From e4655cc96aae6a736b09791c7a0e616857ac9de7 Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Jan 12 2018 15:51:28 +0000
Subject: Fix CVE-2018-5344 (rhbz 1533909 1533911)
---
diff --git a/kernel.spec b/kernel.spec
index c561dee..b4be632 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -644,6 +644,9 @@ Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
 # https://patchwork.kernel.org/patch/10104349/
 Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
 
+# CVE-2018-5344 rhbz 1533909 1533911
+Patch507: loop-fix-concurrent-lo_open-lo_release.patch
+
 # 550-600 Meltdown and Spectre Fixes
 Patch550: prevent-bounds-check-bypass-via-speculative-execution.patch
 Patch551: 0001-x86-cpufeatures-Add-X86_BUG_SPECTRE_V-12.patch
@@ -2243,6 +2246,9 @@ fi
 
 #
 # %changelog
+* Fri Jan 12 2018 Jeremy Cline
+- Fix for CVE-2018-5344 (rhbz 1533909 1533911)
+
 * Wed Jan 10 2018 Justin M. Forbes - 4.14.13-300
 - Linux v4.14.13
 - Iniital retpoline fixes for Spectre v2
diff --git a/loop-fix-concurrent-lo_open-lo_release.patch b/loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 0000000..37131a7
--- /dev/null
+++ b/loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,55 @@
+From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: [PATCH] loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞
+Signed-off-by: Linus Torvalds
+Signed-off-by: Jens Axboe
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index bc8e61506968..d5fe720cf149 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+ return err;
+ }
+
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+- struct loop_device *lo = disk->private_data;
+ int err;
+
+ if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+ mutex_unlock(&lo->lo_ctl_mutex);
+ }
+
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++ mutex_lock(&loop_index_mutex);
++ __lo_release(disk->private_data);
++ mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+ .owner = THIS_MODULE,
+ .open = lo_open,
+-- 
+2.15.1
+
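Review bot: The new lo_release() wrapper takes loop_index_mutex and then calls __lo_release(), whose body (per the `mutex_unlock(&lo->lo_ctl_mutex)` context line) acquires lo_ctl_mutex inside it, so the backport now fixes a loop_index_mutex → lo_ctl_mutex lock order; any path that already holds lo_ctl_mutex and then wants loop_index_mutex would deadlock, which is worth confirming against the ioctl and loop_clr_fd paths, none of which are visible in this hunk. Nothing in the patch records that ordering, so a one-line comment above the wrapper, `/* loop_index_mutex serialises release against lo_open(); it is taken before lo_ctl_mutex */`, would keep a later rebase from inverting it. Both __lo_release() and lo_open() continue outside the quoted hunks. The collapsed text has also lost the tab indentation of the nested hunk lines, so the committed .patch file should be checked byte-for-byte against upstream ae6650163c66 before it is applied in the build.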