[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2025-38058
This patch set fix CVE-2025-38058. Al Viro (2): do_umount(): add missing barrier before refcount checks in sync case __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock fs/namespace.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) -- 2.39.2
From: Al Viro <viro@zeniv.linux.org.uk> stable inclusion from stable-v6.6.90 commit 00f0dd1a0166e1ed8adeb50a6e345b4fd7878431 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGANV CVE: CVE-2025-38058 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t... -------------------------------- [ Upstream commit 65781e19dcfcb4aed1167d87a3ffcc2a0c071d47 ] do_umount() analogue of the race fixed in 119e1ef80ecf "fix __legitimize_mnt()/mntput() race". Here we want to make sure that if __legitimize_mnt() doesn't notice our lock_mount_hash(), we will notice their refcount increment. Harder to hit than mntput_no_expire() one, fortunately, and consequences are milder (sync umount acting like umount -l on a rare race with RCU pathwalk hitting at just the wrong time instead of use-after-free galore mntput_no_expire() counterpart used to be hit). Still a bug... Fixes: 48a066e72d97 ("RCU'd vfsmounts") Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/namespace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 68e3777b9323..6f1741379324 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -575,7 +575,7 @@ int __legitimize_mnt(struct vfsmount *bastard, unsigned seq) return 0; mnt = real_mount(bastard); mnt_add_count(mnt, 1); - smp_mb(); // see mntput_no_expire() + smp_mb(); // see mntput_no_expire() and do_umount() if (likely(!read_seqretry(&mount_lock, seq))) return 0; if (bastard->mnt_flags & MNT_SYNC_UMOUNT) { @@ -1618,6 +1618,7 @@ static int do_umount(struct mount *mnt, int flags) umount_tree(mnt, UMOUNT_PROPAGATE); retval = 0; } else { + smp_mb(); // paired with __legitimize_mnt() shrink_submounts(mnt); retval = -EBUSY; if (!propagate_mount_busy(mnt, 2)) { -- 2.39.2
From: Al Viro <viro@zeniv.linux.org.uk> stable inclusion from stable-v6.6.92 commit d8ece4ced3b051e656c77180df2e69e19e24edc1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGANV CVE: CVE-2025-38058 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t... -------------------------------- [ Upstream commit 250cf3693060a5f803c5f1ddc082bb06b16112a9 ] ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is needed; leaving the current one done before taking that makes no sense - it's nowhere near common enough to bother with. Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/namespace.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 6f1741379324..b682a044cf0e 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -578,12 +578,8 @@ int __legitimize_mnt(struct vfsmount *bastard, unsigned seq) smp_mb(); // see mntput_no_expire() and do_umount() if (likely(!read_seqretry(&mount_lock, seq))) return 0; - if (bastard->mnt_flags & MNT_SYNC_UMOUNT) { - mnt_add_count(mnt, -1); - return 1; - } lock_mount_hash(); - if (unlikely(bastard->mnt_flags & MNT_DOOMED)) { + if (unlikely(bastard->mnt_flags & (MNT_SYNC_UMOUNT | MNT_DOOMED))) { mnt_add_count(mnt, -1); unlock_mount_hash(); return 1; -- 2.39.2
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/16846 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/OHY... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16846 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/OHY...
participants (2)
-
Long Li -
patchwork bot