Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
Yes you were absolutely right.

On 161025-14:46-0400, Fernando Rodriguez wrote:
> On Tue, Oct 25, 2016 at 07:38:01PM +0200, Miroslav Rovis wrote:
> > Sorry about noticing your reply only now.
> >
> > Namely, thinking that people over at hardened ML would tell more about
> > it, I indirectly initiated a thread over at hardened ML:
> > https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e
> >
> > Will surely check it! And am CC'ing hardened about this patch at the
> > hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
> > ---
> > Only now looked at the patch.
> >
> > No, you don't get it. And I'm not CC'ing this to hardened ML.

Sorry about that. I was not getting it. After all if a patch isn't meant
to patch something it only fails :-) .

> > You can't just run the patch for a vanilla kernel onto a
> > grsecurity-patched kernel. Look up the hardened-sources, and how they
> > are patched, and what the mm.h and the gup.c in question (there are a
> > few of so named files in various directories) look in the
> > hardened-sources, and how they look in the vanilla-sources...
>
> fernan@navi /usr/src/linux-4.4.8-hardened-r1 $ sudo patch -p1 < /home/fernan/dirtycow.patch
> patching file include/linux/mm.h
> Hunk #1 succeeded at 2131 (offset 19 lines).
> patching file mm/gup.c
> Hunk #3 succeeded at 357 (offset -5 lines).
>

It did work here too:

# patch -p1 < /home/miro/dirtycow.patch
patching file include/linux/mm.h
Hunk #1 succeeded at 2131 (offset 19 lines).
patching file mm/gup.c
Hunk #3 succeeded at 357 (offset -5 lines).
#

where:

# pwd
/usr/src/linux
# ls -l ../linux
lrwxrwxrwx 1 root root 23 2016-10-23 02:37 ../linux -> linux-4.4.8-hardened-r1
#

> It works so I guess you can. Never say you can't do something before
> trying cause then you look like an idiot.
>
> And the patch says which are the files in question!
>
> > If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
> > sent me the Linus's patch.
>
> Yes you are mistaken, cause if you've tried it you wouldn't be asking
> the question. And yes, that is Linus's patch.

Right!
...
> > > Did you try it?
> > > The patch attached comes straight from the git repo, just run:
> > >
> > > # cd /usr/src/linux
> > > # patch -p1 < path/to/patch
> > >
> > > It'll likely work.

And it did, as above...

> > Thanks for trying to help! Regards!

Wrong on my part! Thanks for teaching me! And to teach an obstinate
misunderstanding old man takes a little nerve.

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
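Reading those `patch` report lines is the whole question in this thread, so here is an added helper (written for this page, not from the thread or from GNU patch itself) that parses them and says whether an apply can be trusted. The clean sample is the two runs quoted above; the fuzzed and failed samples are constructed, since nobody in the thread hit those cases.

```python
import re
from collections import namedtuple

# fuzz = context lines patch ignored to place the hunk; offset = how far
# from the line number the patch itself named the hunk actually landed.
Hunk = namedtuple("Hunk", "path num ok line fuzz offset")

FILE_RE = re.compile(r"^patching file (\S+)$")
HUNK_RE = re.compile(
    r"^Hunk #(\d+) (succeeded|FAILED) at (\d+)"
    r"(?: with fuzz (\d+))?(?: \(offset (-?\d+) lines?\))?\.$"
)

def parse_patch_output(text):
    """Collect the hunk reports. In default (non-verbose) mode patch only
    mentions a hunk that was offset, fuzzed or failed, so a hunk number that
    is absent (like #1 and #2 of mm/gup.c in this thread) applied exactly."""
    hunks, path = [], "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = HUNK_RE.match(line)
        if m:
            num, status, at, fuzz, off = m.groups()
            hunks.append(Hunk(path, int(num), status == "succeeded",
                              int(at), int(fuzz or 0), int(off or 0)))
    return hunks

def verdict(hunks):
    """failed: some hunk did not apply (patch leaves a .rej file).
    review: all applied, but a fuzzed hunk matched on fewer context lines,
    which on a grsecurity-modified tree can mean it landed in the wrong
    place and must be read by hand.  clean: offsets only, code merely moved."""
    if any(not h.ok for h in hunks):
        return "failed"
    if any(h.fuzz for h in hunks):
        return "review"
    return "clean"

# Constructed samples: the two clean runs quoted in this thread, then a
# made-up fuzzed run and a made-up failure the thread itself never hit.
SAMPLE_CLEAN = """patching file include/linux/mm.h
Hunk #1 succeeded at 2131 (offset 19 lines).
patching file mm/gup.c
Hunk #3 succeeded at 357 (offset -5 lines).
"""
SAMPLE_FUZZ = "patching file mm/gup.c\nHunk #2 succeeded at 103 with fuzz 2 (offset 1 line).\n"
SAMPLE_FAIL = "patching file mm/gup.c\nHunk #2 FAILED at 92.\n"
```

Run it as `patch --dry-run -p1 < dirtycow.patch 2>&1 | python3 -c 'import sys, check; print(check.verdict(check.parse_patch_output(sys.stdin.read())))'` before touching the tree, and only apply for real on `clean`.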
Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
On Tue, Oct 25, 2016 at 07:38:01PM +0200, Miroslav Rovis wrote:
> Sorry about noticing your reply only now.
>
> Namely, thinking that people over at hardened ML would tell more about
> it, I indirectly initiated a thread over at hardened ML:
> https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e
>
> Will surely check it! And am CC'ing hardened about this patch at the
> hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
> ---
> Only now looked at the patch.
>
> No, you don't get it. And I'm not CC'ing this to hardened ML.
>
> You can't just run the patch for a vanilla kernel onto a
> grsecurity-patched kernel. Look up the hardened-sources, and how they
> are patched, and what the mm.h and the gup.c in question (there are a
> few of so named files in various directories) look in the
> hardened-sources, and how they look in the vanilla-sources...

fernan@navi /usr/src/linux-4.4.8-hardened-r1 $ sudo patch -p1 < /home/fernan/dirtycow.patch
patching file include/linux/mm.h
Hunk #1 succeeded at 2131 (offset 19 lines).
patching file mm/gup.c
Hunk #3 succeeded at 357 (offset -5 lines).

It works so I guess you can. Never say you can't do something before
trying cause then you look like an idiot.

And the patch says which are the files in question!

> If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
> sent me the Linus's patch.

Yes you are mistaken, cause if you've tried it you wouldn't be asking
the question. And yes, that is Linus's patch.

> No, wrong. But thanks for trying to help!
> On 161025-13:16-0400, Fernando Rodriguez wrote:
> > On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> > > On 161021-11:04-0400, Rich Freeman wrote:
> > > > On Fri, Oct 21, 2016 at 10:49 AM, Mick wrote:
> > > > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > > >
> > > > Not yet:
> > > > https://bugs.gentoo.org/show_bug.cgi?id=597624
> > > >
> > >
> > > We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> > > the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
> > >
> > > I read most of the discussion, and I could easily patch the gup.c and
> > > mm.h in question, but those files need to be patched before application
> > > of the grsecurity patch, and that is a little more complex work.
> >
> > Did you try it?
> > The patch attached comes straight from the git repo, just run:
> >
> > # cd /usr/src/linux
> > # patch -p1 < path/to/patch
> >
> > It'll likely work.
> >
> > > Has anybody done this, as I have limited time available to practice user
> > > patching (which in its simplest form, I was able to do here: >=dev-libs/nss-3.24 - Add USE flag to enable SSL key
> > > https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> > > done with user patching, of course.
> > >
> > > Anyone?
> > >
> > > Regards!
> > > ---
> > > [*] kind of stable, because there are, since about 1 year ago, only
> > > testing kernels available for the non-paying users ;-(
> > >
> > > [**] I have to use 4.4.8-r1 because recent kernels all crash with libvirt
> > > and qemu which I am trying to use:
> > > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > > --
> > > Miroslav Rovis
> > > Zagreb, Croatia
> > > http://www.CroatiaFidelis.hr
> >
> > --
> > Fernando Rodriguez
> > commit 1294d355881cc5c3421d24fee512f16974addb6c
> > Author: Linus Torvalds
> > Date: Thu Oct 13 13:07:36 2016 -0700
> >
> > mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
> > ...
>
> Thanks for trying to help! Regards!
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr

--
Fernando Rodriguez
Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
Sorry about noticing your reply only now.

Namely, thinking that people over at hardened ML would tell more about
it, I indirectly initiated a thread over at hardened ML:
https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e

Will surely check it! And am CC'ing hardened about this patch at the
hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
---
Only now looked at the patch.

No, you don't get it. And I'm not CC'ing this to hardened ML.

You can't just run the patch for a vanilla kernel onto a
grsecurity-patched kernel. Look up the hardened-sources, and how they
are patched, and what the mm.h and the gup.c in question (there are a
few of so named files in various directories) look in the
hardened-sources, and how they look in the vanilla-sources...

If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
sent me the Linus's patch.

No, wrong. But thanks for trying to help!

On 161025-13:16-0400, Fernando Rodriguez wrote:
> On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> > On 161021-11:04-0400, Rich Freeman wrote:
> > > On Fri, Oct 21, 2016 at 10:49 AM, Mick wrote:
> > > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > >
> > > Not yet:
> > > https://bugs.gentoo.org/show_bug.cgi?id=597624
> > >
> >
> > We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> > the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
> >
> > I read most of the discussion, and I could easily patch the gup.c and
> > mm.h in question, but those files need to be patched before application
> > of the grsecurity patch, and that is a little more complex work.
>
> Did you try it?
> The patch attached comes straight from the git repo, just run:
>
> # cd /usr/src/linux
> # patch -p1 < path/to/patch
>
> It'll likely work.
>
> > Has anybody done this, as I have limited time available to practice user
> > patching (which in its simplest form, I was able to do here: >=dev-libs/nss-3.24 - Add USE flag to enable SSL key
> > https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> > done with user patching, of course.
> >
> > Anyone?
> >
> > Regards!
> > ---
> > [*] kind of stable, because there are, since about 1 year ago, only
> > testing kernels available for the non-paying users ;-(
> >
> > [**] I have to use 4.4.8-r1 because recent kernels all crash with libvirt
> > and qemu which I am trying to use:
> > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > --
> > Miroslav Rovis
> > Zagreb, Croatia
> > http://www.CroatiaFidelis.hr
>
> --
> Fernando Rodriguez
> commit 1294d355881cc5c3421d24fee512f16974addb6c
> Author: Linus Torvalds
> Date: Thu Oct 13 13:07:36 2016 -0700
>
> mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
> ...

Thanks for trying to help! Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> On 161021-11:04-0400, Rich Freeman wrote:
> > On Fri, Oct 21, 2016 at 10:49 AM, Mick wrote:
> > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> >
> > Not yet:
> > https://bugs.gentoo.org/show_bug.cgi?id=597624
> >
>
> We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
>
> I read most of the discussion, and I could easily patch the gup.c and
> mm.h in question, but those files need to be patched before application
> of the grsecurity patch, and that is a little more complex work.

Did you try it?
The patch attached comes straight from the git repo, just run:

# cd /usr/src/linux
# patch -p1 < path/to/patch

It'll likely work.

> Has anybody done this, as I have limited time available to practice user
> patching (which in its simplest form, I was able to do here: >=dev-libs/nss-3.24 - Add USE flag to enable SSL key
> https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> done with user patching, of course.
>
> Anyone?
>
> Regards!
> ---
> [*] kind of stable, because there are, since about 1 year ago, only
> testing kernels available for the non-paying users ;-(
>
> [**] I have to use 4.4.8-r1 because recent kernels all crash with libvirt
> and qemu which I am trying to use:
> https://bugs.gentoo.org/show_bug.cgi?id=597554
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr

--
Fernando Rodriguez

commit 1294d355881cc5c3421d24fee512f16974addb6c
Author: Linus Torvalds
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

    commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself. Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger. To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid. Reported-and-tested-by: Phil "not Paul" Oester Acked-by: Hugh Dickins Reviewed-by: Michal Hocko Cc: Andy Lutomirski Cc: Kees Cook Cc: Oleg Nesterov Cc: Willy Tarreau Cc: Nick Piggin Cc: Greg Thelen Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman diff --git a/include/linux/mm.h b/include/linux/mm.h index cfebb74..f0ffa01 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */ #define FOLL_MLOCK 0x1000 /* lock present pages */ +#define FOLL_COW 0x4000 /* internal GUP flag */ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, void *data); diff --git a/mm/gup.c b/mm/gup.c index deafa2c..4b0b7e7 100644 --- a/mm/gup.c +++ b/mm/gup.c 
@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address, return -EEXIST; } +/* + * FOLL_FORCE can write to even unwritable pte's, but only + * after we've gone through a COW cycle and they are dirty. + */ +static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) +{ + return pte_write(pte) || + ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); +} + static struct page *follow_page_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, unsigned int flags) { @@ -92,7 +102,7 @@ retry: } if ((flags & FOLL_NUMA) && pte_protnone(pte)) goto no_page; - if ((flags & FOLL_WRITE) && !pte_write(pte)) { + if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) { pte_unmap_unlock(ptep, ptl); return NULL; } @@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, *
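Review bot: in the include/linux/mm.h hunk the new `#define FOLL_COW 0x4000 /* internal GUP flag */` jumps straight from the existing 0x1000 (FOLL_MLOCK) to 0x4000, leaving 0x2000 unused in this 4.4 backport, and the comment does not say what "internal" means in practice. Suggest extending the comment to state that the gap is deliberate (to keep the value identical to upstream) and that callers of get_user_pages() must never pass the flag in, since gup.c is the only place that sets and consumes it.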
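Review bot: the new can_follow_write_pte() in mm/gup.c lets a FOLL_FORCE write through a read-only pte only when FOLL_COW is set and pte_dirty(pte) is true, so the whole fix rests on the dirty bit being trustworthy. The commit message notes that s390 only gained software dirty bits with abf09bed3cce in v3.9 and that older kernels must look at the page state instead; that dependency is invisible to someone reading gup.c alone, so the comment above the helper should mention it, and anyone backporting further than 4.4 needs to check it before taking this hunk.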
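Review bot: the quoted patch stops at the header of the faultin_page() hunk (`@@ -352,7 +362,7 @@`), so the part that is supposed to set FOLL_COW after a COW fault is not visible in this mail, and none of the hunks that are visible set the flag; the visible portion on its own is therefore incomplete, and can_follow_write_pte() could never return true for a read-only pte. Anyone applying it should take the full commit (19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream) and confirm that every hunk of mm/gup.c applied, which the "Hunk #3 succeeded at 357 (offset -5 lines)" lines quoted in the thread do indicate for the two runs shown.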
Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
On 161021-11:04-0400, Rich Freeman wrote:
> On Fri, Oct 21, 2016 at 10:49 AM, Mick wrote:
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
>
> Not yet:
> https://bugs.gentoo.org/show_bug.cgi?id=597624
>

We are talking grsecurity-patched (kind of stable[*]) kernel sources,
the =sys-kernel/hardened-sources-4.4.8-r1 package [**].

I read most of the discussion, and I could easily patch the gup.c and
mm.h in question, but those files need to be patched before application
of the grsecurity patch, and that is a little more complex work.

Has anybody done this, as I have limited time available to practice user
patching (which in its simplest form, I was able to do here: >=dev-libs/nss-3.24 - Add USE flag to enable SSL key
https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
done with user patching, of course.

Anyone?

Regards!
---
[*] kind of stable, because there are, since about 1 year ago, only
testing kernels available for the non-paying users ;-(

[**] I have to use 4.4.8-r1 because recent kernels all crash with libvirt
and qemu which I am trying to use:
https://bugs.gentoo.org/show_bug.cgi?id=597554
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr