rpms / kpatch-patch-3_10_0-1160_21_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2020-0466.patch

c7
  1.   b2a0988d9bd76ccc9a4f9bf5f2f286a761fbcc48
  2.   SOURCES
  3.   CVE-2020-0466.patch
Blob History Raw
b2a098 
From c17b58ebffbfa862b3f1815e208db340bd1664eb Mon Sep 17 00:00:00 2001
b2a098 
From: Yannick Cote <ycote@redhat.com>
b2a098 
Date: Tue, 1 Feb 2022 14:14:41 -0500
b2a098 
Subject: [KPATCH CVE-2020-0466] epoll: kpatch fixes for CVE-2020-0466
b2a098
b2a098 
Kernels:
b2a098 
3.10.0-1160.15.2.el7
b2a098 
3.10.0-1160.21.1.el7
b2a098 
3.10.0-1160.24.1.el7
b2a098 
3.10.0-1160.25.1.el7
b2a098 
3.10.0-1160.31.1.el7
b2a098 
3.10.0-1160.36.2.el7
b2a098 
3.10.0-1160.41.1.el7
b2a098 
3.10.0-1160.42.2.el7
b2a098 
3.10.0-1160.45.1.el7
b2a098 
3.10.0-1160.49.1.el7
b2a098 
3.10.0-1160.53.1.el7
b2a098
b2a098 
Changes since last build:
b2a098 
[x86_64]:
b2a098 
eventpoll.o: changed function: SyS_epoll_ctl
b2a098 
eventpoll.o: changed function: clear_tfile_check_list
b2a098 
eventpoll.o: changed function: ep_loop_check_proc
b2a098
b2a098 
[ppc64le]:
b2a098 
eventpoll.o: changed function: SyS_epoll_ctl
b2a098 
eventpoll.o: changed function: ep_loop_check_proc
b2a098
b2a098 
---------------------------
b2a098
b2a098 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/22
b2a098 
Approved-by: Artem Savkov (@artem.savkov)
b2a098 
Kernels:
b2a098 
3.10.0-1160.21.1.el7
b2a098 
3.10.0-1160.24.1.el7
b2a098 
3.10.0-1160.25.1.el7
b2a098 
3.10.0-1160.31.1.el7
b2a098 
3.10.0-1160.36.2.el7
b2a098 
3.10.0-1160.41.1.el7
b2a098 
3.10.0-1160.42.2.el7
b2a098 
3.10.0-1160.45.1.el7
b2a098 
3.10.0-1160.49.1.el7
b2a098 
3.10.0-1160.53.1.el7
b2a098
b2a098 
Modifications: none
b2a098
b2a098 
commit f771ed0537c55c506dc846cb8f3da60f6383a2b3
b2a098 
Author: Carlos Maiolino <cmaiolino@redhat.com>
b2a098 
Date:   Sat Dec 18 09:23:31 2021 +0100
b2a098
b2a098 
    epoll: Keep a reference on files added to the check list
b2a098
b2a098 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
b2a098 
    Tested: Sanity check only
b2a098 
    CVE: CVE-2020-0466
b2a098
b2a098 
    Conflicts:
b2a098 
            - RHEL7 has no support for non-blocking do_epoll_ctl(), so the
b2a098 
              original patch got this part stripped.
b2a098
b2a098 
    When adding a new fd to an epoll, and that this new fd is an
b2a098 
    epoll fd itself, we recursively scan the fds attached to it
b2a098 
    to detect cycles, and add non-epool files to a "check list"
b2a098 
    that gets subsequently parsed.
b2a098
b2a098 
    However, this check list isn't completely safe when deletions
b2a098 
    can happen concurrently. To sidestep the issue, make sure that
b2a098 
    a struct file placed on the check list sees its f_count increased,
b2a098 
    ensuring that a concurrent deletion won't result in the file
b2a098 
    disapearing from under our feet.
b2a098
b2a098 
    Cc: stable@vger.kernel.org
b2a098 
    Signed-off-by: Marc Zyngier <maz@kernel.org>
b2a098 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
b2a098 
    (cherry picked from commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682)
b2a098
b2a098 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
b2a098
b2a098 
commit 0875a380011a7ff7f4504b72890c29fec420d1cd
b2a098 
Author: Carlos Maiolino <cmaiolino@redhat.com>
b2a098 
Date:   Sat Dec 18 09:23:47 2021 +0100
b2a098
b2a098 
    fix regression in "epoll: Keep a reference on files added to the check list"
b2a098
b2a098 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
b2a098 
    Tested: Sanity check only
b2a098 
    CVE: CVE-2020-0466
b2a098
b2a098 
    epoll_loop_check_proc() can run into a file already committed to destruction;
b2a098 
    we can't grab a reference on those and don't need to add them to the set for
b2a098 
    reverse path check anyway.
b2a098
b2a098 
    Tested-by: Marc Zyngier <maz@kernel.org>
b2a098 
    Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
b2a098 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
b2a098 
    (cherry picked from commit 77f4689de17c0887775bb77896f4cc11a39bf848)
b2a098
b2a098 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
b2a098
b2a098 
Signed-off-by: Yannick Cote <ycote@redhat.com>
b2a098 
---
b2a098 
 fs/eventpoll.c | 13 +++++++++----
b2a098 
 1 file changed, 9 insertions(+), 4 deletions(-)
b2a098
b2a098 
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
b2a098 
index 6731b99a481f..ca0eb701eeb4 100644
b2a098 
--- a/fs/eventpoll.c
b2a098 
+++ b/fs/eventpoll.c
b2a098 
@@ -1750,9 +1750,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
b2a098 
 			 * not already there, and calling reverse_path_check()
b2a098 
 			 * during ep_insert().
b2a098 
 			 */
b2a098 
-			if (list_empty(&epi->ffd.file->f_tfile_llink))
b2a098 
-				list_add(&epi->ffd.file->f_tfile_llink,
b2a098 
-					 &tfile_check_list);
b2a098 
+			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
b2a098 
+				if (get_file_rcu(epi->ffd.file))
b2a098 
+					list_add(&epi->ffd.file->f_tfile_llink,
b2a098 
+						 &tfile_check_list);
b2a098 
+			}
b2a098 
 		}
b2a098 
 	}
b2a098 
 	mutex_unlock(&ep->mtx);
b2a098 
@@ -1796,6 +1798,7 @@ static void clear_tfile_check_list(void)
b2a098 
 		file = list_first_entry(&tfile_check_list, struct file,
b2a098 
 					f_tfile_llink);
b2a098 
 		list_del_init(&file->f_tfile_llink);
b2a098 
+		fput(file);
b2a098 
 	}
b2a098 
 	INIT_LIST_HEAD(&tfile_check_list);
b2a098 
 }
b2a098 
@@ -1951,9 +1954,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
b2a098 
 					clear_tfile_check_list();
b2a098 
 					goto error_tgt_fput;
b2a098 
 				}
b2a098 
-			} else
b2a098 
+			} else {
b2a098 
+				get_file(tf.file);
b2a098 
 				list_add(&tf.file->f_tfile_llink,
b2a098 
 							&tfile_check_list);
b2a098 
+			}
b2a098 
 			mutex_lock_nested(&ep->mtx, 0);
b2a098 
 			if (is_file_epoll(tf.file)) {
b2a098 
 				tep = tf.file->private_data;
b2a098 
--
b2a098 
2.26.3
b2a098
b2a098

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation