From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Barry K. Nathan" <barryn@pobox.com>
Cc: Tomasz Kramkowski <tomasz@kramkow.ski>,
	stable@vger.kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput`
Date: Mon, 6 Apr 2026 09:18:21 +0200
Message-ID: <2026040647-vindicate-unlearned-7ab8@gregkh>
In-Reply-To: <7ab3b184-8d9f-465d-b678-4def48cc2a9f@pobox.com>

On Sun, Apr 05, 2026 at 10:05:35AM -0700, Barry K. Nathan wrote:
> On 4/5/26 04:45, Tomasz Kramkowski wrote:
> > As discussed, a v2 which includes the revert from the previous version
> > [0] and a new attempt at backporting the upstream change which doesn't
> > cause the regression introduced in the first attempt [1].
> > 
> > In total, this fixes the missing `fdput` in the `fremovexattr`
> > `copy_from_user` error path that the backport was intended for.
> > 
> > I tested both the error case and the happy case in qemu.
> > 
> > [0]: https://lore.kernel.org/stable/20260404112219.389495-1-tomasz@kramkow.ski/
> > [1]: https://lore.kernel.org/stable/tencent_72B5370E2D4C4AC319ED4F0DCB479CA4B406@qq.com/
> > 
> > Al Viro (1):
> >    xattr: switch to CLASS(fd)
> > 
> > Tomasz Kramkowski (1):
> >    Revert "xattr: switch to CLASS(fd)"
> > 
> >   fs/xattr.c | 10 +++++++++-
> >   1 file changed, 9 insertions(+), 1 deletion(-)
> > 
> 
> I tested the following two (groups of) proof-of-concept exploits
> against 6.6.130, 6.6.132, and 6.6.132 + this patch series:
> 
> 
> 1. "CVE-2024-14027 - SlopSploit" proof-of-concept exploit for the bug
> fixed by the original mainline commit. This only works on i386 kernels,
> so I tested with i386 kernels on amd64 hardware.
> 
> https://github.com/lcfr-eth/CVE-2024-14027_slop
> 
> (I used exploit.c. For me, the exploit never reached its intended goal
> of allowing a normal user to read /etc/shadow, but as far as I can tell
> it still causes a parade of oopses on vulnerable i386 kernels but no
> oopses on invulnerable i386 kernels. So it's still a good test of whether
> this patch series works.)
> 
> 
> 2. Brad Spengler's proof-of-concept exploits for the 6.6.132 regression,
> posted on Twitter (I tested on i386 and amd64 kernels, on amd64 hardware):
> 
> https://x.com/spendergrsec/status/2040049852793450561
> 
> (Note that one of these has a missing parameter, but it's easy enough
> to fix.)
> 
> 
> Test results:
> 6.6.130: #1 causes oopses (but not #2)
> 6.6.132: #2 causes oopses (but not #1)
> 6.6.132 + this patch series: Neither #1 nor #2 cause oopses
> 
> So, at least in my testing, this patch series successfully fixes both
> the old and new bugs (both CVE-2024-14027 and the 6.6.132 regression).
> 
> Tested-by: Barry K. Nathan <barryn@pobox.com>
> 

Thanks for the testing, and thanks Tomasz for the revert and the
backport, I'll go do a release right now with these in it as this is
pretty big.

greg k-h
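The bug class under discussion, a file reference taken with fdget() that is not released with fdput() on the copy_from_user error return, is easy to see in a small user-space model. The following is an added example written for this page; it is not code from the thread, the patch series, or the kernel tree. The model_fdget/model_fdput/model_copy_from_user names and the MODEL_GUARD_FD macro are assumptions made for the illustration, standing in for the kernel's fdget()/fdput() and the CLASS(fd) scope guard that the upstream "xattr: switch to CLASS(fd)" change uses so that every exit path drops the reference:

```c
// Added example, not from the thread or the kernel: user-space model of a
// file reference leaked on an early error return, beside a scope-guard
// variant in the style of the kernel's CLASS(fd). All model_* names and
// MODEL_GUARD_FD are assumptions for this illustration.
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// A "file" whose reference count we can inspect after each call.
struct model_file {
    long refcount;
};

// Baseline: one reference held by the (modelled) fd table.
static struct model_file g_file = { .refcount = 1 };

// Take a reference (model of fdget()).
static struct model_file *model_fdget(void)
{
    g_file.refcount++;
    return &g_file;
}

// Drop a reference (model of fdput()). Takes a pointer-to-pointer so it can
// also serve as a cleanup handler; tolerates NULL.
static void model_fdput(struct model_file **fp)
{
    if (*fp)
        (*fp)->refcount--;
}

// Model of copy_from_user(): fails with -EFAULT (-14) when the "user"
// pointer is NULL, otherwise copies n bytes.
static int model_copy_from_user(char *dst, const char *src, size_t n)
{
    if (!src)
        return -14;
    memcpy(dst, src, n);
    return 0;
}

// LEAKY variant: the early return on copy failure skips the fdput(). This is
// the shape of the missing fdput in the fremovexattr copy_from_user error
// path that the backport in the thread is meant to fix.
static int removexattr_leaky(const char *user_name)
{
    char kname[64];
    struct model_file *f = model_fdget();

    if (model_copy_from_user(kname, user_name, 1) != 0)
        return -14;          /* f is never released on this path */

    model_fdput(&f);
    return 0;
}

// GUARDED variant: a scope guard (GCC/Clang cleanup attribute, standing in
// for the kernel's CLASS(fd)) drops the reference on every exit path.
#define MODEL_GUARD_FD __attribute__((cleanup(model_fdput)))

static int removexattr_guarded(const char *user_name)
{
    char kname[64];
    MODEL_GUARD_FD struct model_file *f = model_fdget();

    if (model_copy_from_user(kname, user_name, 1) != 0)
        return -14;          /* guard releases f here as well */

    return 0;
}

// Drive one variant through a given input and return the refcount delta:
// 0 means balanced, a positive value is a leaked reference. Returns -99 if
// the call did not produce the expected outcome (error for NULL, success
// otherwise).
long refcount_delta(int (*fn)(const char *), const char *user_name)
{
    long before = g_file.refcount;
    int rc = fn(user_name);
    if ((user_name == NULL) != (rc != 0))
        return -99;
    return g_file.refcount - before;
}

int main(void)
{
    printf("leaky   error path: %ld leaked ref(s)\n", refcount_delta(removexattr_leaky, NULL));
    printf("guarded error path: %ld leaked ref(s)\n", refcount_delta(removexattr_guarded, NULL));
    printf("guarded happy path: %ld leaked ref(s)\n", refcount_delta(removexattr_guarded, "x"));
    return 0;
}
```

In the real kernel a leaked struct file reference means the file is never released, which is why a refcount-balance check on the error path (here the delta after a forced copy failure) is the test that distinguishes the broken and fixed versions, independent of any exploit.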

Thread overview:
2026-04-05 11:45 [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput` Tomasz Kramkowski
2026-04-05 11:45 ` [PATCH 6.6.y v2 1/2] Revert "xattr: switch to CLASS(fd)" Tomasz Kramkowski
2026-04-05 11:45 ` [PATCH 6.6.y v2 2/2] xattr: switch to CLASS(fd) Tomasz Kramkowski
2026-04-05 17:05 ` [PATCH 6.6.y v2 0/2] Fix `fremovexattr` missing `fdput` Barry K. Nathan
2026-04-06  7:18   ` Greg Kroah-Hartman [this message]