author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-06-04 12:29:58 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-06-04 12:29:58 -0500 |
commit | 11b2bd1547ebe4cfd307c8e5836a9824bd35ed89 (patch) | |
tree | ecf675a3fa60241838f362a0eb71190be4341d0e | |
parent | 7af45b5b25ace7c56fbea8d2b2569e99f2365cf8 (diff) | |
Fix CVE-2020-10757 (rhbz 1842525 184388)
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | mm-fix-mremap-not-considering-huge-pmd-devmap.patch | 79 |
2 files changed, 86 insertions, 1 deletions
diff --git a/kernel.spec b/kernel.spec
index 72afe9b45..1bb368415 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -914,6 +914,9 @@ Patch519: vboxguest-fixes.patch
 # rhbz 1830150
 Patch520: 0001-platform-x86-sony-laptop-SNC-calls-should-handle-BUF.patch
+# CVE-2020-10757 rhbz 1842525 1843883
+Patch521: mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2944,7 +2947,10 @@ fi
 #
 #
 %changelog
-* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-200
+* Thu Jun 04 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.16-200
+- Fix CVE-2020-10757 (rhbz 1842525 184388)
+
+* Wed Jun 03 2020 Justin M. Forbes <jforbes@fedoraproject.org>
 - Linux v5.6.16
 * Thu May 28 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.15-200
diff --git a/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 000000000..328154df9
--- /dev/null
+++ b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
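Review bot: The bug references disagree between the two `kernel.spec` hunks: the comment above `Patch521` lists `rhbz 1842525 1843883`, while the new `%changelog` entry (and the commit subject) says `rhbz 1842525 184388`. One of the two has lost or gained a digit; the six-digit form is probably the typo, but that should be confirmed against the tracker rather than assumed. If so, the changelog line should read `- Fix CVE-2020-10757 (rhbz 1842525 1843883)`, so the CVE fix can be found from either bug number.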
@@ -0,0 +1,79 @@
+From MAILER-DAEMON Thu Jun 4 17:23:35 2020
+From: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Subject: [PATCH v3] mm: Fix mremap not considering huge pmd devmap
+Message-Id: <FB4049FE-AC4A-4B13-B39D-B96393EFCCB8@sjtu.edu.cn>
+Date: Thu, 04 Jun 2020 18:22:07 +0800
+Cc: "Williams, Dan J" <dan.j.williams@intel.com>, "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>, Linus Torvalds <torvalds@linux-foundation.org>
+To: linux-kernel@vger.kernel.org
+Sender: linux-kernel-owner@vger.kernel.org
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but
+it is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This
+commit changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc: <stable@vger.kernel.org>
+Reported-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Signed-off-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
+Tested-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+---
+
+Changelog v2->v3:
+- Added "Acked-by: Kirill..."
+
+Changelog v1->v2:
+- Removed some paragraph in commit msg, removed the comment in
+ mm/mremap.c, and added a NOTE in where pmd_trans_huge is defined.
+- Added "Reviewed-by: Dan..."
+- Added "Fixes: 5c7fb56e5e3f..."
+- Added "Cc: <stable@vger.kernel.org>"
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 4d02e64af1b3..19cdeebfbde6 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -257,6 +257,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 6aa6ea605068..57b1f999f789 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
+--
+2.25.4
+
+
+
|
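Review bot: The new `pmd_devmap(*old_pmd)` test in the `mm/mremap.c` hunk has no comment at the call site, and the v1->v2 changelog says the one that was there was removed, so the reason survives only in the commit message and in the x86-only NOTE added to `arch/x86/include/asm/pgtable.h`. `pmd_trans_huge()` as shown is true only when `_PAGE_PSE` is set and `_PAGE_DEVMAP` is clear, so a DAX devmap huge pmd previously skipped this branch; what the fall-through path then does with it is outside the hunk, presumably the per-PTE move. I would add above the condition `/* devmap huge pmds are not pmd_trans_huge(); treat them as huge here too */`, and reword the header note to `/* NOTE: pmd_trans_huge() is false for devmap pmds; to test for any huge pmd also check pmd_devmap(), or use pmd_large() */`. `move_page_tables` starts and ends outside the hunk.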