diff options
author | Mark H Weaver <mhw@netris.org> | 2016-10-22 00:24:51 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2016-10-22 00:30:38 -0400 |
commit | a861665b75cb0e727204370aaa43d373ecec3a5a (patch) | |
tree | bd1c03cb8b96d450816e78ce537c38e897e2ec44 | |
parent | 64de7d1ceb863ad5cebd6ea266de704eac7dea7d (diff) | |
download | patches-a861665b75cb0e727204370aaa43d373ecec3a5a.tar patches-a861665b75cb0e727204370aaa43d373ecec3a5a.tar.gz |
gnu: linux-libre@4.1: Add fix for CVE-2016-5195.
* gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/linux.scm (linux-libre-4.1): Add patch.
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/linux.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch | 99 |
3 files changed, 104 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index c6cd5869d2..cfd44803f3 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -680,6 +680,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxv-CVE-2016-5407.patch \ %D%/packages/patches/libxvmc-CVE-2016-7953.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ + %D%/packages/patches/linux-libre-4.1-CVE-2016-5195.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/llvm-for-extempore.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4c64bbe1db..f5f683dd69 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -339,7 +339,10 @@ It has been modified to remove all non-free binary blobs.") (make-linux-libre "4.1.34" "0dajsb363p9lgga22ml8gp9k9lxd8mvrzxk9y3h9c6hpzfcmqdqr" %intel-compatible-systems - #:configuration-file kernel-config)) + #:configuration-file kernel-config + #:patches (list %boot-logo-patch + (search-patch + "linux-libre-4.1-CVE-2016-5195.patch")))) ;; Avoid rebuilding kernel variants when there is a minor version bump. (define %linux-libre-version "4.8.3") diff --git a/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch new file mode 100644 index 0000000000..37a41f61e4 --- /dev/null +++ b/gnu/packages/patches/linux-libre-4.1-CVE-2016-5195.patch @@ -0,0 +1,99 @@ +Fix CVE-2016-5195, a.k.a. Dirty COW. +Backported to linux-libre-4.1.x by Mark H Weaver <mhw@netris.org>. + +From 18652320ea99913c95e7130d654be7f1da6b694f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Thu, 13 Oct 2016 13:07:36 -0700 +Subject: [PATCH] mm: remove gup_flags FOLL_WRITE games from __get_user_pages() + +commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. + +This is an ancient bug that was actually attempted to be fixed once +(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix +get_user_pages() race for write access") but that was then undone due to +problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). + +In the meantime, the s390 situation has long been fixed, and we can now +fix it by checking the pte_dirty() bit properly (and do it better). The +s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement +software dirty bits") which made it into v3.9. Earlier kernels will +have to look at the page state itself. + +Also, the VM has become more scalable, and what used a purely +theoretical race back then has become easier to trigger. + +To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, +we already did a COW" rather than play racy games with FOLL_WRITE that +is very fundamental, and then use the pte dirty flag to validate that +the FOLL_COW flag is still valid. + +Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com> +Acked-by: Hugh Dickins <hughd@google.com> +Reviewed-by: Michal Hocko <mhocko@suse.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Kees Cook <keescook@chromium.org> +Cc: Oleg Nesterov <oleg@redhat.com> +Cc: Willy Tarreau <w@1wt.eu> +Cc: Nick Piggin <npiggin@gmail.com> +Cc: Greg Thelen <gthelen@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/mm.h | 1 + + mm/gup.c | 14 ++++++++++++-- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 6b85ec6..7cadf0a 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -2064,6 +2064,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, + #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ + #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ + #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */ ++#define FOLL_COW 0x4000 /* internal GUP flag */ + + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, + void *data); +diff --git a/mm/gup.c b/mm/gup.c +index 6297f6b..e6de9e7 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -32,6 +32,16 @@ static struct page *no_page_table(struct vm_area_struct *vma, + return NULL; + } + ++/* ++ * FOLL_FORCE can write to even unwritable pte's, but only ++ * after we've gone through a COW cycle and they are dirty. ++ */ ++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) ++{ ++ return pte_write(pte) || ++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); ++} ++ + static struct page *follow_page_pte(struct vm_area_struct *vma, + unsigned long address, pmd_t *pmd, unsigned int flags) + { +@@ -66,7 +76,7 @@ retry: + } + if ((flags & FOLL_NUMA) && pte_protnone(pte)) + goto no_page; +- if ((flags & FOLL_WRITE) && !pte_write(pte)) { ++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) { + pte_unmap_unlock(ptep, ptl); + return NULL; + } +@@ -315,7 +325,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, + * reCOWed by userspace write). + */ + if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) +- *flags &= ~FOLL_WRITE; ++ *flags |= FOLL_COW; + return 0; + } + +-- +2.10.1 + |