* CVE-2020-16120 and CVE-2021-3428
@ 2022-04-07 10:40 achtol
2022-04-07 11:21 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: achtol @ 2022-04-07 10:40 UTC (permalink / raw)
To: stable
Hello,

It seems the fix commits for a couple of CVEs have not been cherry
picked in the current linux-5.4.y branch (v5.4.188, currently):

---

CVE-2020-16120:

<https://nvd.nist.gov/vuln/detail/CVE-2020-16120> references the
following mainline commits:

d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops"
(break commit)
56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions
in ovl_path_open()"
48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter
creds in readdir"
05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to
open real file"
b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because
of O_NOATIME"

The CVE description says the last commit in the list above fixes a
regression introduced by these two commits:

130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags
for opening real directory"
292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook
in ovl_real_ioctl()"

---

CVE-2021-3428:

According to <https://bugzilla.suse.com/show_bug.cgi?id=1173485>, the
mainline fix commits are:

d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on
remount"
bf9a379d0980 "ext4: don't allow overlapping system zones"
ce9f24cccdc0 "ext4: check journal inode extents more carefully"

Of these, only the first two have been cherry-picked.

---

Half of these commits may be cherry-picked without a conflict. I wonder
why they have not been applied and cannot find any discussion about them
on this mailing list. Is it an oversight? Or because the v5.4 line is
not affected? Some other reason?

Regards,
achtol
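Added example, not part of the original thread: one way to check which mainline fixes a stable branch already carries is to scan its `git log` output for the upstream-commit markers that stable backports cite in their message body. The sample log below is constructed (stable commit ids, author, and the zero padding that extends the page's 12-character hashes to 40 characters are all made up); `audit` and `upstream_refs` are hypothetical helper names.

```python
import re

# Stable backports cite the mainline commit in the message body, either as
# "commit <sha> upstream." or as "[ Upstream commit <sha> ]".
MARKER = re.compile(
    r"\s+(?:commit ([0-9a-f]{40}) upstream\.?"
    r"|\[ Upstream commit ([0-9a-f]{40}) \])\s*"
)
HEADER = re.compile(r"commit ([0-9a-f]{40})")  # column 0 in `git log` output


def upstream_refs(log_text):
    """Map each cited mainline SHA to the stable commit that cites it."""
    refs, stable = {}, None
    for line in log_text.splitlines():
        head = HEADER.fullmatch(line)
        if head:
            stable = head.group(1)
            continue
        cited = MARKER.fullmatch(line)  # body lines are indented by git log
        if cited and stable:
            refs.setdefault(cited.group(1) or cited.group(2), stable)
    return refs


def audit(wanted, log_text):
    """Classify each (possibly abbreviated) mainline SHA against the log."""
    refs = upstream_refs(log_text)
    report = {}
    for sha in wanted:
        hits = [up for up in refs if up.startswith(sha.lower())]
        if len(hits) > 1:
            report[sha] = "ambiguous"  # abbreviation matches several commits
        else:
            report[sha] = "backported" if hits else "missing"
    return report


PAD = "0" * 28  # constructed padding, not the real hash tails
SAMPLE_LOG = f"""\
commit {'a' * 40}
Author: Example Backporter <backporter@example.invalid>

    ext4: handle error of ext4_setup_system_zone() on remount

    commit d176b1f62f24{PAD} upstream.

commit {'b' * 40}
Author: Example Backporter <backporter@example.invalid>

    ext4: don't allow overlapping system zones

    [ Upstream commit bf9a379d0980{PAD} ]
"""
EXT4_FIXES = ["d176b1f62f24", "bf9a379d0980", "ce9f24cccdc0"]
```

A "missing" result only means no commit in the scanned log cites that hash; whether the branch is actually affected, and whether the fix applies cleanly, still has to be checked against the code.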
* Re: CVE-2020-16120 and CVE-2021-3428
2022-04-07 10:40 CVE-2020-16120 and CVE-2021-3428 achtol
@ 2022-04-07 11:21 ` Greg KH
2022-04-14 10:54 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2022-04-07 11:21 UTC (permalink / raw)
To: achtol; +Cc: stable
On Thu, Apr 07, 2022 at 12:40:51PM +0200, achtol wrote:
> Hello,
>
> It seems the fix commits for a couple of CVEs have not been cherry picked in
> the current linux-5.4.y branch (v5.4.188, currently):
>
> ---
>
> CVE-2020-16120:
>
> <https://nvd.nist.gov/vuln/detail/CVE-2020-16120> references the following
> mainline commits:
>
> d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops" (break
> commit)
> 56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions in
> ovl_path_open()"
> 48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter creds
> in readdir"
> 05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to open
> real file"
> b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because of
> O_NOATIME"
>
> The CVE description says the last commit in the list above fixes a
> regression introduced by these two commits:
>
> 130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags for
> opening real directory"
> 292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook in
> ovl_real_ioctl()"
>
> ---
>
> CVE-2021-3428:
>
> According to <https://bugzilla.suse.com/show_bug.cgi?id=1173485>, the
> mainline fix commits are:
>
> d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on remount"
> bf9a379d0980 "ext4: don't allow overlapping system zones"
> ce9f24cccdc0 "ext4: check journal inode extents more carefully"
>
> Of these, only the first two have been cherry-picked.
>
> ---
>
> Half of these commits may be cherry-picked without a conflict.

Which half?

> I wonder why
> they have not been applied and cannot find any discussion about them on this
> mailing list. Is it an oversight? Or because the v5.4 line is not affected?
> Some other reason?

If you can provide a working set of patches backported, I will be glad
to review them and apply them if needed.

thanks,

greg k-h
* Re: CVE-2020-16120 and CVE-2021-3428
2022-04-07 11:21 ` Greg KH
@ 2022-04-14 10:54 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2022-04-14 10:54 UTC (permalink / raw)
To: achtol; +Cc: stable
On Thu, Apr 07, 2022 at 01:21:02PM +0200, Greg KH wrote:
> On Thu, Apr 07, 2022 at 12:40:51PM +0200, achtol wrote:
> > Hello,
> >
> > It seems the fix commits for a couple of CVEs have not been cherry picked in
> > the current linux-5.4.y branch (v5.4.188, currently):
> >
> > ---
> >
> > CVE-2020-16120:
> >
> > <https://nvd.nist.gov/vuln/detail/CVE-2020-16120> references the following
> > mainline commits:
> >
> > d1d04ef8572bc8c22265057bd3d5a79f223f8f52 "ovl: stack file ops" (break
> > commit)
> > 56230d956739b9cb1cbde439d76227d77979a04d "ovl: verify permissions in
> > ovl_path_open()"
> > 48bd024b8a40d73ad6b086de2615738da0c7004f "ovl: switch to mounter creds
> > in readdir"
> > 05acefb4872dae89e772729efb194af754c877e8 "ovl: check permission to open
> > real file"
> > b6650dab404c701d7fe08a108b746542a934da84 "ovl: do not fail because of
> > O_NOATIME"
> >
> > The CVE description says the last commit in the list above fixes a
> > regression introduced by these two commits:
> >
> > 130fdbc3d1f9966dd4230709c30f3768bccd3065 "ovl: pass correct flags for
> > opening real directory"
> > 292f902a40c11f043a5ca1305a114da0e523eaa3 "ovl: call secutiry hook in
> > ovl_real_ioctl()"
> >
> > ---
> >
> > CVE-2021-3428:
> >
> > According to <https://bugzilla.suse.com/show_bug.cgi?id=1173485>, the
> > mainline fix commits are:
> >
> > d176b1f62f24 "ext4: handle error of ext4_setup_system_zone() on remount"
> > bf9a379d0980 "ext4: don't allow overlapping system zones"
> > ce9f24cccdc0 "ext4: check journal inode extents more carefully"
> >
> > Of these, only the first two have been cherry-picked.
> >
> > ---
> >
> > Half of these commits may be cherry-picked without a conflict.
>
> Which half?
>
> > I wonder why
> > they have not been applied and cannot find any discussion about them on this
> > mailing list. Is it an oversight? Or because the v5.4 line is not affected?
> > Some other reason?
>
> If you can provide a working set of patches backported, I will be glad
> to review them and apply them if needed.

Given the lack of response here, I am guessing these really are not
needed for 5.4 and older so will drop this from my queue.

If that is not the case, please send a working set of backports.

thanks,

greg k-h