rpms / kpatch-patch-3_10_0-1160_24_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2020-0466.patch

c7
  1.   d77eec8fdb04abdd009870a12a6fe82e5f7de1d1
  2.   SOURCES
  3.   CVE-2020-0466.patch
Blob History Raw
d77eec 
From c17b58ebffbfa862b3f1815e208db340bd1664eb Mon Sep 17 00:00:00 2001
d77eec 
From: Yannick Cote <ycote@redhat.com>
d77eec 
Date: Tue, 1 Feb 2022 14:14:41 -0500
d77eec 
Subject: [KPATCH CVE-2020-0466] epoll: kpatch fixes for CVE-2020-0466
d77eec
d77eec 
Kernels:
d77eec 
3.10.0-1160.15.2.el7
d77eec 
3.10.0-1160.21.1.el7
d77eec 
3.10.0-1160.24.1.el7
d77eec 
3.10.0-1160.25.1.el7
d77eec 
3.10.0-1160.31.1.el7
d77eec 
3.10.0-1160.36.2.el7
d77eec 
3.10.0-1160.41.1.el7
d77eec 
3.10.0-1160.42.2.el7
d77eec 
3.10.0-1160.45.1.el7
d77eec 
3.10.0-1160.49.1.el7
d77eec 
3.10.0-1160.53.1.el7
d77eec
d77eec 
Changes since last build:
d77eec 
[x86_64]:
d77eec 
eventpoll.o: changed function: SyS_epoll_ctl
d77eec 
eventpoll.o: changed function: clear_tfile_check_list
d77eec 
eventpoll.o: changed function: ep_loop_check_proc
d77eec
d77eec 
[ppc64le]:
d77eec 
eventpoll.o: changed function: SyS_epoll_ctl
d77eec 
eventpoll.o: changed function: ep_loop_check_proc
d77eec
d77eec 
---------------------------
d77eec
d77eec 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/22
d77eec 
Approved-by: Artem Savkov (@artem.savkov)
d77eec 
Kernels:
d77eec 
3.10.0-1160.21.1.el7
d77eec 
3.10.0-1160.24.1.el7
d77eec 
3.10.0-1160.25.1.el7
d77eec 
3.10.0-1160.31.1.el7
d77eec 
3.10.0-1160.36.2.el7
d77eec 
3.10.0-1160.41.1.el7
d77eec 
3.10.0-1160.42.2.el7
d77eec 
3.10.0-1160.45.1.el7
d77eec 
3.10.0-1160.49.1.el7
d77eec 
3.10.0-1160.53.1.el7
d77eec
d77eec 
Modifications: none
d77eec
d77eec 
commit f771ed0537c55c506dc846cb8f3da60f6383a2b3
d77eec 
Author: Carlos Maiolino <cmaiolino@redhat.com>
d77eec 
Date:   Sat Dec 18 09:23:31 2021 +0100
d77eec
d77eec 
    epoll: Keep a reference on files added to the check list
d77eec
d77eec 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
d77eec 
    Tested: Sanity check only
d77eec 
    CVE: CVE-2020-0466
d77eec
d77eec 
    Conflicts:
d77eec 
            - RHEL7 has no support for non-blocking do_epoll_ctl(), so the
d77eec 
              original patch got this part stripped.
d77eec
d77eec 
    When adding a new fd to an epoll, and that this new fd is an
d77eec 
    epoll fd itself, we recursively scan the fds attached to it
d77eec 
    to detect cycles, and add non-epool files to a "check list"
d77eec 
    that gets subsequently parsed.
d77eec
d77eec 
    However, this check list isn't completely safe when deletions
d77eec 
    can happen concurrently. To sidestep the issue, make sure that
d77eec 
    a struct file placed on the check list sees its f_count increased,
d77eec 
    ensuring that a concurrent deletion won't result in the file
d77eec 
    disapearing from under our feet.
d77eec
d77eec 
    Cc: stable@vger.kernel.org
d77eec 
    Signed-off-by: Marc Zyngier <maz@kernel.org>
d77eec 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
d77eec 
    (cherry picked from commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682)
d77eec
d77eec 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
d77eec
d77eec 
commit 0875a380011a7ff7f4504b72890c29fec420d1cd
d77eec 
Author: Carlos Maiolino <cmaiolino@redhat.com>
d77eec 
Date:   Sat Dec 18 09:23:47 2021 +0100
d77eec
d77eec 
    fix regression in "epoll: Keep a reference on files added to the check list"
d77eec
d77eec 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
d77eec 
    Tested: Sanity check only
d77eec 
    CVE: CVE-2020-0466
d77eec
d77eec 
    epoll_loop_check_proc() can run into a file already committed to destruction;
d77eec 
    we can't grab a reference on those and don't need to add them to the set for
d77eec 
    reverse path check anyway.
d77eec
d77eec 
    Tested-by: Marc Zyngier <maz@kernel.org>
d77eec 
    Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
d77eec 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
d77eec 
    (cherry picked from commit 77f4689de17c0887775bb77896f4cc11a39bf848)
d77eec
d77eec 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
d77eec
d77eec 
Signed-off-by: Yannick Cote <ycote@redhat.com>
d77eec 
---
d77eec 
 fs/eventpoll.c | 13 +++++++++----
d77eec 
 1 file changed, 9 insertions(+), 4 deletions(-)
d77eec
d77eec 
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
d77eec 
index 6731b99a481f..ca0eb701eeb4 100644
d77eec 
--- a/fs/eventpoll.c
d77eec 
+++ b/fs/eventpoll.c
d77eec 
@@ -1750,9 +1750,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
d77eec 
 			 * not already there, and calling reverse_path_check()
d77eec 
 			 * during ep_insert().
d77eec 
 			 */
d77eec 
-			if (list_empty(&epi->ffd.file->f_tfile_llink))
d77eec 
-				list_add(&epi->ffd.file->f_tfile_llink,
d77eec 
-					 &tfile_check_list);
d77eec 
+			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
d77eec 
+				if (get_file_rcu(epi->ffd.file))
d77eec 
+					list_add(&epi->ffd.file->f_tfile_llink,
d77eec 
+						 &tfile_check_list);
d77eec 
+			}
d77eec 
 		}
d77eec 
 	}
d77eec 
 	mutex_unlock(&ep->mtx);
d77eec 
@@ -1796,6 +1798,7 @@ static void clear_tfile_check_list(void)
d77eec 
 		file = list_first_entry(&tfile_check_list, struct file,
d77eec 
 					f_tfile_llink);
d77eec 
 		list_del_init(&file->f_tfile_llink);
d77eec 
+		fput(file);
d77eec 
 	}
d77eec 
 	INIT_LIST_HEAD(&tfile_check_list);
d77eec 
 }
d77eec 
@@ -1951,9 +1954,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
d77eec 
 					clear_tfile_check_list();
d77eec 
 					goto error_tgt_fput;
d77eec 
 				}
d77eec 
-			} else
d77eec 
+			} else {
d77eec 
+				get_file(tf.file);
d77eec 
 				list_add(&tf.file->f_tfile_llink,
d77eec 
 							&tfile_check_list);
d77eec 
+			}
d77eec 
 			mutex_lock_nested(&ep->mtx, 0);
d77eec 
 			if (is_file_epoll(tf.file)) {
d77eec 
 				tep = tf.file->private_data;
d77eec 
--
d77eec 
2.26.3
d77eec
d77eec

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation