wok-stable rev 12457
linux: CVE-2016-5195
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Fri Oct 21 16:31:54 2016 +0200 (2016-10-21) |
| parents | 798e77f83260 |
| children | 62cd9745716a |
| files | linux/receipt linux/stuff/linux-CVE-2016-5195.u |
line diff
1.1 --- a/linux/receipt Wed Jul 27 13:48:34 2016 +0200 1.2 +++ b/linux/receipt Fri Oct 21 16:31:54 2016 +0200 1.3 @@ -75,6 +75,7 @@ 1.4 003-squashfs-x86-support-xz-compressed-kernel.patch 1.5 004-squashfs-add-xz-compression-support.patch 1.6 005-squashfs-add-xz-compression-configuration-option.patch 1.7 +$PACKAGE-CVE-2016-5195.u 1.8 EOT 1.9 1.10 [ ! -x /usr/bin/cook ] && report step "Make kernel proper and then build lguest"
2.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 2.2 +++ b/linux/stuff/linux-CVE-2016-5195.u Fri Oct 21 16:31:54 2016 +0200 2.3 @@ -0,0 +1,84 @@ 2.4 +--- linux-2.6.37/include/linux/mm.h 2.5 ++++ linux-2.6.37/include/linux/mm.h 2.6 +@@ -1415,6 +1415,7 @@ 2.7 + #define FOLL_GET 0x04 /* do get_page on page */ 2.8 + #define FOLL_DUMP 0x08 /* give error on hole if it would be zero */ 2.9 + #define FOLL_FORCE 0x10 /* get_user_pages read/write w/o permission */ 2.10 ++#define FOLL_COW 0x4000 /* internal GUP flag */ 2.11 + 2.12 + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, 2.13 + void *data); 2.14 +--- linux-2.6.37/mm/memory.c 2.15 ++++ linux-2.6.37/mm/memory.c 2.16 +@@ -1225,6 +1225,24 @@ 2.17 + } 2.18 + EXPORT_SYMBOL_GPL(zap_vma_ptes); 2.19 + 2.20 ++static inline bool can_follow_write_pte(pte_t pte, struct page *page, 2.21 ++ unsigned int flags) 2.22 ++{ 2.23 ++ if (pte_write(pte)) 2.24 ++ return true; 2.25 ++ 2.26 ++ /* 2.27 ++ * Make sure that we are really following CoWed page. We do not really 2.28 ++ * have to care about exclusiveness of the page because we only want 2.29 ++ * to ensure that once COWed page hasn't disappeared in the meantime 2.30 ++ * or it hasn't been merged to a KSM page. 2.31 ++ */ 2.32 ++ if ((flags & FOLL_FORCE) && (flags & FOLL_COW)) 2.33 ++ return page && PageAnon(page) && !PageKsm(page); 2.34 ++ 2.35 ++ return false; 2.36 ++} 2.37 ++ 2.38 + /** 2.39 + * follow_page - look up a page descriptor from a user-virtual address 2.40 + * @vma: vm_area_struct mapping @address 2.41 +@@ -1286,10 +1304,13 @@ 2.42 + pte = *ptep; 2.43 + if (!pte_present(pte)) 2.44 + goto no_page; 2.45 +- if ((flags & FOLL_WRITE) && !pte_write(pte)) 2.46 +- goto unlock; 2.47 + 2.48 + page = vm_normal_page(vma, address, pte); 2.49 ++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) { 2.50 ++ pte_unmap_unlock(ptep, ptl); 2.51 ++ return NULL; 2.52 ++ } 2.53 ++ 2.54 + if (unlikely(!page)) { 2.55 + if ((flags & FOLL_DUMP) || 2.56 + !is_zero_pfn(pte_pfn(pte))) 2.57 +@@ -1310,7 +1331,7 @@ 2.58 + */ 2.59 + mark_page_accessed(page); 2.60 + } 2.61 +-unlock: 2.62 ++ 2.63 + pte_unmap_unlock(ptep, ptl); 2.64 + out: 2.65 + return page; 2.66 +@@ -1464,17 +1485,13 @@ 2.67 + * The VM_FAULT_WRITE bit tells us that 2.68 + * do_wp_page has broken COW when necessary, 2.69 + * even if maybe_mkwrite decided not to set 2.70 +- * pte_write. We can thus safely do subsequent 2.71 +- * page lookups as if they were reads. But only 2.72 +- * do so when looping for pte_write is futile: 2.73 +- * in some cases userspace may also be wanting 2.74 +- * to write to the gotten user page, which a 2.75 +- * read fault here might prevent (a readonly 2.76 +- * page might get reCOWed by userspace write). 2.77 ++ * pte_write. We cannot simply drop FOLL_WRITE 2.78 ++ * here because the COWed page might be gone by 2.79 ++ * the time we do the subsequent page lookups. 2.80 + */ 2.81 + if ((ret & VM_FAULT_WRITE) && 2.82 + !(vma->vm_flags & VM_WRITE)) 2.83 +- foll_flags &= ~FOLL_WRITE; 2.84 ++ foll_flags |= FOLL_COW; 2.85 + 2.86 + cond_resched(); 2.87 + }