On Thu, Apr 07, 2022 at 12:40:51PM +0200, achtol wrote:
> Hello,
> It seems the fix commits for a couple of CVEs have not been cherry-picked in the current linux-5.4.y branch (v5.4.188, currently):
>
> CVE-2020-16120:
> https://nvd.nist.gov/vuln/detail/CVE-2020-16120 references the following mainline commits:
>
> d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops" (break commit)
> 56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions in ovl_path_open()"
> 48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter creds in readdir"
> 05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to open real file"
> b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because of O_NOATIME"
>
> The CVE description says the last commit in the list above fixes a regression introduced by these two commits:
>
> 130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags for opening real directory"
> 292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook in ovl_real_ioctl()"
>
> CVE-2021-3428:
> According to https://bugzilla.suse.com/show_bug.cgi?id=1173485, the mainline fix commits are:
>
> d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on remount"
> bf9a379d0980 "ext4: don't allow overlapping system zones"
> ce9f24cccdc0 "ext4: check journal inode extents more carefully"
>
> Of these, only the first two have been cherry-picked.
>
> Half of these commits may be cherry-picked without a conflict.
Which half?
> I wonder why they have not been applied and cannot find any discussion about them on this mailing list. Is it an oversight? Or because the v5.4 line is not affected? Some other reason?
If you can provide a working set of patches backported, I will be glad to review them and apply them if needed.
thanks,
greg k-h
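The question in this thread (which upstream fixes are actually present in a stable branch) cannot be answered by comparing SHA-1s, because a cherry-pick gets a new hash. Stable commits instead carry the upstream subject line and, by convention, a `commit <sha> upstream.` or `[ Upstream commit <sha> ]` line in the body. The following script is an added example, not part of the mail or of the kernel tree's own tooling: it parses `git log` output in a fixed format and reports which of the listed fixes are missing. The stable hashes and commit bodies in `SAMPLE_LOG` are constructed for the demonstration; the upstream hashes and subjects are the ones quoted in the mail.

```python
"""Report which upstream fix commits are (not yet) present in a stable branch.

Produce the input with (range and branch are the reader's choice):
    git log --format='%H%n%s%n%b%n==END==' v5.4..linux-5.4.y > stable.log
Matching is done on the upstream reference in the commit body first, then
on an exact subject match, since hashes change across cherry-picks.
"""
import re
from typing import Dict, List, Optional, Tuple

# Upstream fix commits named in the mail: (hash as given, subject line).
WANTED: List[Tuple[str, str]] = [
    ("56230d956739b9cb1cbde439d76227d77979a04d", "ovl: verify permissions in ovl_path_open()"),
    ("48bd024b8a40d73ad6b086de2615738da0c7004f", "ovl: switch to mounter creds in readdir"),
    ("05acefb4872dae89e772729efb194af754c877e8", "ovl: check permission to open real file"),
    ("b6650dab404c701d7fe08a108b746542a934da84", "ovl: do not fail because of O_NOATIME"),
    ("d176b1f62f24", "ext4: handle error of ext4_setup_system_zone() on remount"),
    ("bf9a379d0980", "ext4: don't allow overlapping system zones"),
    ("ce9f24cccdc0", "ext4: check journal inode extents more carefully"),
]

# The two body forms used by stable backports to name their upstream source.
UPSTREAM_REFS = (
    re.compile(r"^\s*commit\s+([0-9a-f]{12,40})\s+upstream\.?\s*$", re.I | re.M),
    re.compile(r"\[\s*Upstream commit\s+([0-9a-f]{12,40})\s*\]", re.I),
)
RECORD_END = "==END=="

# Constructed sample log (hashes 111..., 222..., 333... are placeholders, not
# real stable commits). The first backport carries an upstream tag, the second
# only matches by subject, the third is an unrelated release commit.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111
ext4: handle error of ext4_setup_system_zone() on remount
commit d176b1f62f24 upstream.

Signed-off-by: Constructed Backporter
==END==
2222222222222222222222222222222222222222
ext4: don't allow overlapping system zones
Backport without an upstream tag (constructed body).
==END==
3333333333333333333333333333333333333333
Linux 5.4.188
==END==
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the fixed-format log into {hash, subject, body} records."""
    records = []
    for chunk in text.split(RECORD_END):
        lines = chunk.strip("\n").split("\n")
        if len(lines) < 2 or not lines[0].strip():
            continue  # trailing empty chunk after the last separator
        records.append({
            "hash": lines[0].strip(),
            "subject": lines[1].strip(),
            "body": "\n".join(lines[2:]),
        })
    return records


def upstream_refs(body: str) -> set:
    """Collect every upstream hash mentioned in a commit body."""
    refs = set()
    for rx in UPSTREAM_REFS:
        refs.update(h.lower() for h in rx.findall(body))
    return refs


def same_commit(a: str, b: str) -> bool:
    """Prefix comparison, so abbreviated and full hashes match each other."""
    a, b = a.lower(), b.lower()
    return a.startswith(b) or b.startswith(a)


def find_backports(wanted: List[Tuple[str, str]],
                   records: List[Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Map each wanted upstream hash to the stable hash carrying it, or None."""
    result: Dict[str, Optional[str]] = {}
    for up_hash, subject in wanted:
        hit = None
        for rec in records:
            by_ref = any(same_commit(up_hash, r) for r in upstream_refs(rec["body"]))
            if by_ref or rec["subject"] == subject:
                hit = rec["hash"]
                break
        result[up_hash] = hit
    return result


def missing(wanted: List[Tuple[str, str]],
            records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hash, subject) pairs that have no backport in the log."""
    found = find_backports(wanted, records)
    return [(h, s) for h, s in wanted if found[h] is None]


if __name__ == "__main__":
    for h, s in missing(WANTED, parse_log(SAMPLE_LOG)):
        print(f"missing: {h[:12]} {s}")
```

Matching by subject alone is a fallback: it can give a false positive when a stable branch carries a different commit with an identical subject, so a hit without an upstream tag is worth confirming by diff before treating the CVE as addressed.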