[X/B/D/E][PATCH 0/2] aufs: fixes for CVE-2020-11935

Mauricio Faria de Oliveira mfo at canonical.com
Mon Jun 29 18:31:08 UTC 2020 

[Impact]

 * This patchset contains fixes for aufs's CVE-2020-11935.
 
 * The aufs filesystem might hit a kernel BUG() message
   under high load.
 
 * This may trigger a kernel panic/crash if panic_on_oops
   is enabled.  Otherwise, no harmful behavior is noticed.
   
 * One workaround is to clean the inode cache periodically:
   $ echo 2 | sudo tee /proc/sys/vm/drop-caches
   
[Fix]

 * The issue is fixed with 2 patches in aufs4-linux.git:
   - 515a586eeef3 aufs: do not call i_readcount_inc()
   - f10aea57d39d aufs: bugfix, IMA i_readcount

 * The first addresses the issue, and the second addresses a
   regression in the aufs feature to change RW branches to RO.

 * The aufs patches for v5.3+ have an equivalent fix to the
   second patch; it is present in Focal and later (not Eoan)
   (and on ubuntu-unstable/master & /master-5.8 as of Jun 29)
   - 1d26f910c53f aufs: for v5.3-rc1, maintain i_readcount
     (in aufs5-linux.git)

 * So, X/B/D/E need patches 1 and 2.
 * And F/G/Unstable need patch 1 only.
   
[Test Case]

 * Test cases are available internally, if needed.
   
[Regression Potential]

 * This changes the core path that aufs opens files, so there
   is a risk of regression; however, the fix changes aufs for
   how other filesystems work, so this generally is OK to do.
   In any case, regressions would likely happen in open() or
   close().
 
 * The aufs maintainer has access to an internal test-suite
   used to validate aufs changes, used to identify the first
   regression (in the branch RW/RO mode change), and then to
   validate/publish the patches upstream; should be good now.
   
 * This has also been tested with 'stress-ng --class filesystem'
   and with 'xfstests -overlay' (patch to use aufs vs overlayfs)
   on Xenial/Bionic/Focal (-proposed vs. -proposed + patches).
   No regressions observed in stress-ng/xfstests log or dmesg.
   (Also build-tested on Disco/Eoan.)

[Other Info]

 * Applied on Unstable (branches master and master-5.8)
 * Not required on Groovy (still 5.4; should sync from Unstable)
 * Required on LTS releases: Bionic and Focal and Xenial.
 * Required on other releases: Disco and Eoan (for custom kernels)

 * Sorry for the submission after scheduled last day for patches.
   Really wanted to have this upstream first specially given the
   maintainer's internal test-suite (that catched one regression
   not hit in my tests, because it's on corner case/feature path.)

J. R. Okajima (1):
  aufs: bugfix, IMA i_readcount

Mauricio Faria de Oliveira (1):
  aufs: do not call i_readcount_inc()

 fs/aufs/branch.c | 6 +++++-
 fs/aufs/vfsub.c  | 9 +--------
 2 files changed, 6 insertions(+), 9 deletions(-)

-- 
2.25.1

More information about the kernel-team mailing list