From ff5ad5a3d1175fdccde72067808b1d6fcea8a31e Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sun, 7 Jun 2020 00:46:11 +0100
Subject: [PATCH] propagate_one(): mnt_set_mountpoint() needs mount_lock
A similar issue to CVE-2020-12114.
---
 debian/changelog | 4 ++
 ...-mnt_set_mountpoint-needs-mount_lock.patch | 45 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 50 insertions(+)
 create mode 100644 debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
diff --git a/debian/changelog b/debian/changelog
index d2911c508..0c78411a1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
+ [ Salvatore Bonaccorso ]
 * selinux: properly handle multiple messages in selinux_netlink_send() (CVE-2020-10751)
 * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
@@ -27,6 +28,9 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
 * [x86] KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (CVE-2019-3016)
 * [x86] KVM: Clean up host's steal time structure (CVE-2019-3016)
+ [ Ben Hutchings ]
+ * propagate_one(): mnt_set_mountpoint() needs mount_lock
+
 -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200
 linux (4.19.118-2) buster; urgency=medium
diff --git a/debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch b/debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
new file mode 100644
index 000000000..12e6c2410
--- /dev/null
+++ b/debian/patches/bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
@@ -0,0 +1,45 @@
+From: Al Viro
+Date: Mon, 27 Apr 2020 10:26:22 -0400
+Subject: propagate_one(): mnt_set_mountpoint() needs mount_lock
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=fa87bf609aa173b5dce91d23cd3dcebd9e846124
+
+commit b0d3869ce9eeacbb1bbd541909beeef4126426d5 upstream.
+
+... to protect the modification of mp->m_count done by it. Most of
+the places that modify that thing also have namespace_lock held,
+but not all of them can do so, so we really need mount_lock here.
+Kudos to Piotr Krysiuk , who'd spotted a related
+bug in pivot_root(2) (fixed unnoticed in 5.3); search for other
+similar turds has caught out this one.
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Piotr Krysiuk
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/pnode.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/pnode.c b/fs/pnode.c
+index 53d411a371ce..7910ae91f17e 100644
+--- a/fs/pnode.c
++++ b/fs/pnode.c
+@@ -266,14 +266,13 @@ static int propagate_one(struct mount *m)
+ if (IS_ERR(child))
+ return PTR_ERR(child);
+ child->mnt.mnt_flags &= ~MNT_LOCKED;
++ read_seqlock_excl(&mount_lock);
+ mnt_set_mountpoint(m, mp, child);
++ if (m->mnt_master != dest_master)
++ SET_MNT_MARK(m->mnt_master);
++ read_sequnlock_excl(&mount_lock);
+ last_dest = m;
+ last_source = child;
+- if (m->mnt_master != dest_master) {
+- read_seqlock_excl(&mount_lock);
+- SET_MNT_MARK(m->mnt_master);
+- read_sequnlock_excl(&mount_lock);
+- }
+ hlist_add_head(&child->mnt_hash, list);
+ return count_mounts(m->mnt_ns, child);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index dbdddb875..027deb9a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
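Review bot: The header of the new patch file records the upstream and stable origins but nothing in it ties the fix to CVE-2020-12114, although the commit message calls it a similar issue and the fix for that CVE is the entry placed directly before it in debian/patches/series; a line in the free-form description after `Origin:` such as `Closely related to CVE-2020-12114 (see bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch).` would keep that linkage with the patch itself, and the new debian/changelog entry in the first hunk lacks the same reference. On the new side of the embedded hunk, mount_lock is taken with read_seqlock_excl() before mnt_set_mountpoint() and released only after SET_MNT_MARK(), so the critical section now covers all of mnt_set_mountpoint() rather than just the mark update; that matches the upstream commit named in the header, but the 4.19 body of mnt_set_mountpoint() is not in this hunk, so it should be confirmed against that tree that nothing in it can sleep while the lock is held. propagate_one() starts and ends outside the embedded hunk.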
@@ -302,6 +302,7 @@ bugfix/all/blktrace-fix-dereference-after-null-check.patch
 bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
 bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
 bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
+bugfix/all/propagate_one-mnt_set_mountpoint-needs-mount_lock.patch
 bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
 bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
 bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch