APPLIED: [PATCH 0/2][SRU][D/E] CVE-2019-15794: ovl/shiftfs refcount underflow
Khaled Elmously
khalid.elmously at canonical.com
Fri Nov 8 06:48:49 UTC 2019
On 2019-11-07 10:08:23, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1850994
>
> Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
> handlers. On error the original value is not restored, and the reference
> is put for the file to which vm_file points. On upstream kernels this is
> not an issue, as no callers dereference vm_file
> following after call_mmap() returns an error. However, the aufs patches
> change mmap_region() to replace the fput() using a local variable with
> vma_fput(), which will fput() vm_file, leading to a refcount underflow.
>
> Fix: Restore the original vma_file value on error.
>
> Test Case: A reproducer is provided in the original bug report.
>
> Regression Potential: Minimal. As stated above, other callers of
> call_mmap() do not dereference vma->vm_file when it returns an error,
> and the one which does is fixed by these patches.
>
> Notes: Supported kernels prior to disco are not affected as overlayfs
> did not support mmap until 4.19, and shiftfs was not present in Ubuntu
> kernels before disco. The issue is mitigated for overlayfs by another
> bug which is preventing unprivileged mounting; a patch for this issue
> will be sent separately.
>
> Thanks,
> Seth
>
>
> Seth Forshee (2):
> UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
> UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
>
> fs/overlayfs/file.c | 6 +++++-
> fs/shiftfs.c | 15 +++++++++++----
> 2 files changed, 16 insertions(+), 5 deletions(-)
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
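
Added example, not part of the original message or of the kernel patches: a simplified userspace C model of the reference counting described in the cover letter, showing the failed-mmap path with and without the vm_file restore. The struct layouts, the helper names other than those quoted in the message, and the always-failing lower mmap are assumptions made for illustration.

```c
/* Userspace model, constructed for illustration; this is not kernel code. */
#include <stdio.h>

struct file { int refs; };
struct vma  { struct file *vm_file; };

static void fput(struct file *f) { f->refs--; }
static struct file *get_file(struct file *f) { f->refs++; return f; }

/* Stacking-fs mmap handler. The lower fs mmap is assumed to fail every time.
 * restore != 0 models the fix: put the original vm_file back on error. */
static int stacked_mmap(struct file *file, struct vma *vma,
                        struct file *realfile, int restore)
{
    int ret = -1;                       /* assumed: lower mmap returns an error */

    vma->vm_file = get_file(realfile);  /* handler replaces vm_file */
    fput(realfile);                     /* error path drops that new reference */
    if (restore)
        vma->vm_file = file;            /* fix: restore the original value */
    return ret;
}

/* Caller in the style of mmap_region(). use_vm_file != 0 models the aufs
 * vma_fput() behaviour: on error, put whatever vm_file points at instead
 * of the caller's local file pointer. */
static void mmap_region_model(struct file *file, struct file *realfile,
                              int use_vm_file, int restore)
{
    struct vma vma = { .vm_file = get_file(file) };

    if (stacked_mmap(file, &vma, realfile, restore) != 0)
        fput(use_vm_file ? vma.vm_file : file);
}

/* Lower file's refcount after one failed mmap. It starts at 1, so a
 * result below 1 means a reference was put that was never taken. */
int lower_refs_after_failure(int use_vm_file, int restore)
{
    struct file upper = { 1 }, lower = { 1 };

    mmap_region_model(&upper, &lower, use_vm_file, restore);
    return lower.refs;
}

int main(void)
{
    printf("local fput, unfixed:   %d\n", lower_refs_after_failure(0, 0));
    printf("vm_file fput, unfixed: %d\n", lower_refs_after_failure(1, 0));
    printf("vm_file fput, fixed:   %d\n", lower_refs_after_failure(1, 1));
    return 0;
}
```

In the unfixed vm_file case the lower file loses a reference it never gave out, while the upper file keeps the one the caller took; restoring vm_file makes both counts balance again.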