mm/mempolicy: CVE-2018-10675

mm/mempolicy: fix use after free when calling get_mempolicy References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=fd30faeaf0f5163356ec053ba9eb1d3b7923062c Change-Id: I7eca8926a82fe573447c8742be055b3f2c5df6e5 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:11:28 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:22:31 +0200
commit: 9a81c6699785afeba2d3afcdb682652bf7844108 (patch)
tree: 5dde44711696e6209af563b26e76e42e4a290cb0
parent: 260a690d270fd1273f841e65a7eebea46ab34bfc (diff)
download: enea-kernel-cache-9a81c6699785afeba2d3afcdb682652bf7844108.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 6386a9b..475bc09 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -22,3 +22,6 @@ patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
 #fixed in 4.1.44
 patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+#fixed in 4.1.45
+patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
diff --git a/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch b/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
new file mode 100644
index 0000000..47e6e78
--- /dev/null
+++ b/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
@@ -0,0 +1,91 @@
+From fd30faeaf0f5163356ec053ba9eb1d3b7923062c Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: [PATCH] mm/mempolicy: fix use after free when calling get_mempolicy
+[ Upstream commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 ]
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled.  The related call trace is as follows.
+  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+  Read of size 2 by task syz-executor1/798
+  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+     __slab_alloc+0x768/0x970
+     kmem_cache_alloc+0x2e7/0x450
+     mpol_new.part.2+0x74/0x160
+     mpol_new+0x66/0x80
+     SyS_mbind+0x267/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+     __slab_free+0x495/0x8e0
+     kmem_cache_free+0x2f3/0x4c0
+     __mpol_put+0x2b/0x40
+     SyS_mbind+0x383/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
+  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
+  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
+  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
+  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
+  Memory state around the buggy address:
+  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem.  do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer.").  but when we have the the
+current mempolicy ref count model.  The issue was introduced
+accordingly.
+Fix the issue by removing the premature release.
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+CVE: CVE-2018-10675 
+Upstream-Status: Backport  
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: <stable@vger.kernel.org>    [2.6+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ mm/mempolicy.c | 5 -----
+ 1 file changed, 5 deletions(-)
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index ea06282..dacd2e9 100644
+--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
+@@ -897,11 +897,6 @@ static long do_get_mempolicy(int *policy, nodemask_t *nmask,
+                *policy |= (pol->flags & MPOL_MODE_FLAGS);
+        }
+ 
+-       if (vma) {
+-               up_read(&current->mm->mmap_sem);
+-               vma = NULL;
+-       }
+-
+        err = 0;
+        if (nmask) {
+                if (mpol_store_user_nodemask(pol)) {
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:11:28 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:22:31 +0200
commit	9a81c6699785afeba2d3afcdb682652bf7844108 (patch)
tree	5dde44711696e6209af563b26e76e42e4a290cb0
parent	260a690d270fd1273f841e65a7eebea46ab34bfc (diff)
download	enea-kernel-cache-9a81c6699785afeba2d3afcdb682652bf7844108.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 6386a9b..475bc09 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -22,3 +22,6 @@ patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
22	#fixed in 4.1.44	22	#fixed in 4.1.44
23	patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch	23	patch CVE-2017-1000111-packet-fix-tp_reserve-race-in-packet_set_ring.patch
24		24
		25	#fixed in 4.1.45
		26	patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
		27


diff --git a/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch b/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch new file mode 100644 index 0000000..47e6e78 --- /dev/null +++ b/patches/cve/CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
@@ -0,0 +1,91 @@
		1	From fd30faeaf0f5163356ec053ba9eb1d3b7923062c Mon Sep 17 00:00:00 2001
		2	From: zhong jiang <zhongjiang@huawei.com>
		3	Date: Fri, 18 Aug 2017 15:16:24 -0700
		4	Subject: [PATCH] mm/mempolicy: fix use after free when calling get_mempolicy
		5
		6	[ Upstream commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 ]
		7
		8	I hit a use after free issue when executing trinity and repoduced it
		9	with KASAN enabled. The related call trace is as follows.
		10
		11	BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
		12	Read of size 2 by task syz-executor1/798
		13
		14	INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
		15	__slab_alloc+0x768/0x970
		16	kmem_cache_alloc+0x2e7/0x450
		17	mpol_new.part.2+0x74/0x160
		18	mpol_new+0x66/0x80
		19	SyS_mbind+0x267/0x9f0
		20	system_call_fastpath+0x16/0x1b
		21	INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
		22	__slab_free+0x495/0x8e0
		23	kmem_cache_free+0x2f3/0x4c0
		24	__mpol_put+0x2b/0x40
		25	SyS_mbind+0x383/0x9f0
		26	system_call_fastpath+0x16/0x1b
		27	INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
		28	INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
		29
		30	Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
		31	Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
		32	Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkk.
		33	Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb ........
		34	Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
		35	Memory state around the buggy address:
		36	ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
		37	ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
		38	>ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
		39
		40	!shared memory policy is not protected against parallel removal by other
		41	thread which is normally protected by the mmap_sem. do_get_mempolicy,
		42	however, drops the lock midway while we can still access it later.
		43
		44	Early premature up_read is a historical artifact from times when
		45	put_user was called in this path see https://lwn.net/Articles/124754/
		46	but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
		47	layering in the memory policy layer."). but when we have the the
		48	current mempolicy ref count model. The issue was introduced
		49	accordingly.
		50
		51	Fix the issue by removing the premature release.
		52
		53	Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
		54
		55	CVE: CVE-2018-10675
		56	Upstream-Status: Backport
		57
		58	Signed-off-by: zhong jiang <zhongjiang@huawei.com>
		59	Acked-by: Michal Hocko <mhocko@suse.com>
		60	Cc: Minchan Kim <minchan@kernel.org>
		61	Cc: Vlastimil Babka <vbabka@suse.cz>
		62	Cc: David Rientjes <rientjes@google.com>
		63	Cc: Mel Gorman <mgorman@techsingularity.net>
		64	Cc: <stable@vger.kernel.org> [2.6+]
		65	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
		66	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		67	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
		68	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		69	---
		70	mm/mempolicy.c \| 5 -----
		71	1 file changed, 5 deletions(-)
		72
		73	diff --git a/mm/mempolicy.c b/mm/mempolicy.c
		74	index ea06282..dacd2e9 100644
		75	--- a/mm/mempolicy.c
		76	+++ b/mm/mempolicy.c
		77	@@ -897,11 +897,6 @@ static long do_get_mempolicy(int policy, nodemask_t nmask,
		78	*policy \|= (pol->flags & MPOL_MODE_FLAGS);
		79	}
		80
		81	- if (vma) {
		82	- up_read(&current->mm->mmap_sem);
		83	- vma = NULL;
		84	- }
		85	-
		86	err = 0;
		87	if (nmask) {
		88	if (mpol_store_user_nodemask(pol)) {
		89	--
		90	2.7.4
		91