diff options
author | dheerajpdsk <p.dheeraj.srujan.kumar@intel.com> | 2022-12-03 17:23:15 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-03 17:23:15 +0300 |
commit | e9e8ce6060c3c89cff2ca181cf95e3dec1a6c78d (patch) | |
tree | ee5b64acbe5374240089bc65c9443dd29df482f8 /meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch | |
parent | e0c224c79550bf49928bfb75f629233b1ef07c7a (diff) | |
parent | 7dd3ed26ca09df0e582be8cc2780bba588bdd11e (diff) | |
download | openbmc-e9e8ce6060c3c89cff2ca181cf95e3dec1a6c78d.tar.xz |
Merge pull request #124 from Intel-BMC/update1-0.92
Update to internal 1-0.92
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch new file mode 100644 index 000000000..3af84d90d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch @@ -0,0 +1,52 @@ +From 60765e43e40fbf7a1df828116172440510fcc3e4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 28 Jan 2022 22:57:01 +0300 +Subject: [PATCH] fanotify: Fix stale file descriptor in copy_event_to_user() + +commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream. + +This code calls fd_install() which gives the userspace access to the fd. +Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but +that will not release it and leads to a stale entry in the file +descriptor table. + +Generally you can't trust the fd after a call to fd_install(). The fix +is to delay the fd_install() until everything else has succeeded. + +Fortunately it requires CAP_SYS_ADMIN to reach this code so the security +impact is less. + +Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up") +Link: https://lore.kernel.org/r/20220128195656.GA26981@kili +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Mathias Krause <minipli@grsecurity.net> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/notify/fanotify/fanotify_user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index 6facdf476255d1..84ec851211d91c 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -611,9 +611,6 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + if (fanotify_is_perm_event(event->mask)) + FANOTIFY_PERM(event)->fd = fd; + +- if (f) +- fd_install(fd, f); +- + if (info_mode) { + ret = copy_info_records_to_user(event, info, info_mode, pidfd, + buf, count); +@@ -621,6 +618,9 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + goto out_close_fd; + } + ++ if (f) ++ fd_install(fd, f); ++ + return metadata.event_len; + + out_close_fd: |