[PATCH 0/2][SRU][D/E] CVE-2019-15794: ovl/shiftfs refcount underflow
Seth Forshee
seth.forshee at canonical.com
Thu Nov 7 16:08:23 UTC 2019
BugLink: https://bugs.launchpad.net/bugs/1850994

Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap
handlers. On error the original value is not restored, and the reference
is put for the file to which vm_file points. On upstream kernels this is
not an issue, as no callers dereference vm_file after call_mmap() returns
an error. However, the aufs patches change mmap_region() to replace the
fput() using a local variable with vma_fput(), which will fput() vm_file,
leading to a refcount underflow.

Fix: Restore the original vm_file value on error.

Test Case: A reproducer is provided in the original bug report.

Regression Potential: Minimal. As stated above, other callers of
call_mmap() do not dereference vma->vm_file when it returns an error,
and the one which does is fixed by these patches.

Notes: Supported kernels prior to disco are not affected as overlayfs
did not support mmap until 4.19, and shiftfs was not present in Ubuntu
kernels before disco. The issue is mitigated for overlayfs by another
bug which is preventing unprivileged mounting; a patch for this issue
will be sent separately.
Thanks,
Seth
Seth Forshee (2):
UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
UBUNTU: SAUCE: ovl: Restore vm_file value when lower fs mmap fails
fs/overlayfs/file.c | 6 +++++-
fs/shiftfs.c | 15 +++++++++++----
2 files changed, 16 insertions(+), 5 deletions(-)
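The refcount accounting described in the cover letter, as an added user-space model (not code from the patches, from overlayfs/shiftfs, or from the kernel): `struct file`, `struct vm_area_struct`, `get_file()`/`fput()`, the failing lower-fs mmap, and the aufs-style `mmap_region()` that calls `vma_fput()` on error are all constructed stand-ins with simplified integer refcounts. The buggy handler leaves `vma->vm_file` pointing at the lower file after putting its reference; the fixed handler restores the original value first, which is the change the two patches make.

```c
#include <stdio.h>

/* Constructed model of the kernel objects involved; not the real structs. */
struct file {
    int refcount;       /* stands in for f_count */
    const char *name;
};

struct vm_area_struct {
    struct file *vm_file;
};

static void get_file(struct file *f) { f->refcount++; }
static void fput(struct file *f) { f->refcount--; }

/* Model of a lower filesystem mmap handler that fails (e.g. -EINVAL). */
static int lower_mmap_fail(struct vm_area_struct *vma)
{
    (void)vma;
    return -1;
}

/* Buggy pattern: swap vm_file to the lower file, and on error put the
 * reference just taken but leave vma->vm_file pointing at the lower file. */
static int stacked_mmap_buggy(struct vm_area_struct *vma, struct file *realfile)
{
    struct file *old = vma->vm_file;
    get_file(realfile);
    vma->vm_file = realfile;
    int ret = lower_mmap_fail(vma);
    if (ret) {
        fput(realfile);          /* vm_file still == realfile here */
        return ret;
    }
    fput(old);                   /* success: drop ref to previous vm_file */
    return 0;
}

/* Fixed pattern: restore the original vm_file before returning the error. */
static int stacked_mmap_fixed(struct vm_area_struct *vma, struct file *realfile)
{
    struct file *old = vma->vm_file;
    get_file(realfile);
    vma->vm_file = realfile;
    int ret = lower_mmap_fail(vma);
    if (ret) {
        fput(realfile);
        vma->vm_file = old;      /* the fix: caller's vma_fput() now hits 'old' */
        return ret;
    }
    fput(old);
    return 0;
}

struct outcome {
    int upper_refs;              /* expected 0 after release */
    int lower_refs;              /* expected 0 after release; < 0 is underflow */
};

/* Runs the scenario: the aufs-patched mmap_region() takes a ref on the
 * stacked (upper) file for vm_file, calls the handler, and on error calls
 * vma_fput(), which puts whatever vma->vm_file points to. The stacked file
 * is then released, dropping its own refs. Returns the final refcounts. */
static struct outcome run_scenario(int (*mmap)(struct vm_area_struct *, struct file *))
{
    struct file upper = { 1, "stacked file" };
    struct file lower = { 1, "lower fs file" };   /* ref held by upper's private data */
    struct vm_area_struct vma;

    get_file(&upper);            /* mmap_region(): vma->vm_file = get_file(file) */
    vma.vm_file = &upper;
    if (mmap(&vma, &lower))
        fput(vma.vm_file);       /* vma_fput() in the aufs-modified mmap_region() */

    fput(&lower);                /* stacked file release drops its lower ref */
    fput(&upper);                /* and the caller's own ref on the upper file */
    return (struct outcome){ upper.refcount, lower.refcount };
}

int main(void)
{
    struct outcome b = run_scenario(stacked_mmap_buggy);
    struct outcome f = run_scenario(stacked_mmap_fixed);
    printf("buggy: upper=%d lower=%d (lower underflowed, upper leaked)\n",
           b.upper_refs, b.lower_refs);
    printf("fixed: upper=%d lower=%d\n", f.upper_refs, f.lower_refs);
    return 0;
}
```

With the buggy handler the lower file ends at -1 (the underflow the cover letter describes) and the upper file's reference is leaked; with the restore in place both counts return to 0. The model only matters for a caller that puts `vma->vm_file` after an error, which is why upstream `mmap_region()` is unaffected and the aufs-patched one is not.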