From 4e6569b36884d1f1b6cd72b57d797f66be67161a Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Tue, 18 Aug 2020 08:02:38 +0300
Subject: [PATCH] Pick fix of CVE-2020-11935
---
 fs-aufs-2.patch | 133 ++++++++++++++++++++++++++++++++++++++++++++++++
 kernel.spec | 5 +-
 2 files changed, 136 insertions(+), 2 deletions(-)
 create mode 100644 fs-aufs-2.patch
diff --git a/fs-aufs-2.patch b/fs-aufs-2.patch
new file mode 100644
index 0000000..606f5c8
--- /dev/null
+++ b/fs-aufs-2.patch
@@ -0,0 +1,133 @@
+From 4d4c05a8901e313264433db69cc3374cef5164f6 Mon Sep 17 00:00:00 2001
+From: Mauricio Faria de Oliveira
+Date: Mon, 29 Jun 2020 15:31:22 -0300
+Subject: aufs: do not call i_readcount_inc()
+
+The 'struct inode.i_readcount' field is maintained at the VFS, and
+should not be modified by filesystems. But aufs does in one place,
+which causes it to be unbalanced.
+
+This started with Linux v2.6.39 commit 890275b5eb79 ("IMA: maintain
+i_readcount in the VFS layer"), which moved the i_readcount updates
+from IMA into the VFS (at the same places IMA was called previously)
+and introduced 'mutex_lock(i_mutex)' in the ima_file_check() path.
+
+The former change is functionally equivalent, thus no changes are
+needed in response to it.
+
+The latter change, on the other hand, is _not_; and is reported to
+cause a deadlock in aufs (see below), thus it dropped the call to
+ima_file_check().
+
+However, when dropping the ima_file_check() call, aufs introduced
+the i_readcount_inc() call as well, which according to the commit
+changes is not necessary.
+
+This can be observed in aufs2-standalone.git commit 1dbd1c864e455
+("aufs2.1 standalone version for linux-2.6."), announced to the
+aufs-users mailing list on 2011-04-04 [1].
+ 
diff --git a/ChangeLog b/ChangeLog + ... + +commit 17eac367b03334e57a93e8051eb712add24d2534 + +Author: J. R. Okajima + +Date: Fri Apr 1 16:31:22 2011 +0900 + + + + aufs: for 2.6.39, limit the support for IMA + + + + Since it acquires i_mutex and causes a deadlock, replace a + + ima_file_check() call by i_readcount_inc(). + + + + Signed-off-by: J. R. Okajima + ... + diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c + ... + struct file *vfsub_dentry_open(struct path *path, int flags) + ... + + if (!IS_ERR_OR_NULL(file) + + && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) + + i_readcount_inc(path->dentry->d_inode); + + - err = ima_file_check(file, au_conv_oflags(flags)); + ... + +Apparently, this might have been a misunderstanding of one hunk in +the 2.6.39 commit, that deletes the lines to increment i_readcount, +and adds the lines to acquire i_mutex. + +It reuses code from the removed function ima_counts_get() to create +ima_rdwr_violation_check(), and another hunk calls the new function +from ima_file_check(). But note that the i_readcount increment was +_not_ called from ima_file_check() previously, via ima_counts_get(): + + -void ima_counts_get(struct file *file) + +static void ima_rdwr_violation_check(struct file *file) + { + ... + + mutex_lock(&inode->i_mutex); /* file metadata: permissions, xattr */ + ... + - atomic_inc(&inode->i_readcount); + + #@@ -318,6 +308,7 @@ int ima_file_check(struct file *file, int mask) + ... + + ima_rdwr_violation_check(file); + +So, in order to avoid the unbalance caused to i_readcount, drop the +i_readcount_inc() call. + +Note the issue is not the lack of a corresponding i_readcount_dec() +call; it's the mere usage of these functions outside of VFS layer, +where i_readcount is maintained. + +Links: + +[1] https://sourceforge.net/p/aufs/mailman/message/27304125/ + snippet: + + """ + aufs2 Monday GIT release + 
From: - 2011-04-04 04:59:18
+
+ o news
+ - begin supporting linux-2.6.39-rcN.
+ ...
+ - aufs2-2.6.git#aufs2.1 branch
+ ...
+ aufs: for 2.6.39, limit the support for IMA
+ ...
+ """
+
+Signed-off-by: Mauricio Faria de Oliveira
+(cherry picked from commit 515a586eeef31e0717d5dea21e2c11a965340b3c aufs4-linux.git)
+CVE-2020-11935
+Signed-off-by: Mauricio Faria de Oliveira
+Acked-by: Kamal Mostafa
+Signed-off-by: Khalid Elmously
+---
+ fs/aufs/vfsub.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
+index e954cd7..a5e10c5 100644
+--- a/fs/aufs/vfsub.c
++++ b/fs/aufs/vfsub.c
+@@ -76,15 +76,8 @@ int vfsub_update_h_iattr(struct path *h_path, int *did)
+ 
+ struct file *vfsub_dentry_open(struct path *path, int flags)
+ {
+- struct file *file;
+-
+- file = dentry_open(path, flags /* | __FMODE_NONOTIFY */,
++ return dentry_open(path, flags /* | __FMODE_NONOTIFY */,
+ current_cred());
+- if (!IS_ERR_OR_NULL(file)
+- && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+- i_readcount_inc(d_inode(path->dentry));
+-
+- return file;
+ }
+ 
+ struct file *vfsub_filp_open(const char *path, int oflags, int mode)
+-- 
+cgit v1.1
+ 
diff --git a/kernel.spec b/kernel.spec
index f9310f3..dc2d233 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -260,12 +260,13 @@ Patch101: perf-xmlto-skip-validation.patch
 # http://bugs.rosalinux.ru/show_bug.cgi?id=6459
 Patch102: audit-make-it-less-verbose.patch
-# AUFS from http://aufs.sourceforge.net/
+# AUFS 5 from http://aufs.sourceforge.net/
 Patch109: fs-aufs.patch
+Patch110: fs-aufs-2.patch
 # For kmod() generator of RPM Provides
 # Changes version of aacraid.ko
-Patch110: 0001-Remove-RPM-illegal-chars-from-module-version.patch
+Patch111: 0001-Remove-RPM-illegal-chars-from-module-version.patch
 # AltHa LSM Module
 # https://www.altlinux.org/AltHa
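Review bot: Renumbering the existing `Patch110:` tag to `Patch111:` in the kernel.spec hunk is risky: if the spec applies patches with explicit `%patchN` lines (outside this hunk), a `%patch110` that previously applied the RPM-illegal-chars patch would now apply fs-aufs-2.patch and nothing would apply the renamed one; with `%autosetup`/`%autopatch` this is harmless, but that cannot be confirmed from the hunk. Giving the new file a number not yet in use and leaving the old tag alone avoids the question entirely. The new Patch line also carries no hint of what it fixes; a comment such as `# CVE-2020-11935: aufs must not modify the VFS-owned i_readcount (fs-aufs-2.patch)` above `Patch110: fs-aufs-2.patch` would let a later audit tie the spec to the advisory without opening the patch. The `# AUFS` to `# AUFS 5` comment edit is unrelated to the CVE pick and would be clearer in its own commit.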