diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:40:19 +0100 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 13:40:19 +0100 |
commit | b6643e162871f2c81cc342f510ac9bd35e7744bd (patch) | |
tree | 92b443e03b847a708ea46c0d2db7aacfb71e2025 | |
parent | 838e3893300a078ef12aa1d8d8c2336df259d2e0 (diff) | |
download | enea-kernel-cache-b6643e162871f2c81cc342f510ac9bd35e7744bd.tar.gz |
userfaultfd: CVE-2018-18397
userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-18397
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=82c5a8c0debac552750a00b4fc7551c89c7b34b8
Change-Id: I8b35a87096278dee376107808022c95c2350c80e
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.14.x.scc | 2 | ||||
-rw-r--r-- | patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | 118 |
2 files changed, 120 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index 9a53416..59a57b6 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
@@ -11,3 +11,5 @@ patch CVE-2018-14611-btrfs-validate-type-when-reading-a-chunk.patch | |||
11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch | 11 | patch CVE-2018-14614-f2fs-fix-to-do-sanity-check-with-cp_pack_start_sum.patch |
12 | patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch | 12 | patch CVE-2018-18690-xfs-don-t-fail-when-converting-shortform-attr-to-lon.patch |
13 | patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch | 13 | patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch |
14 | #CVEs fixed in 4.14.87: | ||
15 | patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | ||
diff --git a/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch b/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch new file mode 100644 index 0000000..0d02d22 --- /dev/null +++ b/patches/cve/CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | |||
@@ -0,0 +1,118 @@ | |||
1 | From 82c5a8c0debac552750a00b4fc7551c89c7b34b8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andrea Arcangeli <aarcange@redhat.com> | ||
3 | Date: Fri, 30 Nov 2018 14:09:25 -0800 | ||
4 | Subject: [PATCH] userfaultfd: use ENOENT instead of EFAULT if the atomic copy | ||
5 | user fails | ||
6 | |||
7 | commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream. | ||
8 | |||
9 | Patch series "userfaultfd shmem updates". | ||
10 | |||
11 | Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the | ||
12 | lack of the VM_MAYWRITE check and the lack of i_size checks. | ||
13 | |||
14 | Then looking into the above we also fixed the MAP_PRIVATE case. | ||
15 | |||
16 | Hugh by source review also found a data loss source if UFFDIO_COPY is | ||
17 | used on shmem MAP_SHARED PROT_READ mappings (the production usages | ||
18 | incidentally run with PROT_READ|PROT_WRITE, so the data loss couldn't | ||
19 | happen in those production usages like with QEMU). | ||
20 | |||
21 | The whole patchset is marked for stable. | ||
22 | |||
23 | We verified QEMU postcopy live migration with guest running on shmem | ||
24 | MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE. | ||
25 | Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU | ||
26 | unconditionally invokes a punch hole if the guest mapping is filebacked | ||
27 | and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and | ||
28 | for the anon backend). | ||
29 | |||
30 | This patch (of 5): | ||
31 | |||
32 | We internally used EFAULT to communicate with the caller, switch to | ||
33 | ENOENT, so EFAULT can be used as a non internal retval. | ||
34 | |||
35 | CVE: CVE-2018-18397 | ||
36 | Upstream-Status: Backport | ||
37 | |||
38 | Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com | ||
39 | Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") | ||
40 | Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> | ||
41 | Reviewed-by: Mike Rapoport <rppt@linux.ibm.com> | ||
42 | Reviewed-by: Hugh Dickins <hughd@google.com> | ||
43 | Cc: Mike Kravetz <mike.kravetz@oracle.com> | ||
44 | Cc: Jann Horn <jannh@google.com> | ||
45 | Cc: Peter Xu <peterx@redhat.com> | ||
46 | Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> | ||
47 | Cc: <stable@vger.kernel.org> | ||
48 | Cc: stable@vger.kernel.org | ||
49 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | ||
50 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
51 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
52 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
53 | --- | ||
54 | mm/hugetlb.c | 2 +- | ||
55 | mm/shmem.c | 2 +- | ||
56 | mm/userfaultfd.c | 6 +++--- | ||
57 | 3 files changed, 5 insertions(+), 5 deletions(-) | ||
58 | |||
59 | diff --git a/mm/hugetlb.c b/mm/hugetlb.c | ||
60 | index f46040aed2da..224cdd953a79 100644 | ||
61 | --- a/mm/hugetlb.c | ||
62 | +++ b/mm/hugetlb.c | ||
63 | @@ -4037,7 +4037,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, | ||
64 | |||
65 | /* fallback to copy_from_user outside mmap_sem */ | ||
66 | if (unlikely(ret)) { | ||
67 | - ret = -EFAULT; | ||
68 | + ret = -ENOENT; | ||
69 | *pagep = page; | ||
70 | /* don't free the page */ | ||
71 | goto out; | ||
72 | diff --git a/mm/shmem.c b/mm/shmem.c | ||
73 | index ab7ff0aeae2d..9f856ecda73b 100644 | ||
74 | --- a/mm/shmem.c | ||
75 | +++ b/mm/shmem.c | ||
76 | @@ -2266,7 +2266,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, | ||
77 | *pagep = page; | ||
78 | shmem_inode_unacct_blocks(inode, 1); | ||
79 | /* don't free the page */ | ||
80 | - return -EFAULT; | ||
81 | + return -ENOENT; | ||
82 | } | ||
83 | } else { /* mfill_zeropage_atomic */ | ||
84 | clear_highpage(page); | ||
85 | diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c | ||
86 | index 81192701964d..c63c0fc5ecfa 100644 | ||
87 | --- a/mm/userfaultfd.c | ||
88 | +++ b/mm/userfaultfd.c | ||
89 | @@ -49,7 +49,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm, | ||
90 | |||
91 | /* fallback to copy_from_user outside mmap_sem */ | ||
92 | if (unlikely(ret)) { | ||
93 | - ret = -EFAULT; | ||
94 | + ret = -ENOENT; | ||
95 | *pagep = page; | ||
96 | /* don't free the page */ | ||
97 | goto out; | ||
98 | @@ -275,7 +275,7 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm, | ||
99 | |||
100 | cond_resched(); | ||
101 | |||
102 | - if (unlikely(err == -EFAULT)) { | ||
103 | + if (unlikely(err == -ENOENT)) { | ||
104 | up_read(&dst_mm->mmap_sem); | ||
105 | BUG_ON(!page); | ||
106 | |||
107 | @@ -521,7 +521,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, | ||
108 | src_addr, &page, zeropage); | ||
109 | cond_resched(); | ||
110 | |||
111 | - if (unlikely(err == -EFAULT)) { | ||
112 | + if (unlikely(err == -ENOENT)) { | ||
113 | void *page_kaddr; | ||
114 | |||
115 | up_read(&dst_mm->mmap_sem); | ||
116 | -- | ||
117 | 2.19.2 | ||
118 | |||