commit c3ff40a5f885b0cd55e953696201acc581e3f58e Author: Arkadiusz MiĆkiewicz <ar...@maven.pl> Date: Fri Oct 21 14:03:22 2016 +0200
- rel 2; fix CVE-2016-5195
kernel-small_fixes.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
kernel.spec | 2 +-
2 files changed, 91 insertions(+), 1 deletion(-)
---
diff --git a/kernel.spec b/kernel.spec
index f20a9fa..6fb8141 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -68,7 +68,7 @@
 %define have_pcmcia 0
 %endif
-%define rel 1
+%define rel 2
 %define basever 4.1
 %define postver .34
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index 83a0b12..3b5a1a5 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -115,3 +115,93 @@ index 29531ec..65fbfb7 100644
+commit 1294d355881cc5c3421d24fee512f16974addb6c
+Author: Linus Torvalds <torva...@linux-foundation.org>
+Date: Thu Oct 13 13:07:36 2016 -0700
+
+ mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
+
+ commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
+
+ This is an ancient bug that was actually attempted to be fixed once
+ (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
+ get_user_pages() race for write access") but that was then undone due to
+ problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
+
+ In the meantime, the s390 situation has long been fixed, and we can now
+ fix it by checking the pte_dirty() bit properly (and do it better). The
+ s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
+ software dirty bits") which made it into v3.9. Earlier kernels will
+ have to look at the page state itself.
+
+ Also, the VM has become more scalable, and what used a purely
+ theoretical race back then has become easier to trigger.
+
+ To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
+ we already did a COW" rather than play racy games with FOLL_WRITE that
+ is very fundamental, and then use the pte dirty flag to validate that
+ the FOLL_COW flag is still valid.
+
+ Reported-and-tested-by: Phil "not Paul" Oester <ker...@linuxace.com>
+ Acked-by: Hugh Dickins <hu...@google.com>
+ Reviewed-by: Michal Hocko <mho...@suse.com>
+ Cc: Andy Lutomirski <l...@kernel.org>
+ Cc: Kees Cook <keesc...@chromium.org>
+ Cc: Oleg Nesterov <o...@redhat.com>
+ Cc: Willy Tarreau <w...@1wt.eu>
+ Cc: Nick Piggin <npig...@gmail.com>
+ Cc: Greg Thelen <gthe...@google.com>
+ Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+ Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index cfebb74..f0ffa01 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
+ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
+ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
++#define FOLL_COW 0x1000 /* internal GUP flag */
+ 
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+ extern int apply_to_page_range(struct mm_struct *mm, unsigned long address,
+diff --git a/mm/gup.c b/mm/gup.c
+index deafa2c..4b0b7e7 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
+ return -EEXIST;
+ }
+ 
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++ return pte_write(pte) ||
++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ static struct page *follow_page_pte(struct vm_area_struct *vma,
+ unsigned long address, pmd_t *pmd, unsigned int flags)
+ {
+@@ -92,7 +102,7 @@ retry:
+ }
+ if ((flags & FOLL_NUMA) && pte_protnone(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
+ pte_unmap_unlock(ptep, ptl);
+ return NULL;
+ }
+@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
+ * reCOWed by userspace write).
+ */
+ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
+- *flags &= ~FOLL_WRITE;
++ *flags |= FOLL_COW;
+ return 0;
+ }
+ 
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/c3ff40a5f885b0cd55e953696201acc581e3f58e
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
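Review bot: The backport only teaches the pte path about the new flag — `can_follow_write_pte()` now guards `follow_page_pte()` and `faultin_page()` does `*flags |= FOLL_COW` instead of clearing FOLL_WRITE — while the transparent-hugepage lookup (`follow_trans_huge_pmd()` in mm/huge_memory.c, not touched by this patch) still, if I read the 4.1 tree right, refuses a write lookup on `!pmd_write()` alone. Since FOLL_WRITE now stays set across the GUP retry, a FOLL_FORCE|FOLL_WRITE request on a read-only private THP mapping (ptrace is the usual FOLL_FORCE user) can keep failing the lookup and re-faulting instead of completing, so it is worth verifying the 4.1 THP path with CONFIG_TRANSPARENT_HUGEPAGE before shipping rel 2, or backporting a matching pmd-side helper alongside this one. The FOLL_COW value was also renumbered for 4.1 to the next free bit after FOLL_TRIED (0x800) and differs from the upstream define, so a one-line remark in the patch header such as `FOLL_COW renumbered to 0x1000 for 4.1; keep it clear of any FOLL_ bits backported later` would save the next person a collision hunt. The `faultin_page()` hunk's enclosing function begins above what this patch shows.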