loop: CVE-2018-5344

loop: fix concurrent lo_open/lo_release

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-5344
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d5e06a1867210049bbfe27864ee0a40cfd9b1e9b

Change-Id: Ic46cc23eaa20fafd3ff2b0275b989cb46f716774
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

1 files changed, 63 insertions, 0 deletions

diff --git a/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 0000000..4e9bd40
--- /dev/null
+++ b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,63 @@
+From d5e06a1867210049bbfe27864ee0a40cfd9b1e9b Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: [PATCH] loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+CVE: CVE-2018-5344
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d5e06a1867210049bbfe27864ee0a40cfd9b1e9b]
+
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 85de67334695..a2a0dce5114e 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1576,9 +1576,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+        return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+-       struct loop_device *lo = disk->private_data;
+        int err;
+ 
+        if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1605,6 +1604,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+        mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++       mutex_lock(&loop_index_mutex);
++       __lo_release(disk->private_data);
++       mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+        .owner =        THIS_MODULE,
+        .open =         lo_open,
+-- 
+2.20.1
+