diff options
author | dheerajpdsk <p.dheeraj.srujan.kumar@intel.com> | 2022-06-16 23:47:53 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-16 23:47:53 +0300 |
commit | e0c224c79550bf49928bfb75f629233b1ef07c7a (patch) | |
tree | dfe08b91193d44f4984117dbd3eef9866e097582 /meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch | |
parent | 0945170f93cc0c101bf01739f41136c2f05af570 (diff) | |
parent | 1f4be67aa2cc61a3db46c577da5ccd88cc84fa16 (diff) | |
download | openbmc-e0c224c79550bf49928bfb75f629233b1ef07c7a.tar.xz |
Merge pull request #82 from Intel-BMC/update1-0.91-151
Update to internal 1-0.91-151
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch new file mode 100644 index 000000000..42fbba9ac --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-24122.patch @@ -0,0 +1,57 @@ +From f9d87929d451d3e649699d0f1d74f71f77ad38f5 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 24 Jan 2022 12:46:50 -0600 +Subject: ucount: Make get_ucount a safe get_user replacement + +When the ucount code was refactored to create get_ucount it was missed +that some of the contexts in which a rlimit is kept elevated can be +the only reference to the user/ucount in the system. + +Ordinary ucount references exist in places that also have a reference +to the user namspace, but in POSIX message queues, the SysV shm code, +and the SIGPENDING code there is no independent user namespace +reference. + +Inspection of the the user_namespace show no instance of circular +references between struct ucounts and the user_namespace. So +hold a reference from struct ucount to i's user_namespace to +resolve this problem. + +Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/ +Reported-by: Qian Cai <quic_qiancai@quicinc.com> +Reported-by: Mathias Krause <minipli@grsecurity.net> +Tested-by: Mathias Krause <minipli@grsecurity.net> +Reviewed-by: Mathias Krause <minipli@grsecurity.net> +Reviewed-by: Alexey Gladkov <legion@kernel.org> +Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") +Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts") +Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") +Cc: stable@vger.kernel.org +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +--- + kernel/ucount.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/ucount.c b/kernel/ucount.c +index 7b32c356ebc5c..65b597431c861 100644 +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -190,6 +190,7 @@ struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid) + kfree(new); + } else { + hlist_add_head(&new->node, hashent); ++ get_user_ns(new->ns); + spin_unlock_irq(&ucounts_lock); + return new; + } +@@ -210,6 +211,7 @@ void put_ucounts(struct ucounts *ucounts) + if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock, flags)) { + hlist_del_init(&ucounts->node); + spin_unlock_irqrestore(&ucounts_lock, flags); ++ put_user_ns(ucounts->ns); + kfree(ucounts); + } + } +-- +cgit 1.2.3-1.el7 + |