From patchwork Wed Jan 31 17:01:30 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 868022
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Artful][PATCH 1/1] mm/pagewalk.c: report holes in hugetlb ranges
Date: Wed, 31 Jan 2018 18:01:30 +0100
Message-Id: <20180131170130.2881-2-kleber.souza@canonical.com>
In-Reply-To: <20180131170130.2881-1-kleber.souza@canonical.com>
References: <20180131170130.2881-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Jann Horn

This matters at least for the mincore syscall, which will otherwise copy uninitialized memory from the page allocator to userspace. It is probably also a correctness error for /proc/$pid/pagemap, but I haven't tested that.

Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has no effect because the caller already checks for that. This only reports holes in hugetlb ranges to callers who have specified a hugetlb_entry callback.

This issue was found using an AFL-based fuzzer.

v2:
- don't crash on ->pte_hole==NULL (Andrew Morton)
- add Cc stable (Andrew Morton)

Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()")
Signed-off-by: Jann Horn
Cc:
Signed-off-by: Linus Torvalds

CVE-2017-16994

(cherry picked from commit 373c4557d2aa362702c4c2d41288fb1e54990b7c)
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Colin Ian King
Acked-by: Marcelo Henrique Cerri
---
mm/pagewalk.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/mm/pagewalk.c b/mm/pagewalk.c index 1a4197965415..7d973f63088c 100644 --- a/mm/pagewalk.c +++ b/mm/pagewalk.c @@ -187,8 +187,12 @@ static int walk_hugetlb_range(unsigned long addr, unsigned long end, do { next = hugetlb_entry_end(h, addr, end); pte = huge_pte_offset(walk->mm, addr & hmask, sz); - if (pte && walk->hugetlb_entry) + + if (pte) err = walk->hugetlb_entry(pte, hmask, addr, next, walk); + else if (walk->pte_hole) + err = walk->pte_hole(addr, next, walk); + if (err) break; } while (addr = next, addr != end);
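Review bot: the `else if (walk->pte_hole)` branch in the walk_hugetlb_range() hunk is the part that closes the information leak the message describes: before it, a hugetlb hole (`pte == NULL`) fell through the loop without invoking any callback, so for mincore the output bytes covering that range were never written and reached userspace with whatever the page allocator had left in them. The NULL guard on `walk->pte_hole` is required rather than cosmetic, since the v2 note records that walkers without a `pte_hole` callback would otherwise crash. Two smaller points: dropping the `walk->hugetlb_entry` test makes this function rely on the caller's check, so a one-line comment above `if (pte)` stating that dependency would stop a future caller from reintroducing a NULL call; and the added empty `+` line between `huge_pte_offset()` and `if (pte)` is a stray whitespace change that is worth removing before the SRU lands. For verification, a regression check that runs mincore(2) over an unpopulated hugetlb mapping and confirms every returned vector byte is zero would pin this behaviour down.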