Blame SOURCES/CVE-2020-0466.patch

From c17b58ebffbfa862b3f1815e208db340bd1664eb Mon Sep 17 00:00:00 2001
From: Yannick Cote <ycote@redhat.com>
Date: Tue, 1 Feb 2022 14:14:41 -0500
Subject: [KPATCH CVE-2020-0466] epoll: kpatch fixes for CVE-2020-0466

Kernels:
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7
3.10.0-1160.49.1.el7
3.10.0-1160.53.1.el7

Changes since last build:
[x86_64]:
eventpoll.o: changed function: SyS_epoll_ctl
eventpoll.o: changed function: clear_tfile_check_list
eventpoll.o: changed function: ep_loop_check_proc

[ppc64le]:
eventpoll.o: changed function: SyS_epoll_ctl
eventpoll.o: changed function: ep_loop_check_proc

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/22
Approved-by: Artem Savkov (@artem.savkov)
Kernels:
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7
3.10.0-1160.49.1.el7
3.10.0-1160.53.1.el7

Modifications: none

commit f771ed0537c55c506dc846cb8f3da60f6383a2b3
Author: Carlos Maiolino <cmaiolino@redhat.com>
Date:   Sat Dec 18 09:23:31 2021 +0100

    epoll: Keep a reference on files added to the check list

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
    Tested: Sanity check only
    CVE: CVE-2020-0466

    Conflicts:
            - RHEL7 has no support for non-blocking do_epoll_ctl(), so the
              original patch got this part stripped.

    When adding a new fd to an epoll, and that this new fd is an
    epoll fd itself, we recursively scan the fds attached to it
    to detect cycles, and add non-epoll files to a "check list"
    that gets subsequently parsed.

    However, this check list isn't completely safe when deletions
    can happen concurrently. To sidestep the issue, make sure that
    a struct file placed on the check list sees its f_count increased,
    ensuring that a concurrent deletion won't result in the file
    disappearing from under our feet.

    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    (cherry picked from commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682)

    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>

commit 0875a380011a7ff7f4504b72890c29fec420d1cd
Author: Carlos Maiolino <cmaiolino@redhat.com>
Date:   Sat Dec 18 09:23:47 2021 +0100

    fix regression in "epoll: Keep a reference on files added to the check list"

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2042760
    Tested: Sanity check only
    CVE: CVE-2020-0466

    epoll_loop_check_proc() can run into a file already committed to destruction;
    we can't grab a reference on those and don't need to add them to the set for
    reverse path check anyway.

    Tested-by: Marc Zyngier <maz@kernel.org>
    Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    (cherry picked from commit 77f4689de17c0887775bb77896f4cc11a39bf848)

    Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>

Signed-off-by: Yannick Cote <ycote@redhat.com>
---
 fs/eventpoll.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 6731b99a481f..ca0eb701eeb4 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1750,9 +1750,11 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
 			 * not already there, and calling reverse_path_check()
 			 * during ep_insert().
 			 */
-			if (list_empty(&epi->ffd.file->f_tfile_llink))
-				list_add(&epi->ffd.file->f_tfile_llink,
-					 &tfile_check_list);
+			if (list_empty(&epi->ffd.file->f_tfile_llink)) {
+				if (get_file_rcu(epi->ffd.file))
+					list_add(&epi->ffd.file->f_tfile_llink,
+						 &tfile_check_list);
+			}
 		}
 	}
 	mutex_unlock(&ep->mtx);
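Review bot: the existing comment above the new `if (get_file_rcu(epi->ffd.file))` still only describes adding the file to tfile_check_list. It should also say that a reference is now taken on each file placed on the list, and that a file for which get_file_rcu() fails is deliberately left off. The second commit message gives the reason (such a file is already committed to destruction and is not needed for the reverse path check); putting that in the code comment keeps the silent skip from later being mistaken for a missed error path.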
@@ -1796,6 +1798,7 @@ static void clear_tfile_check_list(void)
 		file = list_first_entry(&tfile_check_list, struct file,
 					f_tfile_llink);
 		list_del_init(&file->f_tfile_llink);
+		fput(file);
 	}
 	INIT_LIST_HEAD(&tfile_check_list);
 }
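Review bot: the unconditional `fput(file)` after `list_del_init(&file->f_tfile_llink)` is only balanced if every insertion into tfile_check_list takes a reference first. The two list_add() sites visible in this patch do (get_file_rcu() in ep_loop_check_proc, get_file() in epoll_ctl), but please confirm there is no other insertion in this tree, and consider a comment at the list stating that invariant. For the kpatch build, the changed-function list for ppc64le does not include clear_tfile_check_list while the x86_64 list does; it is worth confirming that the function is inlined into SyS_epoll_ctl on ppc64le so that this fput() is actually part of the patched code, otherwise the references taken on that architecture would never be dropped.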
@@ -1951,9 +1954,11 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
 					clear_tfile_check_list();
 					goto error_tgt_fput;
 				}
-			} else
+			} else {
+				get_file(tf.file);
 				list_add(&tf.file->f_tfile_llink,
 							&tfile_check_list);
+			}
 			mutex_lock_nested(&ep->mtx, 0);
 			if (is_file_epoll(tf.file)) {
 				tep = tf.file->private_data;
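Review bot: in the new else branch, `get_file(tf.file)` is taken unconditionally, while ep_loop_check_proc uses get_file_rcu() and checks the result; a short comment saying why the plain form is safe here would help (presumably because the syscall already holds its own reference on tf.file, as the error_tgt_fput label suggests). The reference taken here is dropped only by clear_tfile_check_list(), and the only call visible in this hunk is on the error path just above, so please confirm that every exit reached after this list_add(), including the success path, also goes through clear_tfile_check_list().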
-- 
2.26.3