shiftfs: use after free when checking mount options

Bug #1824735 reported by Christian Brauner on 2019-04-14
Affects: linux (Ubuntu)
Assigned to: Christian Brauner

Bug Description

SRU Justification

Impact: We currently keep a reference to the shiftfs mark mount's shiftfs_super_info, which is stashed in the superblock of the mark mount. The problem is that we only take a reference to the mount of the underlay, i.e. the filesystem that is *under* the shiftfs mark mount, not to the mark mount itself. This means that when someone performs a shiftfs mark mount, then a shiftfs overlay mount, and then immediately unmounts the shiftfs mark mount, we access freed memory, since shiftfs_put_super might already have been called and freed that shiftfs_super_info.

Fix: Copy up the passthrough mount settings of the mark mount point to the shiftfs overlay.
An alternative solution would be to start reference counting, but that is overkill. We only care about the passthrough mount option of the mark mount, and we only need it to verify that on remount the new passthrough options of the shiftfs overlay are a subset of the mark mount's passthrough options. In other scenarios we don't care. So copying up is good enough, and it also only needs to happen once on mount, i.e. when a new superblock is created and the .fill_super method is called.

Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below).

Test Case: Built Ubuntu Disco Kernel with patch applied from source,
installed it, ran LXD and verified that passthrough mount option now
works correctly.
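
The fix described above, as an added user-space model (not the shiftfs kernel code): the overlay's fill_super copies the mark mount's passthrough options instead of keeping a pointer into the mark's superblock info, so the remount subset check never touches memory that shiftfs_put_super may have freed. The struct layout, function names and option bit values are simplified stand-ins for the kernel's.

```c
#include <stdlib.h>
#include <errno.h>

/* Simplified shiftfs_super_info. Before the fix the overlay kept a pointer to the mark
 * mount's info, freed by shiftfs_put_super on mark umount; the fix copies the value up. */
struct shiftfs_super_info {
	unsigned int passthrough;      /* options of this mount (a bitmask) */
	unsigned int passthrough_mark; /* copied from the mark mount in fill_super */
};

/* Overlay fill_super: check opts against the mark and copy the value; no pointer to
 * mark_info survives the call. Returns NULL on error. */
struct shiftfs_super_info *
overlay_fill_super(const struct shiftfs_super_info *mark_info, unsigned int opts)
{
	struct shiftfs_super_info *sbinfo;
	if (opts & ~mark_info->passthrough) /* only what the mark allows */
		return NULL;
	if (!(sbinfo = calloc(1, sizeof(*sbinfo))))
		return NULL;
	sbinfo->passthrough = opts;
	sbinfo->passthrough_mark = mark_info->passthrough;
	return sbinfo;
}

/* Remount: new options must be a subset of the copied-up mark options. 0 or -EINVAL. */
int overlay_remount(struct shiftfs_super_info *sbinfo, unsigned int new_opts)
{
	if (new_opts & ~sbinfo->passthrough_mark)
		return -EINVAL;
	sbinfo->passthrough = new_opts;
	return 0;
}

/* Report's sequence (constructed option bits): mark mount, overlay mount, mark umount, remount. */
int mark_umount_then_remount(void)
{
	struct shiftfs_super_info *mark = calloc(1, sizeof(*mark)), *ovl;
	int rc;
	if (!mark)
		return -ENOMEM;
	mark->passthrough = 0x3;             /* mark allows bits 0 and 1 */
	ovl = overlay_fill_super(mark, 0x1); /* overlay asks for bit 0 */
	free(mark); /* mark unmounted: its shiftfs_super_info is freed */
	if (!ovl)
		return -EINVAL;
	rc = overlay_remount(ovl, 0x2) != 0 ? 1 :          /* subset: ok */
	     overlay_remount(ovl, 0x4) != -EINVAL ? 2 : 0; /* not in mark */
	free(ovl);
	return rc;
}
```

mark_umount_then_remount() returns 0 when the remount after the mark umount is judged purely from the copied-up value, which is the property the patch restores.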

Changed in linux (Ubuntu):
assignee: nobody → Christian Brauner (cbrauner)
status: New → In Progress
description: updated
description: updated
description: updated
description: updated
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 5.0.0-13.14

linux (5.0.0-13.14) disco; urgency=medium

  * linux: 5.0.0-13.14 -proposed tracker (LP: #1824819)

  * Display only has 640x480 (LP: #1824677)
    - Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default"

  * shiftfs: use after free when checking mount options (LP: #1824735)
    - SAUCE: shiftfs: prevent use-after-free when verifying mount options

linux (5.0.0-12.13) disco; urgency=medium

  * linux: 5.0.0-12.13 -proposed tracker (LP: #1824726)

  * Linux 5.0 black screen on boot, display flickers (i915 regression with
    certain laptop panels) (LP: #1824216)
    - drm/i915/dp: revert back to max link rate and lane count on eDP

  * kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717)
    - SAUCE: shiftfs: fix passing of attrs to underlay for setattr

 -- Seth Forshee <email address hidden> Mon, 15 Apr 2019 09:11:23 -0500

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released