[linux] 01/01: aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
debian-kernel at lists.debian.org
Thu Sep 10 19:27:49 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 56c47391d49d46e9b64d77c70d8b2b0845d5605b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Sep 10 02:27:20 2015 +0100
aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
---
debian/changelog | 1 +
.../features/all/aufs3/aufs3-mmap-fix-races.patch | 50 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 52 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 35a9ad4..defa044 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ linux (3.16.7-ckt11-1+deb8u4) UNRELEASED; urgency=medium
* ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
* virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
* vhost: actually track log eventfd file (CVE-2015-6252)
+ * aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 09 Sep 2015 21:21:36 +0100
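Review bot: the changelog entry names only the functions that were fixed, while the patch description below calls this a possible use-after-free reachable through madvise() and msync() on an aufs mapping; for a jessie-security upload the entry should state that impact, e.g. "aufs3: mmap: Fix use-after-free races in madvise_remove() and sys_msync() (Closes: #796036)", and since the neighbouring entries each carry a CVE id, say explicitly if none has been assigned for this one so readers of the changelog do not take it for a plain bug fix.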
diff --git a/debian/patches/features/all/aufs3/aufs3-mmap-fix-races.patch b/debian/patches/features/all/aufs3/aufs3-mmap-fix-races.patch
new file mode 100644
index 0000000..ef9b616
--- /dev/null
+++ b/debian/patches/features/all/aufs3/aufs3-mmap-fix-races.patch
@@ -0,0 +1,50 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 10 Sep 2015 02:19:59 +0100
+Subject: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
+Bug-Debian: https://bugs.debian.org/796036
+
+In madvise_remove() and sys_msync() we drop the mmap_sem before
+dropping references to the mapped file(s). As soon as we drop the
+mmap_sem, the vma we got them from might be destroyed by another
+thread, so calling vma_do_fput() is a possible use-after-free.
+
+In these cases we don't actually need a reference to the aufs file, so
+revert to using get_file() and fput() directly.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -327,12 +327,12 @@ static long madvise_remove(struct vm_are
+ * vma's reference to the file) can go away as soon as we drop
+ * mmap_sem.
+ */
+- vma_get_file(vma);
++ get_file(f);
+ up_read(¤t->mm->mmap_sem);
+ error = do_fallocate(f,
+ FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
+ offset, end - start);
+- vma_fput(vma);
++ fput(f);
+ down_read(¤t->mm->mmap_sem);
+ return error;
+ }
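Review bot: the reference is now taken on the same `f` that do_fallocate() operates on, and nothing between up_read() and down_read() dereferences `vma` any more, which is the property the fix needs; the comment above the change ("vma's reference to the file ... can go away as soon as we drop mmap_sem") still explains why a reference is needed but not why the aufs vma_get_file()/vma_fput() helpers are deliberately avoided here, so extend that comment with a line saying that the aufs-private file is not needed for the fallocate and that `vma` must not be touched once mmap_sem is dropped, otherwise the next aufs3 refresh is likely to reintroduce vma_get_file() in this spot.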
+--- a/mm/msync.c
++++ b/mm/msync.c
+@@ -84,13 +84,13 @@ SYSCALL_DEFINE3(msync, unsigned long, st
+ start = vma->vm_end;
+ if ((flags & MS_SYNC) && file &&
+ (vma->vm_flags & VM_SHARED)) {
+- vma_get_file(vma);
++ get_file(file);
+ up_read(&mm->mmap_sem);
+ if (vma->vm_flags & VM_NONLINEAR)
+ error = vfs_fsync(file, 1);
+ else
+ error = vfs_fsync_range(file, fstart, fend, 1);
+- vma_fput(vma);
++ fput(file);
+ if (error || start >= end)
+ goto out;
+ down_read(&mm->mmap_sem);
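Review bot: this hunk removes the vma_fput(vma) use-after-free but leaves another dereference of `vma` inside the unlocked region: `if (vma->vm_flags & VM_NONLINEAR)` on the line directly after `up_read(&mm->mmap_sem);` reads the vma that, by the patch's own description, another thread may have destroyed as soon as mmap_sem was dropped. Hoist that test into a local before the lock is released, e.g. `nonlinear = vma->vm_flags & VM_NONLINEAR;` next to `start = vma->vm_end;`, and branch on the local after up_read(); the other values used in the unlocked region (`file`, `fstart`, `fend`, `start`) are already plain locals in the visible context, so VM_NONLINEAR is the only vma field still read without the lock.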
diff --git a/debian/patches/series b/debian/patches/series
index fc49167..b7a85de 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,6 +21,7 @@ bugfix/all/radeon-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
features/all/aufs3/aufs3-kbuild.patch
features/all/aufs3/aufs3-base.patch
features/all/aufs3/aufs3-mmap.patch
+features/all/aufs3/aufs3-mmap-fix-races.patch
features/all/aufs3/aufs3-standalone.patch
features/all/aufs3/aufs3-add.patch
# Debian-specific changes
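Review bot: the ordering is right, the new patch has to follow features/all/aufs3/aufs3-mmap.patch because it replaces the vma_get_file()/vma_fput() calls that patch introduces into mm/madvise.c and mm/msync.c, but carrying the correction as a separate patch means the two must be refreshed together on every aufs3 update; a comment in series (the file already uses `#` comments) or in the patch header stating that dependency, or folding these hunks into aufs3-mmap.patch at the next refresh, would keep them from drifting apart.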
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git