Home Home > GIT Browse > openSUSE-15.0
diff options
authorVlastimil Babka <vbabka@suse.cz>2018-12-07 14:58:25 +0100
committerVlastimil Babka <vbabka@suse.cz>2018-12-07 15:06:36 +0100
commitd4fc67969a19e179a9a31b587a8b0f62a0d563f7 (patch)
parentd70fb1112bc2365539afa4e7bed4ab1f3ca56b69 (diff)
userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE
shmem (CVE-2018-18397, bsc#1117656).
2 files changed, 83 insertions, 0 deletions
diff --git a/patches.fixes/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch b/patches.fixes/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch
new file mode 100644
index 0000000000..d3f76c77bb
--- /dev/null
+++ b/patches.fixes/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch
@@ -0,0 +1,82 @@
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:28 -0800
+Subject: userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
+Git-commit: 5b51072e97d587186c2f5390c8c9c1fb7e179505
+Patch-mainline: v4.20-rc5
+References: CVE-2018-18397, bsc#1117656
+Userfaultfd did not create private memory when UFFDIO_COPY was invoked
+on a MAP_PRIVATE shmem mapping. Instead it wrote to the shmem file,
+even when that had not been opened for writing. Though, fortunately,
+that could only happen where there was a hole in the file.
+Fix the shmem-backed implementation of UFFDIO_COPY to create private
+memory for MAP_PRIVATE mappings. The hugetlbfs-backed implementation
+was already correct.
+This change is visible to userland, if userfaultfd has been used in
+unintended ways: so it introduces a small risk of incompatibility, but
+is necessary in order to respect file permissions.
+An app that uses UFFDIO_COPY for anything like postcopy live migration
+won't notice the difference, and in fact it'll run faster because there
+will be no copy-on-write and memory waste in the tmpfs pagecache
+Userfaults on MAP_PRIVATE shmem keep triggering only on file holes like
+The real zeropage can also be built on a MAP_PRIVATE shmem mapping
+through UFFDIO_ZEROPAGE and that's safe because the zeropage pte is
+never dirty, in turn even an mprotect upgrading the vma permission from
+PROT_READ to PROT_READ|PROT_WRITE won't make the zeropage pte writable.
+Link: http://lkml.kernel.org/r/20181126173452.26955-3-aarcange@redhat.com
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+ mm/userfaultfd.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -381,7 +381,17 @@ static __always_inline ssize_t mfill_ato
+ {
+ ssize_t err;
+- if (vma_is_anonymous(dst_vma)) {
++ /*
++ * The normal page fault path for a shmem will invoke the
++ * fault, fill the hole in the file and COW it right away. The
++ * result generates plain anonymous memory. So when we are
++ * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll
++ * generate anonymous memory directly without actually filling
++ * the hole. For the MAP_PRIVATE case the robustness check
++ * only happens in the pagetable (to verify it's still none)
++ * and not in the radix tree.
++ */
++ if (!(dst_vma->vm_flags & VM_SHARED)) {
+ if (!zeropage)
+ err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
+ dst_addr, src_addr, page);
+@@ -478,7 +488,8 @@ retry:
+ * dst_vma.
+ */
+ err = -ENOMEM;
+- if (vma_is_anonymous(dst_vma) && unlikely(anon_vma_prepare(dst_vma)))
++ if (!(dst_vma->vm_flags & VM_SHARED) &&
++ unlikely(anon_vma_prepare(dst_vma)))
+ goto out_unlock;
+ while (src_addr < src_start + len) {
diff --git a/series.conf b/series.conf
index c083e8886e..12ce76ccf8 100644
--- a/series.conf
+++ b/series.conf
@@ -19044,6 +19044,7 @@
+ patches.fixes/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch