
+++ b/fs/pnode.c
|
||||
@@ -266,14 +266,13 @@ static int propagate_one(struct mount *m)
|
||||
if (IS_ERR(child))
|
||||
return PTR_ERR(child);
|
||||
child->mnt.mnt_flags &= ~MNT_LOCKED;
|
||||
+ read_seqlock_excl(&mount_lock);
|
||||
mnt_set_mountpoint(m, mp, child);
|
||||
+ if (m->mnt_master != dest_master)
|
||||
+ SET_MNT_MARK(m->mnt_master);
|
||||
+ read_sequnlock_excl(&mount_lock);
|
||||
last_dest = m;
|
||||
last_source = child;
|
||||
- if (m->mnt_master != dest_master) {
|
||||
- read_seqlock_excl(&mount_lock);
|
||||
- SET_MNT_MARK(m->mnt_master);
|
||||
- read_sequnlock_excl(&mount_lock);
|
||||
- }
|
||||
hlist_add_head(&child->mnt_hash, list);
|
||||
return count_mounts(m->mnt_ns, child);
|
||||
}
|
|
@ -302,6 +302,7 @@ bugfix/all/blktrace-fix-dereference-after-null-check.patch
|
|||
bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
|
||||
bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
|
||||
bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
|
||||
bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
|
||||
bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
|
||||
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
||||
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
||||
|
|
Loading…
Reference in New Issue