[SRU,Impish,Hirsute,OEM-5.10,Focal,Bionic,0/2] CVE-2021-4083

Message ID 20220121142616.163592-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo Jan. 21, 2022, 2:26 p.m. UTC
[Impact]
A race condition during unix socket garbage collection may lead to a potential
use-after-free for a struct file.

[Backport]
On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels,
__fcheck_files was used instead, as it was renamed to files_lookup_fd_raw.

This solution was also used on upstream stable backports.

[Test case]
There is no specific test case for this, but a stress on the unix garbage
collection was tested.

[Potential regression]
These fixes impact every use of file descriptors, not only restricted to
unix sockets. Some impact on workloads with races on creating and closing
file descriptors is expected.

Jens Axboe (1):
  fs: add fget_many() and fput_many()

Linus Torvalds (1):
  fget: check that the fd still exists after getting a ref to it

 fs/file.c            | 19 ++++++++++++++-----
 fs/file_table.c      |  9 +++++++--
 include/linux/file.h |  2 ++
 include/linux/fs.h   |  4 +++-
 4 files changed, 26 insertions(+), 8 deletions(-)
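
The pattern named in the second patch title (take the reference, then check that the fd still maps to the same file), as an added single-threaded user-space model; it is not code from this series or from the kernel. `struct fdtable`, `race_hook`, `close_fd`, `fget_unchecked` and `fget_checked` are hypothetical names, and the starting refcount of 2 assumes one holder besides the fd table.

```c
#include <stddef.h>

struct file { long count; };            /* stand-in for the struct file refcount */
struct fdtable { struct file *slot; };  /* one-entry stand-in for the fd table */
/* Hypothetical hook: runs at the point where a concurrent close() could land. */
static void (*race_hook)(struct fdtable *);

static int get_ref_not_zero(struct file *f) {
    if (f->count == 0) return 0;        /* already being freed: no new ref */
    f->count++;
    return 1;
}
static void put_ref(struct file *f) { f->count--; }

/* Simulated close(): empty the slot, then drop the table's reference. */
static void close_fd(struct fdtable *t) {
    struct file *f = t->slot;
    t->slot = NULL;
    if (f) put_ref(f);
}

/* Look up, then take a reference, without re-checking the table. */
static struct file *fget_unchecked(struct fdtable *t) {
    struct file *f = t->slot;
    if (f && race_hook) race_hook(t);
    if (f && !get_ref_not_zero(f)) return NULL;
    return f;
}

/* Same lookup, but confirm the fd still maps to this file once the ref is held. */
static struct file *fget_checked(struct fdtable *t) {
    for (;;) {
        struct file *f = t->slot;
        if (!f) return NULL;
        if (race_hook) race_hook(t);
        if (!get_ref_not_zero(f)) continue;
        if (t->slot == f) return f;
        put_ref(f);                     /* fd went away meanwhile: drop and retry */
    }
}

int main(void) {
    struct file f = { 2 };              /* constructed: table ref + one other holder */
    struct fdtable t = { &f };
    race_hook = close_fd;
    struct file *stale = fget_unchecked(&t);   /* hands back &f for a closed fd */
    f.count = 2; t.slot = &f;
    struct file *safe = fget_checked(&t);      /* mismatch seen, extra ref dropped */
    return (stale == &f && safe == NULL && f.count == 1) ? 0 : 1;
}
```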

Comments

Krzysztof Kozlowski Jan. 24, 2022, 8:51 a.m. UTC | #1
On 21/01/2022 15:26, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition during unix socket garbage collection may lead to a potential
> use-after-free for a struct file.
> 
> [Backport]
> On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels,
> __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw.
> 
> This solution was also used on upstream stable backports.
> 
> [Test case]
> There is no specific test case for this, but a stress on the unix garbage
> collection was tested.
> 
> [Potential regression]
> These fixes impact every use of file descriptors, not only restricted to
> unix sockets. Some impact on workloads with races on creating and closing
> file descriptors is expected.
> 
> Jens Axboe (1):
>   fs: add fget_many() and fput_many()
> 
> Linus Torvalds (1):
>   fget: check that the fd still exists after getting a ref to it
> 


Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>


Best regards,
Krzysztof

Tim Gardner Jan. 24, 2022, 1:10 p.m. UTC | #2
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 1/21/22 7:26 AM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition during unix socket garbage collection may lead to a potential
> use-after-free for a struct file.
> 
> [Backport]
> On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels,
> __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw.
> 
> This solution was also used on upstream stable backports.
> 
> [Test case]
> There is no specific test case for this, but a stress on the unix garbage
> collection was tested.
> 
> [Potential regression]
> These fixes impact every use of file descriptors, not only restricted to
> unix sockets. Some impact on workloads with races on creating and closing
> file descriptors is expected.
> 
> Jens Axboe (1):
>    fs: add fget_many() and fput_many()
> 
> Linus Torvalds (1):
>    fget: check that the fd still exists after getting a ref to it
> 
>   fs/file.c            | 19 ++++++++++++++-----
>   fs/file_table.c      |  9 +++++++--
>   include/linux/file.h |  2 ++
>   include/linux/fs.h   |  4 +++-
>   4 files changed, 26 insertions(+), 8 deletions(-)
>