authorTakashi Iwai <tiwai@suse.de>2019-05-23 16:26:30 +0200
committerTakashi Iwai <tiwai@suse.de>2019-05-23 16:26:30 +0200
commitf8b017a1ade0bcdbba8ca228c6e6e731e34c9f0d (patch)
tree906bced75f80bdc7315e0cb8de71a0030622c9dd
parent5739ee56c9d6e64d011cd24360ae84cc6aadf17d (diff)
parentc0fc554ad1e7dd09cf178bb90ea02106e8ddfcc7 (diff)
Merge branch 'users/vbabka/cve/linux-4.4/for-next' into SLE12-SP3
Pull mm fix from Vlastimil Babka (CVE-2019-5489, bsc#1120843)
-rw-r--r--patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch91
-rw-r--r--series.conf1
2 files changed, 92 insertions, 0 deletions
diff --git a/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
new file mode 100644
index 0000000000..4806f9cdee
--- /dev/null
+++ b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
@@ -0,0 +1,91 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+Git-commit: 134fca9063ad4851de767d1768180e5dede9a881
+Patch-mainline: v5.2-rc1
+References: CVE-2019-5489, bsc#1120843
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mincore.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -165,6 +165,22 @@ out:
+ return 0;
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -185,8 +201,13 @@ static long do_mincore(unsigned long add
+ vma = find_vma(current->mm, addr);
+ if (!vma || addr < vma->vm_start)
+ return -ENOMEM;
+- mincore_walk.mm = vma->vm_mm;
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
++ mincore_walk.mm = vma->vm_mm;
+ err = walk_page_range(addr, end, &mincore_walk);
+ if (err < 0)
+ return err;
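Review bot: In the do_mincore() hunk of the nested patch, the `unsigned long pages` declared inside the `if (!can_do_mincore(vma))` block shadows the outer `pages` that the `end = min(...)` line just above still reads; a distinct name such as `unsigned long nr = DIV_ROUND_UP(end - addr, PAGE_SIZE);`, followed by a blank line, would be harder to misread and would not trip -Wshadow. That branch is where the mitigation actually takes effect, yet it has no comment; something like `/* Caller may not probe this mapping: report every page as resident so the vector reveals nothing about page cache state. */` above the `memset(vec, 1, ...)` would record why success is returned rather than an error. As written, a caller that uses mincore() on a mapping of a file it neither owns nor can write will always see "resident", so userspace that uses the result to decide on prefetching should be told about the changed answer. do_mincore() starts and ends outside the hunk.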
diff --git a/series.conf b/series.conf
index 3d96dfa655..dd85de06f0 100644
--- a/series.conf
+++ b/series.conf
@@ -25389,6 +25389,7 @@
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
patches.fixes/0001-PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.fixes/0001-backlight-lm3630a-Return-0-on-success-in-update_stat.patch
+ patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
patches.fixes/0003-drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch