Home Home > GIT Browse > SLE12-SP3-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-05-24 07:00:15 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-24 07:00:15 +0200
commitc4a4a529309711cdc1f2b885e2aa18d0260921d8 (patch)
treef15af712895a40ce2c018fb07e960ff25f7ce0b7
parent881585471e3e67e2f7676656785bb4e3bedb5629 (diff)
parentf8b017a1ade0bcdbba8ca228c6e6e731e34c9f0d (diff)
Merge branch 'SLE12-SP3' into SLE12-SP3-AZURESLE12-SP3-AZURE
-rw-r--r--patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch91
-rw-r--r--series.conf1
2 files changed, 92 insertions, 0 deletions
diff --git a/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
new file mode 100644
index 0000000000..4806f9cdee
--- /dev/null
+++ b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
@@ -0,0 +1,91 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+Git-commit: 134fca9063ad4851de767d1768180e5dede9a881
+Patch-mainline: v5.2-rc1
+References: CVE-2019-5489, bsc#1120843
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mincore.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -165,6 +165,22 @@ out:
+ return 0;
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -185,8 +201,13 @@ static long do_mincore(unsigned long add
+ vma = find_vma(current->mm, addr);
+ if (!vma || addr < vma->vm_start)
+ return -ENOMEM;
+- mincore_walk.mm = vma->vm_mm;
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
++ mincore_walk.mm = vma->vm_mm;
+ err = walk_page_range(addr, end, &mincore_walk);
+ if (err < 0)
+ return err;
diff --git a/series.conf b/series.conf
index c06d890d42..2507d29248 100644
--- a/series.conf
+++ b/series.conf
@@ -25551,6 +25551,7 @@
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
patches.fixes/0001-PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.fixes/0001-backlight-lm3630a-Return-0-on-success-in-update_stat.patch
+ patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
patches.fixes/0003-drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch