[Devel] [PATCH RHEL8 COMMIT] ms: fs/namespace.c: fix mountpoint reference counter race

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jul 24 20:39:46 MSK 2020 

The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.5
------>
commit c1678f2c1b6b2c7b0db25f71de6da3dc927698d0
Author: Vasily Averin <vvs at virtuozzo.com>
Date:   Fri Jul 3 06:53:47 2020 +0300

    ms: fs/namespace.c: fix mountpoint reference counter race
    
    A race condition between threads updating mountpoint reference counter
    affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118.
    
    The mountpoint reference counter corruption may occur when:
    * one thread increments m_count member of struct mountpoint
      [under namespace_sem, but not holding mount_lock]
        pivot_root()
    * another thread simultaneously decrements the same m_count
      [under mount_lock, but not holding namespace_sem]
        put_mountpoint()
          unhash_mnt()
            umount_mnt()
              mntput_no_expire()
    
    To fix this race condition, grab mount_lock before updating m_count in
    pivot_root().
    
    Reference: CVE-2020-12114
    Cc: Al Viro <viro at zeniv.linux.org.uk>
    Signed-off-by: Piotr Krysiuk <piotras at gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
    
    stable 4.4 commit 83354adbd7a9 ("fs/namespace.c: fix mountpoint
    reference counter race") fixes CVE-2020-12114: DoS by corrupting
    mountpoint reference counter
    https://jira.sw.ru/browse/PSBM-104964
    Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 4f73e4987a53..1018ae0efa06 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3191,8 +3191,8 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 	/* make certain new is below the root */
 	if (!is_path_reachable(new_mnt, new.dentry, &root))
 		goto out4;
-	root_mp->m_count++; /* pin it so it won't go away */
 	lock_mount_hash();
+	root_mp->m_count++; /* pin it so it won't go away */
 	detach_mnt(new_mnt, &parent_path);
 	detach_mnt(root_mnt, &root_parent);
 	if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {

More information about the Devel mailing list