From: Greg Kroah-Hartman Date: Wed, 1 Sep 2021 11:41:21 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.283~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5364c76eb084d51335f5cb5ff0d30b2932c66bd9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch --- diff --git a/queue-5.14/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch b/queue-5.14/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch new file mode 100644 index 00000000000..444b48c47ec --- /dev/null +++ b/queue-5.14/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch 
@@ -0,0 +1,57 @@ +From 67d69e9d1a6c889d98951c1d74b19332ce0565af Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Mon, 23 Aug 2021 22:04:09 -0400 +Subject: audit: move put_tree() to avoid trim_trees refcount underflow and UAF + +From: Richard Guy Briggs + +commit 67d69e9d1a6c889d98951c1d74b19332ce0565af upstream. + +AUDIT_TRIM is expected to be idempotent, but multiple executions resulted +in a refcount underflow and use-after-free. + +git bisect fingered commit fb041bb7c0a9 ("locking/refcount: Consolidate +implementations of refcount_t") but this patch with its more thorough +checking that wasn't in the x86 assembly code merely exposed a previously +existing tree refcount imbalance in the case of tree trimming code that +was refactored with prune_one() to remove a tree introduced in +commit 8432c7006297 ("audit: Simplify locking around untag_chunk()") + +Move the put_tree() to cover only the prune_one() case. + +Passes audit-testsuite and 3 passes of "auditctl -t" with at least one +directory watch. + +Cc: Jan Kara +Cc: Will Deacon +Cc: Alexander Viro +Cc: Seiji Nishikawa +Cc: stable@vger.kernel.org +Fixes: 8432c7006297 ("audit: Simplify locking around untag_chunk()") +Signed-off-by: Richard Guy Briggs +Reviewed-by: Jan Kara +[PM: reformatted/cleaned-up the commit description] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit_tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -593,7 +593,6 @@ static void prune_tree_chunks(struct aud + spin_lock(&hash_lock); + } + spin_unlock(&hash_lock); +- put_tree(victim); + } + + /* +@@ -602,6 +601,7 @@ static void prune_tree_chunks(struct aud + static void prune_one(struct audit_tree *victim) + { + prune_tree_chunks(victim, false); ++ put_tree(victim); + } + + /* trim the uncommitted chunks from tree */ diff --git a/queue-5.14/series b/queue-5.14/series index 336aefee507..a5dcb594c3f 100644 --- a/queue-5.14/series 
+++ b/queue-5.14/series @@ -8,3 +8,4 @@ ext4-report-correct-st_size-for-encrypted-symlinks.patch f2fs-report-correct-st_size-for-encrypted-symlinks.patch ubifs-report-correct-st_size-for-encrypted-symlinks.patch net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch +audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch
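Review bot: removing put_tree(victim) from the tail of prune_tree_chunks() changes the reference-drop contract for every caller of that function, not only prune_one(); the hunk shows prune_tree_chunks() takes a second boolean argument (prune_one() passes false), so any caller passing the other value now keeps its reference instead of dropping it, which is the trim_trees imbalance the description traces back to 8432c7006297. Nothing in the diff records this new contract; a one-line comment above prune_tree_chunks() ("the caller keeps its reference to the tree; prune_one() drops it") would make it explicit for the next person touching the trim path.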
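Review bot: put_tree(victim) in prune_one() now runs after prune_tree_chunks() returns, i.e. after the spin_unlock(&hash_lock) shown at the end of the previous hunk, so the reference drop (and any resulting free) still happens outside hash_lock exactly as it did before the move; no lock-ordering change is introduced by this hunk, and the change matches the "Move the put_tree() to cover only the prune_one() case" line of the description.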
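Review bot: the series entry is appended as the last line, after net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch, and its filename matches the queue file added above; none of the preceding entries visible in the hunk touch kernel/audit_tree.c or the audit subsystem by name, so the ordering cannot produce an apply conflict for this one-file patch.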