From e5dfc5da18f3734979f44c47f1442484b40feb24 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Fri, 29 Sep 2017 12:28:01 +0200
Subject: linux-cavium: CVE-2017-5669

Shmat allows mmap null page protection bypass

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5669

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 .../linux/linux-cavium/CVE-2017-5669.patch         | 81 ++++++++++++++++++++++
 recipes-kernel/linux/linux-cavium_4.9.inc          |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
new file mode 100644
index 0000000..7dcd09a
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5669.patch
@@ -0,0 +1,81 @@
+From 270e84a1e6effd6c0c6e9b13b196b5fdaa392954 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
+
+commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
+
+The issue is described here, with a nice testcase:
+
+    https://bugzilla.kernel.org/show_bug.cgi?id=192931
+
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0.  For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address.  So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page.  There are two possible fixes
+to this.  The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags.  This makes the
+behavior of shmat() identical to the mmap() case.  The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+
+Passes shm related ltp tests.
+
+CVE: CVE-2017-5669
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ipc/shm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index dbac886..e2072ae 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -1085,8 +1085,8 @@ static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
+  * "raddr" thing points to kernel space, and there has to be a wrapper around
+  * this.
+  */
+-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+-	      unsigned long shmlba)
++long do_shmat(int shmid, char __user *shmaddr, int shmflg,
++	      ulong *raddr, unsigned long shmlba)
+ {
+ 	struct shmid_kernel *shp;
+ 	unsigned long addr;
+@@ -1107,8 +1107,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ 		goto out;
+ 	else if ((addr = (ulong)shmaddr)) {
+ 		if (addr & (shmlba - 1)) {
+-			if (shmflg & SHM_RND)
+-				addr &= ~(shmlba - 1);	   /* round down */
++			/*
++			 * Round down to the nearest multiple of shmlba.
++			 * For sane do_mmap_pgoff() parameters, avoid
++			 * round downs that trigger nil-page and MAP_FIXED.
++			 */
++			if ((shmflg & SHM_RND) && addr >= shmlba)
++				addr &= ~(shmlba - 1);
+ 			else
+ #ifndef __ARCH_FORCE_SHMLBA
+ 				if (addr & ~PAGE_MASK)
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 8ff28fd..e35c12f 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
            file://CVE-2016-10208.patch \
            file://CVE-2017-5551.patch \
            file://CVE-2017-5577.patch \
+           file://CVE-2017-5669.patch \
            file://CVE-2017-7487.patch \
            file://CVE-2017-7618.patch \
            file://CVE-2017-7645.patch \
-- 
cgit v1.2.3-54-g00ecf