From patchwork Wed Oct 13 19:18:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1540585 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=iWzWNOoo; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HV2QP5w03z9sP7 for ; Thu, 14 Oct 2021 06:19:09 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1majmK-0007IJ-GR; Wed, 13 Oct 2021 19:19:04 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1majmJ-0007Hz-EK for kernel-team@lists.ubuntu.com; Wed, 13 Oct 2021 19:19:03 +0000 Received: from mussarela.. (unknown [177.9.89.30]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 811D43F07D for ; Wed, 13 Oct 2021 19:19:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1634152743; bh=D5jRh8KznDdHq70EBnkhLqDnS3oA8B6LA2XBWkO+Bbw=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=iWzWNOoox/VUwNmQbuneqfiyC3pGo+fGgU3+Q/lJLdq/mKck0BShnWg9FwMnoeVcL xcq2RfQf1ajHyWMUBb7uA+d6Rad3c5BxDOFWoT0V99cc0/hluDtXE6QgpT5f+i25kK IoAY6Ed+8YMf34LoeGola+Ln4SMOmaN2mX6Yto7zoNATcGqwToWeo9V6ZT1f0W7O2M dkHKlV1ZGIKxATRiLjvqYvYgWhAOz/Wba8g3kEFRuTbwuMIXe2A6rpET3fG1ntKv98 s6qT48/bVEefYI6rao/imQSHrg/vIsZFGqp8ZRU/HEQq1vS0BR9h3v5smOnoUZb29r tD9KoI101Esig== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Bionic 0/2] CVE-2020-36322 and CVE-2021-28950 Date: Wed, 13 Oct 2021 16:18:54 -0300 Message-Id: <20211013191856.906264-1-cascardo@canonical.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] Unprivileged users could mount a fuse filesystem and trigger a BUG_ON or a soft lockup. [Test case] A test was found for the first issue, but not the second. The fix works for that first one. [Backport] The backport had a lot of conflicts due to context. As the nature of the fix was basically replacing is_bad_inode with fuse_is_bad and adding the check for fuse_is_bad, it is not that hard to review that the end result is as expected. [Potential regression] FUSE filesystems may lock up, trigger BUGs, or fail to respond. It is more likely to happen due to malicious actions. So, there is a chance that forcing bad inodes may lead to other potential hiccups. Amir Goldstein (1): fuse: fix live lock in fuse_iget() Miklos Szeredi (1): fuse: fix bad inode fs/fuse/acl.c | 6 ++++++ fs/fuse/dir.c | 41 ++++++++++++++++++++++++++++++++++++----- fs/fuse/file.c | 21 ++++++++++++--------- fs/fuse/fuse_i.h | 13 +++++++++++++ fs/fuse/inode.c | 2 +- fs/fuse/xattr.c | 9 +++++++++ 6 files changed, 77 insertions(+), 15 deletions(-) Acked-by: Kelsey Skunberg Acked-by: Stefan Bader