author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 15:11:28 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-25 13:22:31 +0200 |
commit | 9a81c6699785afeba2d3afcdb682652bf7844108 (patch) | |
tree | 5dde44711696e6209af563b26e76e42e4a290cb0 | |
parent | 260a690d270fd1273f841e65a7eebea46ab34bfc (diff) | |
download | enea-kernel-cache-9a81c6699785afeba2d3afcdb682652bf7844108.tar.gz |
mm/mempolicy: CVE-2018-10675
mm/mempolicy: fix use after free when calling get_mempolicy
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=fd30faeaf0f5163356ec053ba9eb1d3b7923062c
Change-Id: I7eca8926a82fe573447c8742be055b3f2c5df6e5
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch | 91 |
2 files changed, 94 insertions, 0 deletions
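--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -22,3 +22,6 @@ patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
 #fixed in 4.1.44
 patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
 
+#fixed in 4.1.45
+patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
+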
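--- /dev/null
+++ b/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
@@ -0,0 +1,91 @@
+From fd30faeaf0f5163356ec053ba9eb1d3b7923062c Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: [PATCH] mm/mempolicy: fix use after free when calling get_mempolicy
+
+[ Upstream commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 ]
+
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled. The related call trace is as follows.
+
+BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+Read of size 2 by task syz-executor1/798
+
+INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+__slab_alloc+0x768/0x970
+kmem_cache_alloc+0x2e7/0x450
+mpol_new.part.2+0x74/0x160
+mpol_new+0x66/0x80
+SyS_mbind+0x267/0x9f0
+system_call_fastpath+0x16/0x1b
+INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+__slab_free+0x495/0x8e0
+kmem_cache_free+0x2f3/0x4c0
+__mpol_put+0x2b/0x40
+SyS_mbind+0x383/0x9f0
+system_call_fastpath+0x16/0x1b
+INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+
+Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
+Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
+Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
+Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+Memory state around the buggy address:
+ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem. do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer."). but when we have the the
+current mempolicy ref count model. The issue was introduced
+accordingly.
+
+Fix the issue by removing the premature release.
+
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+
+CVE: CVE-2018-10675
+Upstream-Status: Backport
+
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: <stable@vger.kernel.org> [2.6+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+mm/mempolicy.c | 5 -----
+1 file changed, 5 deletions(-)
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index ea06282..dacd2e9 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -897,11 +897,6 @@ static long do_get_mempolicy(int *policy, nodemask_t *nmask,
+*policy |= (pol->flags & MPOL_MODE_FLAGS);
+}
+
+- if (vma) {
+- up_read(¤t->mm->mmap_sem);
+- vma = NULL;
+- }
+-
+err = 0;
+if (nmask) {
+if (mpol_store_user_nodemask(pol)) {
+--
+2.7.4
+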
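Review bot: The embedded kernel hunk ends at `if (nmask) {`, before do_get_mempolicy's exit path, so this page alone does not show that the mmap_sem read lock acquired earlier in the function is still released once the early `up_read()` block is gone; the backport should be checked against the 4.1 `do_get_mempolicy` body to confirm its final cleanup still does `up_read(&current->mm->mmap_sem)` when `vma` is non-NULL, otherwise the fix would trade a use-after-free for a read lock held past the syscall. The `¤t` in the removed `up_read(¤t->mm->mmap_sem);` line looks like an HTML-entity rendering of `&current` rather than the file's real content; it is worth confirming the stored patch reads `&current->mm->mmap_sem`, since a mismatched `-` line would make `patch` reject the hunk. The enclosing function starts and ends outside the hunk.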