[Kernel-packages] [Bug 1824735] Re: shiftfs: use after free when checking mount options
This bug was fixed in the package linux - 5.0.0-13.14 --- linux (5.0.0-13.14) disco; urgency=medium * linux: 5.0.0-13.14 -proposed tracker (LP: #1824819) * Display only has 640x480 (LP: #1824677) - Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default" * shiftfs: use after free when checking mount options (LP: #1824735) - SAUCE: shiftfs: prevent use-after-free when verifying mount options linux (5.0.0-12.13) disco; urgency=medium * linux: 5.0.0-12.13 -proposed tracker (LP: #1824726) * Linux 5.0 black screen on boot, display flickers (i915 regression with certain laptop panels) (LP: #1824216) - drm/i915/dp: revert back to max link rate and lane count on eDP * kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717) - SAUCE: shiftfs: fix passing of attrs to underaly for setattr -- Seth Forshee Mon, 15 Apr 2019 09:11:23 -0500 ** Changed in: linux (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824735 Title: shiftfs: use after free when checking mount options Status in linux package in Ubuntu: Fix Released Bug description: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). Test Case: Built Ubuntu Disco Kernel with patch applied from source, installed it, ran LXD and verified that passthrough mount option now works correctly. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1824735] Re: shiftfs: use after free when checking mount options
** Changed in: linux (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824735 Title: shiftfs: use after free when checking mount options Status in linux package in Ubuntu: Fix Committed Bug description: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). Test Case: Built Ubuntu Disco Kernel with patch applied from source, installed it, ran LXD and verified that passthrough mount option now works correctly. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1824735] Re: shiftfs: use after free when checking mount options
** Description changed: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). + + Test Case: Built Ubuntu Disco Kernel with patch applied from source, + installed it, ran LXD and verified that passthrough mount option now + works correctly. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824735 Title: shiftfs: use after free when checking mount options Status in linux package in Ubuntu: In Progress Bug description: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). Test Case: Built Ubuntu Disco Kernel with patch applied from source, installed it, ran LXD and verified that passthrough mount option now works correctly. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1824735] Re: shiftfs: use after free when checking mount options
** Description changed: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). - - Test Case: Tested in the lxd CI environment where the bug was originally - discovered. No regressions were seen, and the BUG statement was not hit. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824735 Title: shiftfs: use after free when checking mount options Status in linux package in Ubuntu: In Progress Bug description: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1824735] Re: shiftfs: use after free when checking mount options
** Description changed: SRU Justification - Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. - One solution would be to start reference counting which is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. + An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. + + Regression Potential: Limited to shiftfs, matches the behavior of other + stacked filesystems, and has been tested (see below). + + Test Case: Tested in the lxd CI environment where the bug was originally + discovered. No regressions were seen, and the BUG statement was not hit. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824735 Title: shiftfs: use after free when checking mount options Status in linux package in Ubuntu: In Progress Bug description: SRU Justification Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info which was stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount. This means when someone performs a shiftfs mark mount, then a shiftfs overlay mount and then immediately unmounts the shiftfs mark mount we muck with invalid memory since shiftfs_put_super might have already been called freeing that memory. Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay. An alternative solution would be to start reference counting. But this is overkill. We only care about the passthrough mount option of the mark mount. And we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough and also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called. Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below). Test Case: Tested in the lxd CI environment where the bug was originally discovered. No regressions were seen, and the BUG statement was not hit. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824735/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
