wok view linux/stuff/linux-CVE-2016-5195.u @ rev 19823

Up cookutils(887), yandex-disk: up bdeps and rebuild.
author Aleksej Bobylev <al.bobylev@gmail.com>
date Fri Mar 03 02:42:35 2017 +0200 (2017-03-03)
parents
children
line source
1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
2 --- a/include/linux/mm.h
3 +++ b/include/linux/mm.h
4 @@ -1611,6 +1611,7 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address,
5 #define FOLL_MLOCK 0x40 /* mark page as mlocked */
6 #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */
7 #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
8 +#define FOLL_COW 0x4000 /* internal GUP flag */
10 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
11 void *data);
12 diff --git a/mm/memory.c b/mm/memory.c
13 index 675b211296fd..2917e9b2e4d4 100644
14 --- a/mm/memory.c
15 +++ b/mm/memory.c
16 @@ -1427,6 +1427,24 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
17 }
18 EXPORT_SYMBOL_GPL(zap_vma_ptes);
20 +static inline bool can_follow_write_pte(pte_t pte, struct page *page,
21 + unsigned int flags)
22 +{
23 + if (pte_write(pte))
24 + return true;
25 +
26 + /*
27 + * Make sure that we are really following CoWed page. We do not really
28 + * have to care about exclusiveness of the page because we only want
29 + * to ensure that once COWed page hasn't disappeared in the meantime
30 + * or it hasn't been merged to a KSM page.
31 + */
32 + if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
33 + return page && PageAnon(page) && !PageKsm(page);
34 +
35 + return false;
36 +}
37 +
38 /**
39 * follow_page - look up a page descriptor from a user-virtual address
40 * @vma: vm_area_struct mapping @address
41 @@ -1509,10 +1527,13 @@ split_fallthrough:
42 pte = *ptep;
43 if (!pte_present(pte))
44 goto no_page;
45 - if ((flags & FOLL_WRITE) && !pte_write(pte))
46 - goto unlock;
48 page = vm_normal_page(vma, address, pte);
49 + if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
50 + pte_unmap_unlock(ptep, ptl);
51 + return NULL;
52 + }
53 +
54 if (unlikely(!page)) {
55 if ((flags & FOLL_DUMP) ||
56 !is_zero_pfn(pte_pfn(pte)))
57 @@ -1555,7 +1576,7 @@ split_fallthrough:
58 unlock_page(page);
59 }
60 }
61 -unlock:
62 +
63 pte_unmap_unlock(ptep, ptl);
64 out:
65 return page;
66 @@ -1789,17 +1810,13 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
67 * The VM_FAULT_WRITE bit tells us that
68 * do_wp_page has broken COW when necessary,
69 * even if maybe_mkwrite decided not to set
70 - * pte_write. We can thus safely do subsequent
71 - * page lookups as if they were reads. But only
72 - * do so when looping for pte_write is futile:
73 - * in some cases userspace may also be wanting
74 - * to write to the gotten user page, which a
75 - * read fault here might prevent (a readonly
76 - * page might get reCOWed by userspace write).
77 + * pte_write. We cannot simply drop FOLL_WRITE
78 + * here because the COWed page might be gone by
79 + * the time we do the subsequent page lookups.
80 */
81 if ((ret & VM_FAULT_WRITE) &&
82 !(vma->vm_flags & VM_WRITE))
83 - foll_flags &= ~FOLL_WRITE;
84 + foll_flags |= FOLL_COW;
86 cond_resched();
87 }