From 22d13b8a2162a7a8fb3caf0e08ec00414c044906 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Thu, 4 Jun 2020 12:29:28 -0500
Subject: Fix CVE-2020-10757 (rhbz 1842525 184388)
Signed-off-by: Justin M. Forbes
---
 kernel.spec | 8 ++-
 ...ix-mremap-not-considering-huge-pmd-devmap.patch | 79 ++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 mm-fix-mremap-not-considering-huge-pmd-devmap.patch
diff --git a/kernel.spec b/kernel.spec
index 0b22db525..d50056bc8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -921,6 +921,9 @@ Patch519: vboxguest-fixes.patch
 # rhbz 1830150
 Patch520: 0001-platform-x86-sony-laptop-SNC-calls-should-handle-BUF.patch
+# CVE-2020-10757 rhbz 1842525 1843883
+Patch521: mm-fix-mremap-not-considering-huge-pmd-devmap.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -3017,7 +3020,10 @@ fi
 #
 #
 %changelog
-* Wed Jun 03 2020 Justin M. Forbes - 5.6.16-300
+* Thu Jun 04 2020 Justin M. Forbes - 5.6.16-300
+- Fix CVE-2020-10757 (rhbz 1842525 184388)
+
+* Wed Jun 03 2020 Justin M. Forbes
 - Linux v5.6.16
 * Thu May 28 2020 Justin M. Forbes - 5.6.15-300
diff --git a/mm-fix-mremap-not-considering-huge-pmd-devmap.patch b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
new file mode 100644
index 000000000..328154df9
--- /dev/null
+++ b/mm-fix-mremap-not-considering-huge-pmd-devmap.patch
@@ -0,0 +1,79 @@
+From MAILER-DAEMON Thu Jun 4 17:23:35 2020
+From: Fan Yang
+Subject: [PATCH v3] mm: Fix mremap not considering huge pmd devmap
+Message-Id:
+Date: Thu, 04 Jun 2020 18:22:07 +0800
+Cc: "Williams, Dan J" , "Kirill A. Shutemov" , Linus Torvalds
+To: linux-kernel@vger.kernel.org
+Sender: linux-kernel-owner@vger.kernel.org
+List-ID:
+X-Mailing-List: linux-kernel@vger.kernel.org
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The original code in mm/mremap.c checks huge pmd by:
+
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+
+However, a DAX mapped nvdimm is mapped as huge page (by default) but
+it is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This
+commit changes the condition to include the case.
+
+This addresses CVE-2020-10757.
+
+Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
+Cc:
+Reported-by: Fan Yang
+Signed-off-by: Fan Yang
+Tested-by: Fan Yang
+Tested-by: Dan Williams
+Reviewed-by: Dan Williams
+Acked-by: Kirill A. Shutemov
+
+---
+
+Changelog v2->v3:
+- Added "Acked-by: Kirill..."
+
+Changelog v1->v2:
+- Removed some paragraph in commit msg, removed the comment in
+ mm/mremap.c, and added a NOTE in where pmd_trans_huge is defined.
+- Added "Reviewed-by: Dan..."
+- Added "Fixes: 5c7fb56e5e3f..."
+- Added "Cc: "
+---
+ arch/x86/include/asm/pgtable.h | 1 +
+ mm/mremap.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 4d02e64af1b3..19cdeebfbde6 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -257,6 +257,7 @@ static inline int pmd_large(pmd_t pte)
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
++/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
+ static inline int pmd_trans_huge(pmd_t pmd)
+ {
+ return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 6aa6ea605068..57b1f999f789 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
+ if (!new_pmd)
+ break;
+- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
++ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
+ if (extent == HPAGE_PMD_SIZE) {
+ bool moved;
+ /* See comment in move_ptes() */
+--
+2.25.4
+
+
+
-- cgit
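Review bot: The NOTE added above pmd_trans_huge() in arch/x86/include/asm/pgtable.h does not say why the extra check is needed, and it sits only in the x86 header although the fix itself is in generic mm/mremap.c. The return expression below it gives the reason: a huge pmd that also has _PAGE_DEVMAP set makes pmd_trans_huge() return false, so the comment could read `/* NOTE: false for a devmap (DAX) huge pmd; to test for any huge pmd also check pmd_devmap(), or use pmd_large() */`. Only the condition in move_page_tables() is changed, and that function's body continues outside the hunk; other callers that pair is_swap_pmd() with pmd_trans_huge() alone are not visible here and may deserve the same audit. The spec comment for Patch521 cites rhbz 1843883 while the changelog entry and the commit subject cite 184388, so one of the two bug numbers looks mistyped.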