]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
projects / mirror_ubuntu-focal-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9379b04) | patch
UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
authorSeth Forshee <seth.forshee@canonical.com>
Wed, 6 Nov 2019 15:38:57 +0000 (09:38 -0600)
committerAndrea Righi <andrea.righi@canonical.com>
Mon, 25 Nov 2019 13:57:01 +0000 (14:57 +0100)
commit616d0ac0c4d93551b30828c30c52573caf7e446c
tree18cabb86c04ef006fed39356c7ae1739a2b4a825tree
parent9379b044660d8ff153ff42f873fd97a39e45de16commit | diff
UBUNTU: SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails

BugLink: https://bugs.launchpad.net/bugs/1850994
shiftfs_mmap() overwrites vma->vm_file before calling the lower
filesystem mmap but does not restore the original value on
failure. This means it is giving a pointer to the lower fs file
back to the caller with no reference, which is a bad practice.
However, it does not lead to any issues with upstream kernels as
no caller accesses vma->vm_file after call_mmap().

With the aufs patches applied the story is different. Whereas
mmap_region() previously fput a local variable containing the
file it assigned to vm_file, it now calls vma_fput() which will
fput vm_file, for which it has no reference, and the reference
for the original vm_file is not put.

Fix this by restoring vma->vm_file to the original value when the
mmap call into the lower fs fails.

CVE-2019-15794

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
fs/shiftfs.c diff | blob | blame | history
Ubuntu Focal Linux kernel mirror