summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-10-24 08:54:31 (GMT)
committerAdrian Dudau <adrian.dudau@enea.com>2016-10-24 12:50:18 (GMT)
commit7914c3cba2645ff204e252d1cfc83937aebb0f78 (patch)
tree63fcac0c69d7ebaa4ceb95435c6dd3e30ab8a40c
parent75c4229c4275a807dd0f89ad8c03da1e8d20f3bd (diff)
downloadmeta-enea-bsp-common-7914c3cba2645ff204e252d1cfc83937aebb0f78.tar.gz
kernel: CVE-2016-5195
Fixes privilege escalation via MAP_PRIVATE COW breakage. References: =========== https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195 http://www.securityfocus.com/bid/93793 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r--recipes-kernel/linux/files/CVE-2016-5195.patch100
-rw-r--r--recipes-kernel/linux/linux-yocto_4.%.bbappend1
2 files changed, 101 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-5195.patch b/recipes-kernel/linux/files/CVE-2016-5195.patch
new file mode 100644
index 0000000..3f81b19
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-5195.patch
@@ -0,0 +1,100 @@
1From 1294d355881cc5c3421d24fee512f16974addb6c Mon Sep 17 00:00:00 2001
2From: Linus Torvalds <torvalds@linux-foundation.org>
3Date: Thu, 13 Oct 2016 13:07:36 -0700
4Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
5
6commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
7
8This is an ancient bug that was actually attempted to be fixed once
9(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
10get_user_pages() race for write access") but that was then undone due to
11problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
12
13In the meantime, the s390 situation has long been fixed, and we can now
14fix it by checking the pte_dirty() bit properly (and do it better). The
15s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
16software dirty bits") which made it into v3.9. Earlier kernels will
17have to look at the page state itself.
18
19Also, the VM has become more scalable, and what used a purely
20theoretical race back then has become easier to trigger.
21
22To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
23we already did a COW" rather than play racy games with FOLL_WRITE that
24is very fundamental, and then use the pte dirty flag to validate that
25the FOLL_COW flag is still valid.
26
27Upstream-Status: Backport
28CVE: CVE-2016-5195
29
30Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
31Acked-by: Hugh Dickins <hughd@google.com>
32Reviewed-by: Michal Hocko <mhocko@suse.com>
33Cc: Andy Lutomirski <luto@kernel.org>
34Cc: Kees Cook <keescook@chromium.org>
35Cc: Oleg Nesterov <oleg@redhat.com>
36Cc: Willy Tarreau <w@1wt.eu>
37Cc: Nick Piggin <npiggin@gmail.com>
38Cc: Greg Thelen <gthelen@google.com>
39Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
40Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
41Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
42---
43 include/linux/mm.h | 1 +
44 mm/gup.c | 14 ++++++++++++--
45 2 files changed, 13 insertions(+), 2 deletions(-)
46
47diff --git a/include/linux/mm.h b/include/linux/mm.h
48index cfebb74..f0ffa01 100644
49--- a/include/linux/mm.h
50+++ b/include/linux/mm.h
51@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
52 #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
53 #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
54 #define FOLL_MLOCK 0x1000 /* lock present pages */
55+#define FOLL_COW 0x4000 /* internal GUP flag */
56
57 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
58 void *data);
59diff --git a/mm/gup.c b/mm/gup.c
60index deafa2c..4b0b7e7 100644
61--- a/mm/gup.c
62+++ b/mm/gup.c
63@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
64 return -EEXIST;
65 }
66
67+/*
68+ * FOLL_FORCE can write to even unwritable pte's, but only
69+ * after we've gone through a COW cycle and they are dirty.
70+ */
71+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
72+{
73+ return pte_write(pte) ||
74+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
75+}
76+
77 static struct page *follow_page_pte(struct vm_area_struct *vma,
78 unsigned long address, pmd_t *pmd, unsigned int flags)
79 {
80@@ -92,7 +102,7 @@ retry:
81 }
82 if ((flags & FOLL_NUMA) && pte_protnone(pte))
83 goto no_page;
84- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
85+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
86 pte_unmap_unlock(ptep, ptl);
87 return NULL;
88 }
89@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
90 * reCOWed by userspace write).
91 */
92 if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
93- *flags &= ~FOLL_WRITE;
94+ *flags |= FOLL_COW;
95 return 0;
96 }
97
98--
99cgit v0.12
100
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index cd0de11..c2eff00 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -6,6 +6,7 @@ SRC_URI += "file://hid-CVE-2016-5829.patch \
6 file://CVE-2016-5696-limiting-of-all-challenge.patch \ 6 file://CVE-2016-5696-limiting-of-all-challenge.patch \
7 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \ 7 file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
8 file://CVE-2016-4951.patch \ 8 file://CVE-2016-4951.patch \
9 file://CVE-2016-5195.patch \
9 " 10 "
10 11
11ENEA_KERNEL_FRAGMENTS += "\ 12ENEA_KERNEL_FRAGMENTS += "\