4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Jan 2021 14:56:43 +0000 (15:56 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Jan 2021 14:56:43 +0000 (15:56 +0100)
added patches:
nbd-freeze-the-queue-while-we-re-adding-connections.patch

queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch [new file with mode: 0644]

diff --git a/queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch b/queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch
new file mode 100644 (file)
index 0000000..f3ea13c
--- /dev/null
@@ -0,0 +1,60 @@
+From b98e762e3d71e893b221f871825dc64694cfb258 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 25 Jan 2021 12:21:02 -0500
+Subject: nbd: freeze the queue while we're adding connections
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit b98e762e3d71e893b221f871825dc64694cfb258 upstream.
+
+When setting up a device, we can krealloc the config->socks array to add
+new sockets to the configuration.  However if we happen to get a IO
+request in at this point even though we aren't setup we could hit a UAF,
+as we deref config->socks without any locking, assuming that the
+configuration was setup already and that ->socks is safe to access it as
+we have a reference on the configuration.
+
+But there's nothing really preventing IO from occurring at this point of
+the device setup, we don't want to incur the overhead of a lock to
+access ->socks when it will never change while the device is running.
+To fix this UAF scenario simply freeze the queue if we are adding
+sockets.  This will protect us from this particular case without adding
+any additional overhead for the normal running case.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -966,6 +966,12 @@ static int nbd_add_socket(struct nbd_dev
+       if (!sock)
+               return err;
++      /*
++       * We need to make sure we don't get any errant requests while we're
++       * reallocating the ->socks array.
++       */
++      blk_mq_freeze_queue(nbd->disk->queue);
++
+       if (!netlink && !nbd->task_setup &&
+           !test_bit(NBD_BOUND, &config->runtime_flags))
+               nbd->task_setup = current;
+@@ -1004,10 +1010,12 @@ static int nbd_add_socket(struct nbd_dev
+       nsock->cookie = 0;
+       socks[config->num_connections++] = nsock;
+       atomic_inc(&config->live_connections);
++      blk_mq_unfreeze_queue(nbd->disk->queue);
+       return 0;
+ put_socket:
++      blk_mq_unfreeze_queue(nbd->disk->queue);
+       sockfd_put(sock);
+       return err;
+ }