wok-stable view linux/stuff/linux-CVE-2016-5195.u @ rev 12457

linux: CVE-2016-5195
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri Oct 21 16:31:54 2016 +0200 (2016-10-21)
1 --- linux-2.6.37/include/linux/mm.h
2 +++ linux-2.6.37/include/linux/mm.h
3 @@ -1415,6 +1415,7 @@
4 #define FOLL_GET 0x04 /* do get_page on page */
5 #define FOLL_DUMP 0x08 /* give error on hole if it would be zero */
6 #define FOLL_FORCE 0x10 /* get_user_pages read/write w/o permission */
7 +#define FOLL_COW 0x4000 /* internal GUP flag */
9 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
10 void *data);
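Review bot: The comment on the added `FOLL_COW` define, `/* internal GUP flag */`, does not say what the flag means or who may set it, which matters because in-kernel get_user_pages callers pass gup_flags straight through. I would write it as `#define FOLL_COW 0x4000 /* internal GUP flag: set by __get_user_pages after it breaks COW so follow_page may return a read-only anon pte under FOLL_FORCE; never pass it in from callers */`. The value 0x4000 sits far above the 0x10 flags visible here; presumably it was chosen to match the mainline fix (the commit titled "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()"), and saying so in the commit message would help future rebases of this backport.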
11 --- linux-2.6.37/mm/memory.c
12 +++ linux-2.6.37/mm/memory.c
13 @@ -1225,6 +1225,24 @@
14 }
15 EXPORT_SYMBOL_GPL(zap_vma_ptes);
17 +static inline bool can_follow_write_pte(pte_t pte, struct page *page,
18 + unsigned int flags)
19 +{
20 + if (pte_write(pte))
21 + return true;
22 +
23 + /*
24 + * Make sure that we are really following CoWed page. We do not really
25 + * have to care about exclusiveness of the page because we only want
26 + * to ensure that once COWed page hasn't disappeared in the meantime
27 + * or it hasn't been merged to a KSM page.
28 + */
29 + if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
30 + return page && PageAnon(page) && !PageKsm(page);
31 +
32 + return false;
33 +}
34 +
35 /**
36 * follow_page - look up a page descriptor from a user-virtual address
37 * @vma: vm_area_struct mapping @address
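Review bot: can_follow_write_pte has no header comment stating its contract, and the block comment inside it reads as a note to self rather than a rule a reader can check; I would add above the function `/* May a FOLL_WRITE lookup return the page mapped by @pte? Yes if the pte is writable. Otherwise only on a FOLL_FORCE|FOLL_COW retry, and only if @page is the anon copy installed by the earlier COW break (non-NULL, PageAnon, not merged by KSM); anything else makes the caller fault again. */`. The new `pte_unmap_unlock(ptep, ptl); return NULL;` replacing `goto unlock` gives the same result as before only because `page` was still NULL at that point in the old follow_page; that initialisation is not visible here, so it is worth confirming in follow_page, whose body starts before and ends after this hunk. Passing the result of vm_normal_page as @page also means the zero page (NULL here) is refused for a forced write and re-faulted, which is the intended behaviour.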
38 @@ -1286,10 +1304,13 @@
39 pte = *ptep;
40 if (!pte_present(pte))
41 goto no_page;
42 - if ((flags & FOLL_WRITE) && !pte_write(pte))
43 - goto unlock;
45 page = vm_normal_page(vma, address, pte);
46 + if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
47 + pte_unmap_unlock(ptep, ptl);
48 + return NULL;
49 + }
50 +
51 if (unlikely(!page)) {
52 if ((flags & FOLL_DUMP) ||
53 !is_zero_pfn(pte_pfn(pte)))
54 @@ -1310,7 +1331,7 @@
55 */
56 mark_page_accessed(page);
57 }
58 -unlock:
59 +
60 pte_unmap_unlock(ptep, ptl);
61 out:
62 return page;
63 @@ -1464,17 +1485,13 @@
64 * The VM_FAULT_WRITE bit tells us that
65 * do_wp_page has broken COW when necessary,
66 * even if maybe_mkwrite decided not to set
67 - * pte_write. We can thus safely do subsequent
68 - * page lookups as if they were reads. But only
69 - * do so when looping for pte_write is futile:
70 - * in some cases userspace may also be wanting
71 - * to write to the gotten user page, which a
72 - * read fault here might prevent (a readonly
73 - * page might get reCOWed by userspace write).
74 + * pte_write. We cannot simply drop FOLL_WRITE
75 + * here because the COWed page might be gone by
76 + * the time we do the subsequent page lookups.
77 */
78 if ((ret & VM_FAULT_WRITE) &&
79 !(vma->vm_flags & VM_WRITE))
80 - foll_flags &= ~FOLL_WRITE;
81 + foll_flags |= FOLL_COW;
83 cond_resched();
84 }
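Review bot: The safety of `foll_flags |= FOLL_COW;` depends on foll_flags being re-initialised from gup_flags for every page in the enclosing loop, which is outside this hunk; if the variable were shared across iterations, a COW break on one page would let the next page in the same VMA be handed out through the FOLL_COW path without its own fault. Please confirm that in __get_user_pages, whose body starts and ends outside the hunk. The rewritten comment would also be clearer if it named the race being closed, e.g. `* pte_write. Keep FOLL_WRITE and mark the retry with FOLL_COW: dropping FOLL_WRITE let the private COW copy be discarded between this fault and the next lookup, after which a read lookup returned the original read-only page for writing (CVE-2016-5195).`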