[PATCH openEuler-1.0-LTS 0/2] loop: fix UAF in mutex_spin_on_owner()
The error path in loop_set_status() fails to release the loop_ctl_mutex lock, causing a UAF issue in mutex_spin_on_owner() when other processes attempt to access the same loop device. Zheng Qixing (1): Revert "loop: loop_set_status_from_info() check before assignment" Zhong Jinghua (1): loop: loop_set_status_from_info() check before assignment drivers/block/loop.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.39.2
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC2E65 CVE: NA -------------------------------- This reverts commit 91a08b4503ba71c1835e3f3290ac5019a69b3de5. This patch did not correctly fix the issue that the original community patch was intended to address, and instead introduced a new UAF problem. The patch should be reverted, and the community fix patch will be reapplied in the next patch. Fixes: 91a08b4503ba ("loop: loop_set_status_from_info() check before assignment") Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/block/loop.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 692c63882686..d1d6aeaa81a7 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1283,15 +1283,13 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) lo->lo_device->bd_inode->i_mapping->nrpages); goto out_unfreeze; } - - /* Avoid assigning overflow values */ - if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX) - return -EOVERFLOW; - if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) { err = -EFBIG; goto out_unfreeze; } + /* loff_t vars have been assigned __u64 */ + if (lo->lo_offset < 0 || lo->lo_sizelimit < 0) + return -EOVERFLOW; } loop_config_discard(lo); -- 2.39.2
From: Zhong Jinghua <zhongjinghua@huawei.com> stable inclusion from stable-v4.19.312 commit 832580af82ace363205039a8e7c4ef04552ccc1a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC2E65 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... ------------------ [ Upstream commit 9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa ] In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, because if an overflow error occurs, the original correct value will be changed to the wrong value, and it will not be changed back. More, the original patch did not solve the problem, the value was set and ioctl returned an error, but the subsequent io used the value in the loop driver, which still caused an alarm: loop_handle_cmd do_req_filebacked loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset; lo_rw_aio cmd->iocb.ki_pos = pos Fixes: c490a0b5a4f3 ("loop: Check for overflow while configuring loop") Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Link: https://lore.kernel.org/r/20230221095027.3656193-1-zhongjinghua@huaweicloud.... Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/block/loop.c [Context conflicts.] Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/block/loop.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index d1d6aeaa81a7..026cde240c4a 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1283,13 +1283,17 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info) lo->lo_device->bd_inode->i_mapping->nrpages); goto out_unfreeze; } + + /* Avoid assigning overflow values */ + if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX) { + err = -EOVERFLOW; + goto out_unfreeze; + } + if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) { err = -EFBIG; goto out_unfreeze; } - /* loff_t vars have been assigned __u64 */ - if (lo->lo_offset < 0 || lo->lo_sizelimit < 0) - return -EOVERFLOW; } loop_config_discard(lo); -- 2.39.2
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/15930 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/M6O... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/15930 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/M6O...
participants (2)
-
patchwork bot -
Zheng Qixing