| From: Piotr Krysiuk <piotras@gmail.com> |
| Date: Mon, 27 Apr 2020 11:34:12 +0100 |
| Subject: fs/namespace.c: fix mountpoint reference counter race |
| |
| A race condition between threads updating mountpoint reference counter |
| affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118. |
| |
| The mountpoint reference counter corruption may occur when: |
| * one thread increments m_count member of struct mountpoint |
| [under namespace_sem, but not holding mount_lock] |
| pivot_root() |
| * another thread simultaneously decrements the same m_count |
| [under mount_lock, but not holding namespace_sem] |
| put_mountpoint() |
| unhash_mnt() |
| umount_mnt() |
| mntput_no_expire() |
| |
| To fix this race condition, grab mount_lock before updating m_count in |
| pivot_root(). |
| |
| Reference: CVE-2020-12114 |
| Cc: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: Piotr Krysiuk <piotras@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/namespace.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/namespace.c |
| +++ b/fs/namespace.c |
| @@ -2937,8 +2937,8 @@ SYSCALL_DEFINE2(pivot_root, const char _ |
| /* make certain new is below the root */ |
| if (!is_path_reachable(new_mnt, new.dentry, &root)) |
| goto out4; |
| - root_mp->m_count++; /* pin it so it won't go away */ |
| lock_mount_hash(); |
| + root_mp->m_count++; /* pin it so it won't go away */ |
| detach_mnt(new_mnt, &parent_path); |
| detach_mnt(root_mnt, &root_parent); |
| if (root_mnt->mnt.mnt_flags & MNT_LOCKED) { |
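Review bot: the increment of root_mp->m_count is now ordered after lock_mount_hash(), so the pin takes effect under mount_lock and matches the put_mountpoint() decrement path the message describes as running under mount_lock but not namespace_sem; with the pin inside the critical section, the MNT_LOCKED branch at the end of the hunk becomes an error path taken after the increment, so confirm that its out path (not visible here) still unlocks and drops the extra reference rather than leaving the mountpoint pinned. A one-line comment next to the increment stating that m_count must be updated under mount_lock would document the invariant this fix relies on, since the existing "pin it so it won't go away" comment does not mention the locking requirement.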