ACK: [PATCH 0/2][SRU][D/E] CVE-2019-15794: ovl/shiftfs refcount underflow
stefan.bader at canonical.com
Thu Nov 7 16:50:13 UTC 2019
On 07.11.19 17:08, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file
> after call_mmap() returns an error. However, the aufs patches
> change mmap_region() to replace the fput() using a local variable with
> vma_fput(), which will fput() vm_file, leading to a refcount underflow.
> Fix: Restore the original vma_file value on error.
> Test Case: A reproducer is provided in the original bug report.
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.
> Seth Forshee (2):
>   UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
>   UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>
>  fs/overlayfs/file.c |  6 +++++-
>  fs/shiftfs.c        | 15 +++++++++++----
>  2 files changed, 16 insertions(+), 5 deletions(-)
Acked-by: Stefan Bader <stefan.bader at canonical.com>
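
The reference accounting described in the quoted cover letter, as a userspace model. This is an added example, not code from the patches or from anyone in this thread. The `struct file`, `struct vma` and helper functions are simplified stand-ins for the kernel objects, and the caller's two error paths are assumptions based on the description above.

```c
#include <stdio.h>

/* Simplified userspace stand-ins, not kernel types (assumption for illustration). */
struct file { int refs; };
struct vma  { struct file *vm_file; };

static void get_file(struct file *f) { f->refs++; }
static void fput(struct file *f)     { f->refs--; }

/* Stacking-fs mmap handler whose lower mmap always fails.
 * restore=0: behaviour described in the report; restore=1: the described fix. */
static int stacked_mmap(struct vma *vma, struct file *real, int restore)
{
    struct file *orig = vma->vm_file;
    get_file(real);
    vma->vm_file = real;        /* replace vm_file with the lower file */
    /* ... the lower filesystem's mmap fails here ... */
    fput(real);                 /* drop the reference taken above */
    if (restore)
        vma->vm_file = orig;    /* fix: put the original value back */
    return -1;
}

/* Caller error path: put_via_vma=1 puts whatever vm_file points to, 0 puts the local. */
static void failed_mmap(struct file *upper, struct file *real, int restore, int put_via_vma)
{
    struct vma vma = { .vm_file = upper };
    get_file(upper);            /* reference held on behalf of the new mapping */
    if (stacked_mmap(&vma, real, restore) != 0)
        fput(put_via_vma ? vma.vm_file : upper);
}

/* Returns the lower file's count after one failed mmap; 1 means balanced. */
static int lower_refs_after(int restore, int put_via_vma, int *upper_refs)
{
    struct file upper = { 1 }, real = { 1 };   /* one long-lived holder each */
    failed_mmap(&upper, &real, restore, put_via_vma);
    *upper_refs = upper.refs;
    return real.refs;
}

int main(void)
{
    int up, lo;
    lo = lower_refs_after(0, 1, &up);
    printf("unfixed, vm_file put: lower=%d upper=%d\n", lo, up);
    lo = lower_refs_after(1, 1, &up);
    printf("fixed,   vm_file put: lower=%d upper=%d\n", lo, up);
    return 0;
}
```

In the unfixed case the lower file ends with one put more than its gets while its long-lived holder still exists, and the upper file keeps a reference that is never dropped.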