ACK: [PATCH 0/2][SRU][D/E] CVE-2019-15794: ovl/shiftfs refcount underflow

Tyler Hicks tyhicks at canonical.com
Thu Nov 7 16:29:37 UTC 2019


On 2019-11-07 10:08:23, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
> 
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file
> after call_mmap() returns an error. However, the aufs patches
> change mmap_region() to replace the fput() using a local variable with
> vma_fput(), which will fput() vm_file, leading to a refcount underflow.
> 
> Fix: Restore the original vma_file value on error.
> 
> Test Case: A reproducer is provided in the original bug report.
> 
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
> 
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.

Both patches look good.

 Acked-by: Tyler Hicks <tyhicks at canonical.com>

Thanks!

Tyler

> 
> Thanks,
> Seth
> 
> 
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
> 
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
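
The reference imbalance described in the quoted cover letter, as an added userspace C model (not the kernel patches and not code from either author). The structs and helpers are simplified stand-ins that borrow the kernel's names; the model assumes the lower filesystem's mmap fails and that each file starts with one reference held by its opener.

```c
/* Added userspace model; names mirror the kernel's but are stand-ins. */
#include <stdio.h>

struct file { int count; };            /* stands in for the file refcount */
struct vma  { struct file *vm_file; };
struct counts { int upper, lower; };   /* final refcounts, for inspection */

static void get_file(struct file *f) { f->count++; }
static void fput(struct file *f)     { f->count--; }

/* Constructed failure: the lower filesystem's mmap always errors out. */
static int lower_mmap(struct vma *v) { (void)v; return -1; }

/* Stacking mmap handler: point vm_file at the lower file, call the lower
 * mmap, and on error put the lower reference. restore != 0 applies the
 * fix from the cover letter: put the original vm_file value back. */
static int stacked_mmap(struct file *upper, struct file *lower,
                        struct vma *v, int restore)
{
    int ret;

    get_file(lower);
    v->vm_file = lower;
    ret = lower_mmap(v);
    if (ret) {
        if (restore)
            v->vm_file = upper;
        fput(lower);
    } else {
        fput(upper);
    }
    return ret;
}

/* mmap_region() error path. aufs_style != 0 puts vma->vm_file, as
 * vma_fput() does; otherwise the caller's own file pointer is put. */
static struct counts model_mmap_region(int restore, int aufs_style)
{
    struct file upper = { 1 }, lower = { 1 };   /* held by their openers */
    struct vma v = { &upper };
    struct counts c;

    get_file(&upper);                  /* reference taken for the new vma */
    if (stacked_mmap(&upper, &lower, &v, restore))
        fput(aufs_style ? v.vm_file : &upper);
    c.upper = upper.count;
    c.lower = lower.count;
    return c;
}
```

With the unfixed handler and the vma_fput()-style cleanup, the lower file ends one reference short and the upper file keeps one too many; restoring vm_file on error leaves both counts balanced.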


