aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-10-22 00:24:51 -0400
committerMark H Weaver <mhw@netris.org>2016-10-22 00:30:38 -0400
commita861665b75cb0e727204370aaa43d373ecec3a5a (patch)
treebd1c03cb8b96d450816e78ce537c38e897e2ec44
parent64de7d1ceb863ad5cebd6ea266de704eac7dea7d (diff)
downloadpatches-a861665b75cb0e727204370aaa43d373ecec3a5a.tar
patches-a861665b75cb0e727204370aaa43d373ecec3a5a.tar.gz
gnu: linux-libre@4.1: Add fix for CVE-2016-5195.
* gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (linux-libre-4.1): Add patch.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/linux.scm5
-rw-r--r--gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch99
3 files changed, 104 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index c6cd5869d2..cfd44803f3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -680,6 +680,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxv-CVE-2016-5407.patch \
%D%/packages/patches/libxvmc-CVE-2016-7953.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
+ %D%/packages/patches/linux-libre-4.1-CVE-2016-5195.patch \
%D%/packages/patches/lirc-localstatedir.patch \
%D%/packages/patches/llvm-for-extempore.patch \
%D%/packages/patches/lm-sensors-hwmon-attrs.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4c64bbe1db..f5f683dd69 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -339,7 +339,10 @@ It has been modified to remove all non-free binary blobs.")
(make-linux-libre "4.1.34"
"0dajsb363p9lgga22ml8gp9k9lxd8mvrzxk9y3h9c6hpzfcmqdqr"
%intel-compatible-systems
- #:configuration-file kernel-config))
+ #:configuration-file kernel-config
+ #:patches (list %boot-logo-patch
+ (search-patch
+ "linux-libre-4.1-CVE-2016-5195.patch"))))
;; Avoid rebuilding kernel variants when there is a minor version bump.
(define %linux-libre-version "4.8.3")
diff --git a/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch
new file mode 100644
index 0000000000..37a41f61e4
--- /dev/null
+++ b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch
@@ -0,0 +1,99 @@
+Fix CVE-2016-5195, a.k.a. Dirty COW.
+Backported to linux-libre-4.1.x by Mark H Weaver <mhw@netris.org>.
+
+From 18652320ea99913c95e7130d654be7f1da6b694f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 13 Oct 2016 13:07:36 -0700
+Subject: [PATCH] mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
+
+commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
+
+This is an ancient bug that was actually attempted to be fixed once
+(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
+get_user_pages() race for write access") but that was then undone due to
+problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
+
+In the meantime, the s390 situation has long been fixed, and we can now
+fix it by checking the pte_dirty() bit properly (and do it better). The
+s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
+software dirty bits") which made it into v3.9. Earlier kernels will
+have to look at the page state itself.
+
+Also, the VM has become more scalable, and what used a purely
+theoretical race back then has become easier to trigger.
+
+To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
+we already did a COW" rather than play racy games with FOLL_WRITE that
+is very fundamental, and then use the pte dirty flag to validate that
+the FOLL_COW flag is still valid.
+
+Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Reviewed-by: Michal Hocko <mhocko@suse.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Nick Piggin <npiggin@gmail.com>
+Cc: Greg Thelen <gthelen@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mm.h | 1 +
+ mm/gup.c | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 6b85ec6..7cadf0a 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2064,6 +2064,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
+ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
+ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
+ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
++#define FOLL_COW 0x4000 /* internal GUP flag */
+
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+diff --git a/mm/gup.c b/mm/gup.c
+index 6297f6b..e6de9e7 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -32,6 +32,16 @@ static struct page *no_page_table(struct vm_area_struct *vma,
+ return NULL;
+ }
+
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++ return pte_write(pte) ||
++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ static struct page *follow_page_pte(struct vm_area_struct *vma,
+ unsigned long address, pmd_t *pmd, unsigned int flags)
+ {
+@@ -66,7 +76,7 @@ retry:
+ }
+ if ((flags & FOLL_NUMA) && pte_protnone(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
+ pte_unmap_unlock(ptep, ptl);
+ return NULL;
+ }
+@@ -315,7 +325,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
+ * reCOWed by userspace write).
+ */
+ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
+- *flags &= ~FOLL_WRITE;
++ *flags |= FOLL_COW;
+ return 0;
+ }
+
+--
+2.10.1
+