rpms / kpatch-patch-3_10_0-1160_42_2

Clone
Source Code
GIT

Blame SOURCES/CVE-2020-0466.patch

c7
  1.   57a3d08b34f98000487ff1da646ee41b8506d052
  2.   SOURCES
  3.   CVE-2020-0466.patch
Blob History Raw
57a3d0 
From c17b58ebffbfa862b3f1815e208db340bd1664eb Mon Sep 17 00:00:00 2001
57a3d0 
From: Yannick Cote <ycote@redhat.com>
57a3d0 
Date: Tue, 1 Feb 2022 14:14:41 -0500
57a3d0 
Subject: [KPATCH CVE-2020-0466] epoll: kpatch fixes for CVE-2020-0466
57a3d0
57a3d0 
Kernels:
57a3d0 
3.10.0-1160.15.2.el7
57a3d0 
3.10.0-1160.21.1.el7
57a3d0 
3.10.0-1160.24.1.el7
57a3d0 
3.10.0-1160.25.1.el7
57a3d0 
3.10.0-1160.31.1.el7
57a3d0 
3.10.0-1160.36.2.el7
57a3d0 
3.10.0-1160.41.1.el7
57a3d0 
3.10.0-1160.42.2.el7
57a3d0 
3.10.0-1160.45.1.el7
57a3d0 
3.10.0-1160.49.1.el7
57a3d0 
3.10.0-1160.53.1.el7
57a3d0
57a3d0 
Changes since last build:
57a3d0 
[x86_64]:
57a3d0 
eventpoll.o: changed function: SyS_epoll_ctl
57a3d0 
eventpoll.o: changed function: clear_tfile_check_list
57a3d0 
eventpoll.o: changed function: ep_loop_check_proc
57a3d0
57a3d0 
[ppc64le]:
57a3d0 
eventpoll.o: changed function: SyS_epoll_ctl
57a3d0 
eventpoll.o: changed function: ep_loop_check_proc
57a3d0
57a3d0 
---------------------------
57a3d0
57a3d0 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/22
57a3d0 
Approved-by: Artem Savkov (@artem.savkov)
57a3d0 
Kernels:
57a3d0 
3.10.0-1160.21.1.el7
57a3d0 
3.10.0-1160.24.1.el7
57a3d0 
3.10.0-1160.25.1.el7
57a3d0 
3.10.0-1160.31.1.el7
57a3d0 
3.10.0-1160.36.2.el7
57a3d0 
3.10.0-1160.41.1.el7
57a3d0 
3.10.0-1160.42.2.el7
57a3d0 
3.10.0-1160.45.1.el7
57a3d0 
3.10.0-1160.49.1.el7
57a3d0 
3.10.0-1160.53.1.el7
57a3d0
57a3d0 
Modifications: none
57a3d0
57a3d0 
commit f771ed0537c55c506dc846cb8f3da60f6383a2b3
57a3d0 
Author: Carlos Maiolino <cmaiolino@redhat.com>
57a3d0 
Date:   Sat Dec 18 09:23:31 2021 +0100
57a3d0
57a3d0 
    epoll: Keep a reference on files added to the check list
57a3d0
57a3d0 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
57a3d0 
    Tested: Sanity check only
57a3d0 
    CVE: CVE-2020-0466
57a3d0
57a3d0 
    Conflicts:
57a3d0 
            - RHEL7 has no support for non-blocking do_epoll_ctl(), so the
57a3d0 
              original patch got this part stripped.
57a3d0
57a3d0 
    When adding a new fd to an epoll, and that this new fd is an
57a3d0 
    epoll fd itself, we recursively scan the fds attached to it
57a3d0 
    to detect cycles, and add non-epool files to a "check list"
57a3d0 
    that gets subsequently parsed.
57a3d0
57a3d0 
    However, this check list isn't completely safe when deletions
57a3d0 
    can happen concurrently. To sidestep the issue, make sure that
57a3d0 
    a struct file placed on the check list sees its f_count increased,
57a3d0 
    ensuring that a concurrent deletion won't result in the file
57a3d0 
    disapearing from under our feet.
57a3d0
57a3d0 
    Cc: stable@vger.kernel.org
57a3d0 
    Signed-off-by: Marc Zyngier <maz@kernel.org>
57a3d0 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
57a3d0 
    (cherry picked from commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682)
57a3d0
57a3d0 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
57a3d0
57a3d0 
commit 0875a380011a7ff7f4504b72890c29fec420d1cd
57a3d0 
Author: Carlos Maiolino <cmaiolino@redhat.com>
57a3d0 
Date:   Sat Dec 18 09:23:47 2021 +0100
57a3d0
57a3d0 
    fix regression in "epoll: Keep a reference on files added to the check list"
57a3d0
57a3d0 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
57a3d0 
    Tested: Sanity check only
57a3d0 
    CVE: CVE-2020-0466
57a3d0
57a3d0 
    epoll_loop_check_proc() can run into a file already committed to destruction;
57a3d0 
    we can't grab a reference on those and don't need to add them to the set for
57a3d0 
    reverse path check anyway.
57a3d0
57a3d0 
    Tested-by: Marc Zyngier <maz@kernel.org>
57a3d0 
    Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
57a3d0 
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
57a3d0 
    (cherry picked from commit 77f4689de17c0887775bb77896f4cc11a39bf848)
57a3d0
57a3d0 
    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
57a3d0
57a3d0 
Signed-off-by: Yannick Cote <ycote@redhat.com>
57a3d0 
---
57a3d0 
 fs/eventpoll.c | 13 +++++++++----
57a3d0 
 1 file changed, 9 insertions(+), 4 deletions(-)
57a3d0
57a3d0 
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
57a3d0 
index 6731b99a481f..ca0eb701eeb4 100644
57a3d0 
--- a/fs/eventpoll.c
57a3d0 
+++ b/fs/eventpoll.c
57a3d0 
@@ -1750,9 +1750,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
57a3d0 
 			 * not already there, and calling reverse_path_check()
57a3d0 
 			 * during ep_insert().
57a3d0 
 			 */
57a3d0 
-			if (list_empty(&epi->ffd.file->f_tfile_llink))
57a3d0 
-				list_add(&epi->ffd.file->f_tfile_llink,
57a3d0 
-					 &tfile_check_list);
57a3d0 
+			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
57a3d0 
+				if (get_file_rcu(epi->ffd.file))
57a3d0 
+					list_add(&epi->ffd.file->f_tfile_llink,
57a3d0 
+						 &tfile_check_list);
57a3d0 
+			}
57a3d0 
 		}
57a3d0 
 	}
57a3d0 
 	mutex_unlock(&ep->mtx);
57a3d0 
@@ -1796,6 +1798,7 @@ static void clear_tfile_check_list(void)
57a3d0 
 		file = list_first_entry(&tfile_check_list, struct file,
57a3d0 
 					f_tfile_llink);
57a3d0 
 		list_del_init(&file->f_tfile_llink);
57a3d0 
+		fput(file);
57a3d0 
 	}
57a3d0 
 	INIT_LIST_HEAD(&tfile_check_list);
57a3d0 
 }
57a3d0 
@@ -1951,9 +1954,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
57a3d0 
 					clear_tfile_check_list();
57a3d0 
 					goto error_tgt_fput;
57a3d0 
 				}
57a3d0 
-			} else
57a3d0 
+			} else {
57a3d0 
+				get_file(tf.file);
57a3d0 
 				list_add(&tf.file->f_tfile_llink,
57a3d0 
 							&tfile_check_list);
57a3d0 
+			}
57a3d0 
 			mutex_lock_nested(&ep->mtx, 0);
57a3d0 
 			if (is_file_epoll(tf.file)) {
57a3d0 
 				tep = tf.file->private_data;
57a3d0 
--
57a3d0 
2.26.3
57a3d0
57a3d0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation