missing backport markings on security fix [was: [PATCH] io_uring: set table->files[i] to NULL when io_sqe_file_register failed]
On Wed, Sep 2, 2020 at 4:49 PM Jens Axboe axboe@kernel.dk wrote:
On 9/2/20 3:59 AM, Jiufei Xue wrote:
While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems.
Applied, thanks.
Shouldn't this have a CC stable tag and a fixes tag on it? AFAICS this is a fix for a UAF that exists since f3bd9dae3708a0ff6b067e766073ffeb853301f9 ("io_uring: fix memleak in __io_sqe_files_update()"), and that commit was marked for stable backporting back to when c3a31e605620 landed, and that commit was introduced in Linux 5.5.
You can see at https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/io_uring.c?h=linux-5.8.y#n6933 that this security vulnerability currently exists in the stable 5.8 branch.
On 9/2/20 9:07 AM, Jann Horn wrote:
On Wed, Sep 2, 2020 at 4:49 PM Jens Axboe axboe@kernel.dk wrote:
On 9/2/20 3:59 AM, Jiufei Xue wrote:
While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems.
Applied, thanks.
Shouldn't this have a CC stable tag and a fixes tag on it? AFAICS this is a fix for a UAF that exists since f3bd9dae3708a0ff6b067e766073ffeb853301f9 ("io_uring: fix memleak in __io_sqe_files_update()"), and that commit was marked for stable backporting back to when c3a31e605620 landed, and that commit was introduced in Linux 5.5.
You can see at https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/io_uring.c?h=linux-5.8.y#n6933 that this security vulnerability currently exists in the stable 5.8 branch.
I'll mark it for stable, it should have been just like the previous one is.
linux-stable-mirror@lists.linaro.org
-
Jann Horn -
Jens Axboe