author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-06-04 12:29:28 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-06-04 12:29:28 -0500 |
commit | 22d13b8a2162a7a8fb3caf0e08ec00414c044906 (patch) | |
tree | 969b4533d1bf767050c6d9afd2ac13c8e7385f37 | |
parent | f3c97b210459be0178586445ea7762ca1e7da09a (diff) | |
Fix CVE-2020-10757 (rhbz 1842525 184388)
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | mm-fix-mremap-not-considering-huge-pmd-devmap.patch | 79 |
2 files changed, 86 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec
index 0b22db525..d50056bc8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -921,6 +921,9 @@ Patch519: vboxguest-fixes.patch
 # rhbz 1830150
 Patch520: 0001-platform-x86-sony-laptop-SNC-calls-should-handle-BUF.patch
+# CVE-2020-10757 rhbz 1842525 1843883
+Patch521: mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -3017,7 +3020,10 @@ fi
 #
 #
 %changelog
-* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-300
+* Thu Jun 04 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-300
+- Fix CVE-2020-10757 (rhbz 1842525 184388)
+
+* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org>
 - Linux v5.6.16
 * Thu May 28 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.15-300
diff --git a/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 000000000..328154df9
--- /dev/null
+++ b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
@@ -0,0 +1,79 @@
+From MAILER-DAEMON Thu Jun 4 17:23:35 2020
+From: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Subject: [PATCH v3] mm: Fix mremap not considering huge pmd devmap
+Message-Id: <FB4049FE-AC4A-4B13-B39D-B96393EFCCB8@sjtu.edu.cn>
+Date: Thu, 04 Jun 2020 18:22:07 +0800
+Cc: "Williams, Dan J" <dan.j.williams@intel.com>, "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Linus Torvalds <torvalds@linux-foundation.org>
+To: linux-kernel@vger.kernel.org
+Sender: linux-kernel-owner@vger.kernel.org
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but
+it is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This
+commit changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc: <stable@vger.kernel.org>
+Reported-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Signed-off-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+---
+
+Changelog v2->v3:
+- Added "Acked-by: Kirill..."
+
+Changelog v1->v2:
+- Removed some paragraph in commit msg, removed the comment in
+ mm/mremap.c, and added a NOTE in where pmd_trans_huge is defined.
+- Added "Reviewed-by: Dan..."
+- Added "Fixes: 5c7fb56e5e3f..."
+- Added "Cc: <stable@vger.kernel.org>"
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 4d02e64af1b3..19cdeebfbde6 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -257,6 +257,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 6aa6ea605068..57b1f999f789 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
+--
+2.25.4
+
+
+
|
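Review bot: The NOTE added above pmd_trans_huge() in arch/x86/include/asm/pgtable.h is hard to parse and does not say why it matters; since the function returns true only when _PAGE_PSE is set and _PAGE_DEVMAP is clear, I would word it as `/* NOTE: false for devmap huge pmds; to test for any huge pmd also check pmd_devmap(), or use pmd_large() */`. The comment sits only in the x86 header, so other callers that test pmd_trans_huge() alone are presumably still relying on review to catch the same omission. In mm/mremap.c the branch body continues outside the hunk, so how a devmap pmd with extent != HPAGE_PMD_SIZE is handled after the new condition cannot be confirmed from here. The file is carried from the list posting (`[PATCH v3]`, `From MAILER-DAEMON`) with no upstream commit id, so a spec comment naming the upstream commit once it is merged would make it clear when Patch521 can be dropped.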