authorJustin M. Forbes <jforbes@fedoraproject.org>2020-06-04 12:29:28 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2020-06-04 12:29:28 -0500
commit22d13b8a2162a7a8fb3caf0e08ec00414c044906 (patch)
tree969b4533d1bf767050c6d9afd2ac13c8e7385f37
parentf3c97b210459be0178586445ea7762ca1e7da09a (diff)
Fix CVE-2020-10757 (rhbz 1842525 184388)
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--kernel.spec8
-rw-r--r--mm-fix-mremap-not-considering-huge-pmd-devmap.patch79
2 files changed, 86 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec
index 0b22db525..d50056bc8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -921,6 +921,9 @@ Patch519: vboxguest-fixes.patch
# rhbz 1830150
Patch520: 0001-platform-x86-sony-laptop-SNC-calls-should-handle-BUF.patch
+# CVE-2020-10757 rhbz 1842525 1843883
+Patch521: mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+
# END OF PATCH DEFINITIONS
%endif
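Review bot: The Bugzilla ids in the added comment (`# CVE-2020-10757 rhbz 1842525 1843883`) do not match the %changelog entry this commit adds further down, which reads `rhbz 1842525 184388`. The six-digit id looks like a truncation of 1843883, though the page alone cannot confirm which one is right. The changelog ships in the RPM and is what people search to check whether a build carries a CVE fix, so the entry should probably read `- Fix CVE-2020-10757 (rhbz 1842525 1843883)`. The commit subject carries the same short id.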
@@ -3017,7 +3020,10 @@ fi
#
#
%changelog
-* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-300
+* Thu Jun 04 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-300
+- Fix CVE-2020-10757 (rhbz 1842525 184388)
+
+* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org>
- Linux v5.6.16
* Thu May 28 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.15-300
diff --git a/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 000000000..328154df9
--- /dev/null
+++ b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
@@ -0,0 +1,79 @@
+From MAILER-DAEMON Thu Jun 4 17:23:35 2020
+From: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Subject: [PATCH v3] mm: Fix mremap not considering huge pmd devmap
+Message-Id: <FB4049FE-AC4A-4B13-B39D-B96393EFCCB8@sjtu.edu.cn>
+Date: Thu, 04 Jun 2020 18:22:07 +0800
+Cc: "Williams, Dan J" <dan.j.williams@intel.com>, "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Linus Torvalds <torvalds@linux-foundation.org>
+To: linux-kernel@vger.kernel.org
+Sender: linux-kernel-owner@vger.kernel.org
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but
+it is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This
+commit changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc: <stable@vger.kernel.org>
+Reported-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Signed-off-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+---
+
+Changelog v2->v3:
+- Added "Acked-by: Kirill..."
+
+Changelog v1->v2:
+- Removed some paragraph in commit msg, removed the comment in
+ mm/mremap.c, and added a NOTE in where pmd_trans_huge is defined.
+- Added "Reviewed-by: Dan..."
+- Added "Fixes: 5c7fb56e5e3f..."
+- Added "Cc: <stable@vger.kernel.org>"
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 4d02e64af1b3..19cdeebfbde6 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -257,6 +257,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 6aa6ea605068..57b1f999f789 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
+--
+2.25.4
+
+
+
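Review bot: The imported file is the v3 mailing-list posting, with the mbox header and the `Changelog v2->v3` block carried along, so nothing ties Patch521 to the commit that eventually lands upstream. A comment beside the Patch521 line such as `# upstream commit <UPSTREAM_COMMIT_ID>` (placeholder, to be filled in once merged) would let a later rebase confirm the fix is present before dropping the patch. In the mm/mremap.c hunk the added `pmd_devmap(*old_pmd)` test covers only this one check in move_page_tables(), whose body continues outside the hunk. The NOTE added above pmd_trans_huge() sits only in arch/x86/include/asm/pgtable.h and implies other callers can make the same omission, so an audit of the remaining `pmd_trans_huge()` checks that lack a `pmd_devmap()` or `pmd_large()` companion is worth tracking alongside this backport.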