path: root/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
new file mode 100644
index 000000000..3af84d90d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
@@ -0,0 +1,52 @@
+From 60765e43e40fbf7a1df828116172440510fcc3e4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 28 Jan 2022 22:57:01 +0300
+Subject: [PATCH] fanotify: Fix stale file descriptor in copy_event_to_user()
+
+commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream.
+
+This code calls fd_install() which gives the userspace access to the fd.
+Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but
+that will not release it and leads to a stale entry in the file
+descriptor table.
+
+Generally you can't trust the fd after a call to fd_install(). The fix
+is to delay the fd_install() until everything else has succeeded.
+
+Fortunately it requires CAP_SYS_ADMIN to reach this code so the security
+impact is less.
+
+Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up")
+Link: https://lore.kernel.org/r/20220128195656.GA26981@kili
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Mathias Krause <minipli@grsecurity.net>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/notify/fanotify/fanotify_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 6facdf476255d1..84ec851211d91c 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -611,9 +611,6 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ if (fanotify_is_perm_event(event->mask))
+ FANOTIFY_PERM(event)->fd = fd;
+
+- if (f)
+- fd_install(fd, f);
+-
+ if (info_mode) {
+ ret = copy_info_records_to_user(event, info, info_mode, pidfd,
+ buf, count);
+@@ -621,6 +618,9 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ goto out_close_fd;
+ }
+
++ if (f)
++ fd_install(fd, f);
++
+ return metadata.event_len;
+
+ out_close_fd:
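Review bot: The diffstat shows only the patch file itself being added, and nothing in this commit adds `file://CVE-2022-1998.patch` to the linux-aspeed recipe's SRC_URI, so unless a matching .bbappend change lands separately the backport is never applied and the kernel keeps the stale-fd bug the patch header describes. The patch header would also benefit from the OpenEmbedded tags that cve-check and patch review rely on, placed after the `commit ... upstream.` line: `Upstream-Status: Backport [ee12595147ac1fbfb5bcb23837e26dd58d94b15d]` and `CVE: CVE-2022-1998`. The inner hunk context lines appear with a single space instead of the kernel's leading tab (e.g. `+ if (f)` rather than `+\tif (f)`); that may be a rendering artifact, but if the stored file really lost the tabs it will fail to apply, so it is worth checking with `git apply --check` against the linux-aspeed tree in use. Note the second inner hunk at `@@ -621,6 +618,9 @@` ends at `out_close_fd:`, so the cleanup path that now correctly pairs put_unused_fd()/fput() with an uninstalled fd is outside the shown lines.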