author | Salvatore Bonaccorso <carnil@debian.org> | 2021-09-19 10:19:14 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-09-19 10:19:45 +0200 |
commit | 435018782fd34106fa127379e2fdcdb83b979a2d (patch) | |
tree | 452ae9df0aa75ca32e73834cca53ebd4a4912337 | |
parent | 9c43ce5719e850093ecf001d21554f4cb9318486 (diff) | |
io_uring: ensure symmetry in handling iter types in loop_rw_iter() (CVE-2021-41073)
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/bugfix/all/io_uring-ensure-symmetry-in-handling-iter-types-in-l.patch | 46 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 54 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 484879c1dca7..86983c96ad28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (5.14.6-2) UNRELEASED; urgency=medium
+
+ * io_uring: ensure symmetry in handling iter types in loop_rw_iter()
+ (CVE-2021-41073)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 19 Sep 2021 10:19:35 +0200
+
 linux (5.14.6-1) unstable; urgency=medium
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/io_uring-ensure-symmetry-in-handling-iter-types-in-l.patch b/debian/patches/bugfix/all/io_uring-ensure-symmetry-in-handling-iter-types-in-l.patch
new file mode 100644
index 000000000000..82ec0020167f
--- /dev/null
+++ b/debian/patches/bugfix/all/io_uring-ensure-symmetry-in-handling-iter-types-in-l.patch
@@ -0,0 +1,46 @@
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sun, 12 Sep 2021 06:45:07 -0600
+Subject: io_uring: ensure symmetry in handling iter types in loop_rw_iter()
+Origin: https://git.kernel.org/linus/16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-41073
+
+When setting up the next segment, we check what type the iter is and
+handle it accordingly. However, when incrementing and processed amount
+we do not, and both iter advance and addr/len are adjusted, regardless
+of type. Split the increment side just like we do on the setup side.
+
+Fixes: 4017eb91a9e7 ("io_uring: make loop_rw_iter() use original user supplied pointers")
+Cc: stable@vger.kernel.org
+Reported-by: Valentina Palmiotti <vpalmiotti@gmail.com>
+Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ fs/io_uring.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 16fb7436043c..66a7414c3756 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -3263,12 +3263,15 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
+ ret = nr;
+ break;
+ }
++ if (!iov_iter_is_bvec(iter)) {
++ iov_iter_advance(iter, nr);
++ } else {
++ req->rw.len -= nr;
++ req->rw.addr += nr;
++ }
+ ret += nr;
+ if (nr != iovec.iov_len)
+ break;
+- req->rw.len -= nr;
+- req->rw.addr += nr;
+- iov_iter_advance(iter, nr);
+ }
+
+ return ret;
+--
+2.33.0
+
diff --git a/debian/patches/series b/debian/patches/series
index c12b08480f2d..d257091d58a6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
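Review bot: The new `if (!iov_iter_is_bvec(iter))` / `else` split in loop_rw_iter() has no comment stating the invariant it enforces, which, going by the commit message, is that the increment side must adjust only the cursor the setup side reads for that iter type. Since this is the CVE-2021-41073 fix, I would add a comment above the branch such as `/* advance only what the setup side consumes: the iter itself, or req->rw.addr/len for a bvec iter */` so a later cleanup does not merge the two updates again. The bookkeeping also now runs before the `nr != iovec.iov_len` break, so a short transfer leaves the iter or addr/len advanced where the old code left them untouched; that looks intended, but the commit message does not mention it. The setup side of the loop lies outside the embedded hunk, so the pairing between the two sides could not be checked here.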
@@ -112,6 +112,7 @@ features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signatu debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch bugfix/all/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch +bugfix/all/io_uring-ensure-symmetry-in-handling-iter-types-in-l.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |