From 80c7e812dffa734599aadde93cb8e30b34f0983d Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Mon, 21 Mar 2022 15:45:03 -0400

Subject: [KPATCH CVE-2021-4083] fget: kpatch fixes for CVE-2021-4083

Kernels:

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

3.10.0-1160.36.2.el7

3.10.0-1160.41.1.el7

3.10.0-1160.42.2.el7

3.10.0-1160.45.1.el7

3.10.0-1160.49.1.el7

3.10.0-1160.53.1.el7

3.10.0-1160.59.1.el7

Changes since last build:

arches: x86_64 ppc64le

file.o: changed function: SyS_dup

file.o: changed function: dup_fd

file.o: changed function: fget

file.o: changed function: fget_light

file.o: changed function: fget_raw

file.o: changed function: fget_raw_light

file.o: changed function: put_files_struct

file.o: new function: __fget

file.o: new function: __fget_light

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/34

Approved-by: Yannick Cote (@ycote1)

Modifications:

- include/linux/rcupdate.h, kernel/rcupdate.c: leave exported

  rcu_my_thread_group_empty() intact

- fs/file.c: use fput() instead of fputs_many() since we skipped commit

  ("fs: add fget_many() and fput_many()")

- fs/file.c: use fcheck_files() instead of files_lookup_fd_raw() since

  we are skipping subsequent commit ("fget: clarify and improve

  __fget_files() implementation") that provides it.

- Set __attribute__((optimize("-fno-optimize-sibling-calls"))) for

  fget() and fget_raw() on ppc64le

commit c2207a235113315ad696b06eb96ccd36d1f5fdeb

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:29 2022 +0100

    introduce __fcheck_files() to fix rcu_dereference_check_fdtable(), kill rcu_my_thread_group_empty()

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    Conflicts:

            - context difference due to backport of later patch

            - target file difference due to missing backport of rcu source code

              move

    commit a8d4b8345e0ee48b732126d980efaf0dc373e2b0

    Author: Oleg Nesterov <oleg@redhat.com>

    Date:   Sat Jan 11 19:19:32 2014 +0100

        introduce __fcheck_files() to fix rcu_dereference_check_fdtable(), kill rcu_my_thread_group_empty()

        rcu_dereference_check_fdtable() looks very wrong,

        1. rcu_my_thread_group_empty() was added by 844b9a8707f1 "vfs: fix

           RCU-lockdep false positive due to /proc" but it doesn't really

           fix the problem. A CLONE_THREAD (without CLONE_FILES) task can

           hit the same race with get_files_struct().

           And otoh rcu_my_thread_group_empty() can suppress the correct

           warning if the caller is the CLONE_FILES (without CLONE_THREAD)

           task.

        2. files->count == 1 check is not really right too. Even if this

           files_struct is not shared it is not safe to access it lockless

           unless the caller is the owner.

           Otoh, this check is sub-optimal. files->count == 0 always means

           it is safe to use it lockless even if files != current->files,

           but put_files_struct() has to take rcu_read_lock(). See the next

           patch.

        This patch removes the buggy checks and turns fcheck_files() into

        __fcheck_files() which uses rcu_dereference_raw(), the "unshared"

        callers, fget_light() and fget_raw_light(), can use it to avoid

        the warning from RCU-lockdep.

        fcheck_files() is trivially reimplemented as rcu_lockdep_assert()

        plus __fcheck_files().

        Signed-off-by: Oleg Nesterov <oleg@redhat.com>

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

commit ec06bac02991edcfdeb148ab2fe7f3e2d7d3ceaa

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:30 2022 +0100

    fs: factor out common code in fget() and fget_raw()

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    Conflicts:

            - difference due to backport of later patch

    commit 1deb46e2562561255c34075825fd00f22a858bb3

    Author: Oleg Nesterov <oleg@redhat.com>

    Date:   Mon Jan 13 16:48:19 2014 +0100

        fs: factor out common code in fget() and fget_raw()

        Apart from FMODE_PATH check fget() and fget_raw() are identical,

        shift the code into the new simple helper, __fget(fd, mask). Saves

        160 bytes.

        Signed-off-by: Oleg Nesterov <oleg@redhat.com>

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

commit ac43fab520f6836e2a7d3d20dd64d6328233ccbe

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:30 2022 +0100

    fs: factor out common code in fget_light() and fget_raw_light()

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    commit ad46183445043b562856c60b74db664668fb364b

    Author: Oleg Nesterov <oleg@redhat.com>

    Date:   Mon Jan 13 16:48:40 2014 +0100

        fs: factor out common code in fget_light() and fget_raw_light()

        Apart from FMODE_PATH check fget_light() and fget_raw_light() are

        identical, shift the code into the new helper, __fget_light(fd, mask).

        Saves 208 bytes.

        Signed-off-by: Oleg Nesterov <oleg@redhat.com>

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

commit 9e24c8894f5df488a336f0c848f15a7d2f78d163

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:30 2022 +0100

    fs: __fget_light() can use __fget() in slow path

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    commit e6ff9a9fa4e05c1c03dec63cdc6a87d6dea02755

    Author: Oleg Nesterov <oleg@redhat.com>

    Date:   Mon Jan 13 16:49:06 2014 +0100

        fs: __fget_light() can use __fget() in slow path

        The slow path in __fget_light() can use __fget() to avoid the

        code duplication. Saves 232 bytes.

        Signed-off-by: Oleg Nesterov <oleg@redhat.com>

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

commit d63fb584ae2d7d9a1620e23e59072cb6929f3833

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:30 2022 +0100

    fs/file.c: __fget() and dup2() atomicity rules

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    commit 5ba97d2832f87943c43bb69cb1ef86dbc59df5bc

    Author: Eric Dumazet <edumazet@google.com>

    Date:   Mon Jun 29 17:10:30 2015 +0200

        fs/file.c: __fget() and dup2() atomicity rules

        __fget() does lockless fetch of pointer from the descriptor

        table, attempts to grab a reference and treats "it was already

        zero" as "it's already gone from the table, we just hadn't

        seen the store, let's fail".  Unfortunately, that breaks the

        atomicity of dup2() - __fget() might see the old pointer,

        notice that it's been already dropped and treat that as

        "it's closed".  What we should be getting is either the

        old file or new one, depending whether we come before or after

        dup2().

        Dmitry had following test failing sometimes :

        int fd;

        void *Thread(void *x) {

          char buf;

          int n = read(fd, &buf, 1);

          if (n != 1)

            exit(printf("read failed: n=%d errno=%d\n", n, errno));

          return 0;

        }

        int main()

        {

          fd = open("/dev/urandom", O_RDONLY);

          int fd2 = open("/dev/urandom", O_RDONLY);

          if (fd == -1 || fd2 == -1)

            exit(printf("open failed\n"));

          pthread_t th;

          pthread_create(&th, 0, Thread, 0);

          if (dup2(fd2, fd) == -1)

            exit(printf("dup2 failed\n"));

          pthread_join(th, 0);

          if (close(fd) == -1)

            exit(printf("close failed\n"));

          if (close(fd2) == -1)

            exit(printf("close failed\n"));

          printf("DONE\n");

          return 0;

        }

        Signed-off-by: Eric Dumazet <edumazet@google.com>

        Reported-by: Dmitry Vyukov <dvyukov@google.com>

        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

commit bc04a10c9303dcd9a6305a0452361537257fa0c1

Author: Miklos Szeredi <mszeredi@redhat.com>

Date:   Fri Jan 21 10:22:31 2022 +0100

    fget: check that the fd still exists after getting a ref to it

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2032478

    Upstream status: Linus

    Testing: xfstests

    CVE: CVE-2021-4083

    commit 054aa8d439b9185d4f5eb9a90282d1ce74772969

    Author: Linus Torvalds <torvalds@linux-foundation.org>

    Date:   Wed Dec 1 10:06:14 2021 -0800

        fget: check that the fd still exists after getting a ref to it

        Jann Horn points out that there is another possible race wrt Unix domain

        socket garbage collection, somewhat reminiscent of the one fixed in

        commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").

        See the extended comment about the garbage collection requirements added

        to unix_peek_fds() by that commit for details.

        The race comes from how we can locklessly look up a file descriptor just

        as it is in the process of being closed, and with the right artificial

        timing (Jann added a few strategic 'mdelay(500)' calls to do that), the

        Unix domain socket garbage collector could see the reference count

        decrement of the close() happen before fget() took its reference to the

        file and the file was attached onto a new file descriptor.

        This is all (intentionally) correct on the 'struct file *' side, with

        RCU lookups and lockless reference counting very much part of the

        design.  Getting that reference count out of order isn't a problem per

        se.

        But the garbage collector can get confused by seeing this situation of

        having seen a file not having any remaining external references and then

        seeing it being attached to an fd.

        In commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK") the

        fix was to serialize the file descriptor install with the garbage

        collector by taking and releasing the unix_gc_lock.

        That's not really an option here, but since this all happens when we are

        in the process of looking up a file descriptor, we can instead simply

        just re-check that the file hasn't been closed in the meantime, and just

        re-do the lookup if we raced with a concurrent close() of the same file

        descriptor.

        Reported-and-tested-by: Jann Horn <jannh@google.com>

        Acked-by: Miklos Szeredi <mszeredi@redhat.com>

        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 fs/file.c               | 86 +++++++++++++++--------------------------

 include/linux/fdtable.h | 35 ++++++++++-------

 2 files changed, 53 insertions(+), 68 deletions(-)

diff --git a/fs/file.c b/fs/file.c

index 44bd634b636a..564d60bf0fda 100644

--- a/fs/file.c

+++ b/fs/file.c

@@ -718,42 +718,43 @@ void do_close_on_exec(struct files_struct *files)

 	spin_unlock(&files->file_lock);

 }

-struct file *fget(unsigned int fd)

+static struct file *__fget(unsigned int fd, fmode_t mask)

 {

-	struct file *file;

 	struct files_struct *files = current->files;

+	struct file *file;

 	rcu_read_lock();

+loop:

 	file = fcheck_files(files, fd);

 	if (file) {

-		/* File object ref couldn't be taken */

-		if (file->f_mode & FMODE_PATH || !get_file_rcu(file))

+		/* File object ref couldn't be taken.

+		 * dup2() atomicity guarantee is the reason

+		 * we loop to catch the new file (or NULL pointer)

+		 */

+		if (file->f_mode & mask)

 			file = NULL;

+		else if (!get_file_rcu(file))

+			goto loop;

+		else if (fcheck_files(files, fd) != file) {

+			fput(file);

+			goto loop;

+		}

 	}

 	rcu_read_unlock();

 	return file;

 }

+__attribute__((optimize("-fno-optimize-sibling-calls"))) struct file *fget(unsigned int fd)

+{

+	return __fget(fd, FMODE_PATH);

+}

 EXPORT_SYMBOL(fget);

-struct file *fget_raw(unsigned int fd)

+__attribute__((optimize("-fno-optimize-sibling-calls"))) struct file *fget_raw(unsigned int fd)

 {

-	struct file *file;

-	struct files_struct *files = current->files;

-

-	rcu_read_lock();

-	file = fcheck_files(files, fd);

-	if (file) {

-		/* File object ref couldn't be taken */

-		if (!atomic_long_inc_not_zero(&file->f_count))

-			file = NULL;

-	}

-	rcu_read_unlock();

-

-	return file;

+	return __fget(fd, 0);

 }

-

 EXPORT_SYMBOL(fget_raw);

 /*

@@ -772,56 +773,33 @@ EXPORT_SYMBOL(fget_raw);

  * The fput_needed flag returned by fget_light should be passed to the

  * corresponding fput_light.

  */

-struct file *fget_light(unsigned int fd, int *fput_needed)

+struct file *__fget_light(unsigned int fd, fmode_t mask, int *fput_needed)

 {

-	struct file *file;

 	struct files_struct *files = current->files;

+	struct file *file;

 	*fput_needed = 0;

 	if (atomic_read(&files->count) == 1) {

-		file = fcheck_files(files, fd);

-		if (file && (file->f_mode & FMODE_PATH))

+		file = __fcheck_files(files, fd);

+		if (file && (file->f_mode & mask))

 			file = NULL;

 	} else {

-		rcu_read_lock();

-		file = fcheck_files(files, fd);

-		if (file) {

-			if (!(file->f_mode & FMODE_PATH) &&

-			    atomic_long_inc_not_zero(&file->f_count))

-				*fput_needed = 1;

-			else

-				/* Didn't get the reference, someone's freed */

-				file = NULL;

-		}

-		rcu_read_unlock();

+		file = __fget(fd, mask);

+		if (file)

+			*fput_needed = 1;

 	}

 	return file;

 }

+struct file *fget_light(unsigned int fd, int *fput_needed)

+{

+	return __fget_light(fd, FMODE_PATH, fput_needed);

+}

 EXPORT_SYMBOL(fget_light);

 struct file *fget_raw_light(unsigned int fd, int *fput_needed)

 {

-	struct file *file;

-	struct files_struct *files = current->files;

-

-	*fput_needed = 0;

-	if (atomic_read(&files->count) == 1) {

-		file = fcheck_files(files, fd);

-	} else {

-		rcu_read_lock();

-		file = fcheck_files(files, fd);

-		if (file) {

-			if (atomic_long_inc_not_zero(&file->f_count))

-				*fput_needed = 1;

-			else

-				/* Didn't get the reference, someone's freed */

-				file = NULL;

-		}

-		rcu_read_unlock();

-	}

-

-	return file;

+	return __fget_light(fd, 0, fput_needed);

 }

 void set_close_on_exec(unsigned int fd, int flag)

diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h

index 88d74ca9418f..95bcca7c1a0f 100644

--- a/include/linux/fdtable.h

+++ b/include/linux/fdtable.h

@@ -70,29 +70,36 @@ struct files_struct {

 	RH_KABI_EXTEND(wait_queue_head_t resize_wait)

 };

-#define rcu_dereference_check_fdtable(files, fdtfd) \

-	(rcu_dereference_check((fdtfd), \

-			       lockdep_is_held(&(files)->file_lock) || \

-			       atomic_read(&(files)->count) == 1 || \

-			       rcu_my_thread_group_empty()))

-

-#define files_fdtable(files) \

-		(rcu_dereference_check_fdtable((files), (files)->fdt))

-

 struct file_operations;

 struct vfsmount;

 struct dentry;

-static inline struct file * fcheck_files(struct files_struct *files, unsigned int fd)

+#define rcu_dereference_check_fdtable(files, fdtfd) \

+	rcu_dereference_check((fdtfd), lockdep_is_held(&(files)->file_lock))

+

+#define files_fdtable(files) \

+	rcu_dereference_check_fdtable((files), (files)->fdt)

+

+/*

+ * The caller must ensure that fd table isn't shared or hold rcu or file lock

+ */

+static inline struct file *__fcheck_files(struct files_struct *files, unsigned int fd)

 {

-	struct file * file = NULL;

-	struct fdtable *fdt = files_fdtable(files);

+	struct fdtable *fdt = rcu_dereference_raw(files->fdt);

 	if (fd < fdt->max_fds) {

 		fd = array_index_nospec(fd, fdt->max_fds);

-		file = rcu_dereference_check_fdtable(files, fdt->fd[fd]);

+		return rcu_dereference_raw(fdt->fd[fd]);

 	}

-	return file;

+	return NULL;

+}

+

+static inline struct file *fcheck_files(struct files_struct *files, unsigned int fd)

+{

+	rcu_lockdep_assert(rcu_read_lock_held() ||

+			   lockdep_is_held(&files->file_lock),

+			   "suspicious rcu_dereference_check() usage");

+	return __fcheck_files(files, fd);

 }

 /*

-- 

2.26.3