From patchwork Tue Aug 13 17:02:30 2019
X-Patchwork-Submitter: Connor Kuehl
X-Patchwork-Id: 1146514
From: Connor Kuehl
To: kernel-team@lists.ubuntu.com
Subject: [Pull v2][Xenial][SRU][CVE-2019-11487] Avoid overflowing page reference count
Date: Tue, 13 Aug 2019 10:02:30 -0700
Message-Id: <20190813170230.22451-1-connor.kuehl@canonical.com>

v1 -> v2:
  * Relocated 'mm: add 'try_get_page()' helper' to before its first use in
    the series.
  * Fixed whitespace issue in 'mm: add 'try_get_page()' helper'

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11487.html

From the link above:

"The Linux kernel before 5.1-rc5 allows page->_refcount reference count
overflow, with resultant use-after-free issues, if about 140 GiB of RAM
exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c,
mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests."

Bionic has already received these patches during an upstream sync:
https://bugs.launchpad.net/bugs/1838459

Xenial felt like a bit of an involved backport that touched the mm
subsystem, and because of that, I think it is possible there's a breakage
risk here that I don't see, as I'm not very familiar with mm. It builds on
all arches and I boot-tested amd64.

* mm: prevent get_user_pages() from overflowing page refcount

  This is the patch I'm most concerned about. It appears to be based on a
  refactoring patch which split a function into a number of others. Rather
  than try to backport the refactoring patch(es), I've backported the code
  to what I think is equivalent to what the refactored one does.
  In my backport, I didn't see an equivalent error path for this hunk from
  the original patch, so it was omitted:

  =======================================
  ret = split_huge_page(page);

* mm, gup: ensure real head page is ref-counted when using hugepages

  This patch wasn't named as part of the CVE fix itself, but bringing this
  one in made it easier to apply the last fix "mm: prevent get_user_pages()
  from overflowing page refcount".

* mm: make page ref count overflow check tighter and more explicit

  Minor offset adjustments, and used atomic_read instead of a wrapper
  function that is introduced in a later commit (that commit makes a large
  number of changes, so I felt it was better to just use the mechanism that
  it ultimately uses).

* fs: prevent page refcount overflow in pipe_buf_get

  Offset adjustment and manually change the function signature for
  buffer_pipe_buf_get.

* mm: add 'try_get_page()' helper function

  Offset adjustment, directly use atomic_read and atomic_inc rather than the
  page_ref wrappers that aren't introduced until a later and larger commit.

* pipe: add pipe_buf_get() helper

  Clean cherry pick.
  Needed for "fs: prevent page refcount overflow in pipe_buf_get"

----------------------------------------------------------------
The following changes since commit ccb7110c8c340a5008de4d1959a1a11c869feb79:

  platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi (2019-08-13 01:31:09 -0400)

are available in the Git repository at:

  git://git.launchpad.net/~connork/+git/xenial CVE-2019-11487

for you to fetch changes up to b7f98e42ebcfe6bfdc45ba1b153bb4f92c945262:

  mm: prevent get_user_pages() from overflowing page refcount (2019-08-13 07:23:30 -0700)

----------------------------------------------------------------
Linus Torvalds (3):
      mm: add 'try_get_page()' helper function
      mm: make page ref count overflow check tighter and more explicit
      mm: prevent get_user_pages() from overflowing page refcount

Matthew Wilcox (1):
      fs: prevent page refcount overflow in pipe_buf_get

Miklos Szeredi (1):
      pipe: add pipe_buf_get() helper

Punit Agrawal (1):
      mm, gup: ensure real head page is ref-counted when using hugepages

 fs/fuse/dev.c             | 12 ++++++------
 fs/pipe.c                 |  4 ++--
 fs/splice.c               | 12 ++++++++++--
 include/linux/mm.h        | 15 +++++++++++++-
 include/linux/pipe_fs_i.h | 17 ++++++++++++++--
 kernel/trace/trace.c      |  6 +++++-
 mm/gup.c                  | 50 ++++++++++++++++++++++++++++++++++-------------
 mm/hugetlb.c              | 16 ++++++++++++++-
 8 files changed, 103 insertions(+), 29 deletions(-)

Acked-by: Stefan Bader

diff --git a/mm/gup.c b/mm/gup.c index 75029649baca..81e0bdefa2cc 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -295,7 +299,10 @@ static struct page *follow_pmd_mask(struct vm_area_struct *vma, if (pmd_trans_unstable(pmd)) ret = -EBUSY; } else { - get_page(page); + if (unlikely(!try_get_page(page))) { + spin_unlock(ptl); + return ERR_PTR(-ENOMEM); + } spin_unlock(ptl); lock_page(page);
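Review bot: the new failure branch returns ERR_PTR(-ENOMEM) straight out of follow_pmd_mask(), while the sibling branch just above reports its failure through `ret = -EBUSY;` and falls through, so this one if/else now carries two different error conventions. That matches what upstream does, but since the cover letter says this hunk was hand-ported rather than taken from the refactored code, please confirm that the Xenial caller chain of follow_pmd_mask() (follow_page_mask() and __get_user_pages() above it) tests IS_ERR() on the returned page before treating a non-NULL result as a page: NULL there means "fault it in", and an ERR_PTR value dereferenced as a page would be a new crash path rather than the -ENOMEM the hunk intends. The spin_unlock(ptl) before the return is correct and properly skips the lock_page() that follows on the success path. A one-line comment above `if (unlikely(!try_get_page(page))) {` saying that -ENOMEM is the deliberate answer to a saturated refcount would help readers of 4.4 mm/gup.c who lack the upstream context. Note also the +4 offset in the hunk header (`@@ -295,7 +299,10 @@`): earlier hunks in mm/gup.c exist in the backport but are not shown here, so this hunk alone does not account for the 50-line diffstat for that file.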
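To make the three mm-side changes in this pull concrete (the 'try_get_page()' helper that refuses a get once the count is no longer positive, the tighter page_ref_zero_or_close_to_overflow() check, and the -ENOMEM shape of the follow_pmd_mask() hunk), here is an added userland model in C. It is example code written for this page, not code from the series, from the Ubuntu tree or from upstream: `struct page` is a stand-in with only the _refcount field, put_page() is a one-line stand-in for put_page_testzero(), the starting counts are constructed to represent the state after an attacker has already pinned the same page billions of times, and the helper names gup_pin_page(), guarded_pins_from(), count_after_guarded_pins(), close_to_overflow_at() and owner_put_frees_live_page() are invented for the demonstration. The bodies of try_get_page() and page_ref_zero_or_close_to_overflow() reproduce the upstream logic as I understand it from the commits named above; compare against include/linux/mm.h rather than trusting this model.

```c
/*
 * Userland model of the page-refcount guards carried by this pull.
 * Constructed example, not kernel code: `struct page` is a stand-in with
 * only the _refcount field, put_page() stands in for put_page_testzero(),
 * and the two guard helpers copy the upstream logic so it can be compared
 * with include/linux/mm.h.
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct page {
	unsigned int _refcount;	/* unsigned here so wraparound is defined C;
				   the kernel reads it as a signed atomic_t */
};

static int page_ref_count(const struct page *page)
{
	return (int)page->_refcount;
}

/* "make page ref count overflow check tighter": true when the count is 0 or
 * has wrapped through INT_MIN and climbed back to within 127 of zero. */
static bool page_ref_zero_or_close_to_overflow(const struct page *page)
{
	return ((unsigned int)page_ref_count(page) + 127u) <= 127u;
}

/* Probe the check at a given signed count. */
static bool close_to_overflow_at(int count)
{
	struct page p = { ._refcount = (unsigned int)count };
	return page_ref_zero_or_close_to_overflow(&p);
}

/* Pre-fix behaviour: get_page() just increments. Adding n at once stands in
 * for a pipe/FUSE loop that pins the same page n times. */
static void get_page_unchecked_n(struct page *page, unsigned int n)
{
	page->_refcount += n;
}

/* "add 'try_get_page()' helper": refuse once the count is <= 0, so the
 * first wrap past INT_MAX parks it at INT_MIN and every later get fails.
 * The page leaks, but it can never read as free while still in use. */
static bool try_get_page(struct page *page)
{
	if (page_ref_count(page) <= 0)
		return false;
	page->_refcount++;
	return true;
}

/* Shape of the follow_pmd_mask() hunk: a refused get becomes -ENOMEM for
 * the caller instead of a silent extra reference. */
static int gup_pin_page(struct page *page)
{
	if (!try_get_page(page))
		return -ENOMEM;
	return 0;
}

/* Attempt n guarded pins from a given count; returns how many were
 * accepted and, through *final if non-NULL, the count afterwards. */
static unsigned int guarded_pins_from(int start, unsigned int n, int *final)
{
	struct page p = { ._refcount = (unsigned int)start };
	unsigned int ok = 0;

	while (n-- && gup_pin_page(&p) == 0)
		ok++;
	if (final)
		*final = page_ref_count(&p);
	return ok;
}

static int count_after_guarded_pins(int start, unsigned int n)
{
	int final = 0;

	(void)guarded_pins_from(start, n, &final);
	return final;
}

/* put_page(): drop one reference; the page is freed when the count reaches
 * zero. Returns true if this put freed the page. */
static bool put_page(struct page *page)
{
	page->_refcount--;
	return page_ref_count(page) == 0;
}

/* Start state -2: the attacker's pin loop has already wrapped the count
 * (constructed). Unguarded, three more pins make it read 1 and the owner's
 * single put frees a page the attacker still holds: the CVE-2019-11487
 * use-after-free. Guarded, the pins are refused, the owner's put leaves
 * the count at -3 and the page is merely leaked. */
static bool owner_put_frees_live_page(bool guarded)
{
	struct page p = { ._refcount = (unsigned int)-2 };

	if (guarded) {
		for (int i = 0; i < 3; i++)
			(void)gup_pin_page(&p);	/* each returns -ENOMEM */
	} else {
		get_page_unchecked_n(&p, 3);	/* count now reads 1 */
	}
	return put_page(&p);
}

int main(void)
{
	int final;
	unsigned int ok = guarded_pins_from(INT_MAX - 2, 10, &final);

	printf("guarded pins from INT_MAX-2: %u accepted, count now %d\n", ok, final);
	printf("owner put frees live page: unguarded=%s guarded=%s\n",
	       owner_put_frees_live_page(false) ? "yes" : "no",
	       owner_put_frees_live_page(true) ? "yes" : "no");
	return 0;
}
```

The point the model makes for review: try_get_page() does allow exactly one wrap (INT_MAX to INT_MIN) and then saturates, which is why the upstream VM_BUG_ON in get_page() had to be loosened to the "zero or within 127 of zero" form in the same series; a backport that takes the helper without the tighter check, or the other way round, would either BUG on the first legitimate saturated get or keep the old sign-based check that try_get_page() is designed to trip.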