[linux] 03/03: loop: fix concurrent lo_open/lo_release (CVE-2018-5344)

Tue Jan 16 20:38:23 UTC 2018

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 0bb5e7cccb41f7a32ee7adafa7495d2743bae279
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Jan 16 20:57:31 2018 +0100

    loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
---
 debian/changelog                                   |  1 +
 .../loop-fix-concurrent-lo_open-lo_release.patch   | 56 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 58 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2f2a5cc..9c2c7fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ linux (4.14.13-2) UNRELEASED; urgency=medium
 
   * RDS: Heap OOB write in rds_message_alloc_sgs() (CVE-2018-5332)
   * RDS: null pointer dereference in rds_atomic_free_op (CVE-2018-5333)
+  * loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 16 Jan 2018 20:50:23 +0100
 
diff --git a/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch b/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 0000000..a5ba39e
--- /dev/null
+++ b/debian/patches/bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,56 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5344
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞 <long7573 at 126.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index bc8e61506968..d5fe720cf149 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+ 	return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+-	struct loop_device *lo = disk->private_data;
+ 	int err;
+ 
+ 	if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+ 	mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++	mutex_lock(&loop_index_mutex);
++	__lo_release(disk->private_data);
++	mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+ 	.owner =	THIS_MODULE,
+ 	.open =		lo_open,
+-- 
+2.15.1
+
diff --git a/debian/patches/series b/debian/patches/series
index f502e75..8e4bcf3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,6 +133,7 @@ bugfix/all/bpf-move-global-verifier-log-into-verifier-environme.patch
 bugfix/all/bpf-fix-integer-overflows.patch
 bugfix/all/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
 bugfix/all/RDS-null-pointer-dereference-in-rds_atomic_free_op.patch
+bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

