wok-6.x annotate linux/stuff/linux-CVE-2016-5195.u @ rev 19458

linux: CVE-2016-5195
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri Oct 21 17:33:56 2016 +0200 (2016-10-21)
parents
children
pascal@19458 1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
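--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1611,6 +1611,7 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address,
 #define FOLL_MLOCK 0x40 /* mark page as mlocked */
 #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */
 #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
+#define FOLL_COW 0x4000 /* internal GUP flag */
 
 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
 void *data);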
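Review bot: The comment on the new FOLL_COW define says only `internal GUP flag`, which does not tell a reader who sets it or what it means when follow_page sees it. The mm/memory.c part of this patch sets it in __get_user_pages only after a write fault has reported VM_FAULT_WRITE on a non-VM_WRITE vma, and follow_page honours it only together with FOLL_FORCE, so a comment such as `/* internal GUP flag: set by __get_user_pages once a write fault has broken COW; only honoured with FOLL_FORCE */` would make that handshake visible at the definition. The value 0x4000 is well above the highest FOLL_ bit visible in this hunk (0x100); whether it is free of other FOLL_ bits defined outside the hunk cannot be confirmed from here.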
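diff --git a/mm/memory.c b/mm/memory.c
index 675b211296fd..2917e9b2e4d4 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1427,6 +1427,24 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
 }
 EXPORT_SYMBOL_GPL(zap_vma_ptes);
 
+static inline bool can_follow_write_pte(pte_t pte, struct page *page,
+ unsigned int flags)
+{
+ if (pte_write(pte))
+ return true;
+
+ /*
+ * Make sure that we are really following CoWed page. We do not really
+ * have to care about exclusiveness of the page because we only want
+ * to ensure that once COWed page hasn't disappeared in the meantime
+ * or it hasn't been merged to a KSM page.
+ */
+ if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
+ return page && PageAnon(page) && !PageKsm(page);
+
+ return false;
+}
+
 /**
 * follow_page - look up a page descriptor from a user-virtual address
 * @vma: vm_area_struct mapping @address
@@ -1509,10 +1527,13 @@ split_fallthrough:
 pte = *ptep;
 if (!pte_present(pte))
 goto no_page;
- if ((flags & FOLL_WRITE) && !pte_write(pte))
- goto unlock;
 
 page = vm_normal_page(vma, address, pte);
+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
+ pte_unmap_unlock(ptep, ptl);
+ return NULL;
+ }
+
 if (unlikely(!page)) {
 if ((flags & FOLL_DUMP) ||
 !is_zero_pfn(pte_pfn(pte)))
@@ -1555,7 +1576,7 @@ split_fallthrough:
 unlock_page(page);
 }
 }
-unlock:
+
 pte_unmap_unlock(ptep, ptl);
 out:
 return page;
@@ -1789,17 +1810,13 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
 * The VM_FAULT_WRITE bit tells us that
 * do_wp_page has broken COW when necessary,
 * even if maybe_mkwrite decided not to set
- * pte_write. We can thus safely do subsequent
- * page lookups as if they were reads. But only
- * do so when looping for pte_write is futile:
- * in some cases userspace may also be wanting
- * to write to the gotten user page, which a
- * read fault here might prevent (a readonly
- * page might get reCOWed by userspace write).
+ * pte_write. We cannot simply drop FOLL_WRITE
+ * here because the COWed page might be gone by
+ * the time we do the subsequent page lookups.
 */
 if ((ret & VM_FAULT_WRITE) &&
 !(vma->vm_flags & VM_WRITE))
- foll_flags &= ~FOLL_WRITE;
+ foll_flags |= FOLL_COW;
 
 cond_resched();
 }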
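Review bot: The new FOLL_COW/FOLL_FORCE test is applied only on the pte path of follow_page (the `split_fallthrough` hunk); if this tree's follow_page also hands back transparent huge pages at the pmd level before reaching `split_fallthrough`, that path still uses the old write test and needs the same check, which is why upstream later added a pmd-level counterpart of can_follow_write_pte. The start of follow_page is outside the hunks, so whether such a pmd path exists in this kernel cannot be confirmed from the patch alone and should be checked against the target tree. Separately, can_follow_write_pte has no header comment; a one-liner such as `/* FOLL_WRITE on a read-only pte is allowed only when __get_user_pages has already broken COW (FOLL_COW) under FOLL_FORCE and the page is still a non-KSM anonymous page */` would make the contract between the helper and the __get_user_pages hunk explicit. The __get_user_pages hunk begins and ends inside that function, whose boundaries are outside the hunk.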