From patchwork Tue Aug 6 21:04:52 2019
X-Patchwork-Submitter: Connor Kuehl
X-Patchwork-Id: 1143056
From: Connor Kuehl
To: kernel-team@lists.ubuntu.com
Subject: [Pull][SRU][CVE-2019-11487][Xenial] Avoid overflowing page reference count
Date: Tue, 6 Aug 2019 14:04:52 -0700
Message-Id: <20190806210452.14708-1-connor.kuehl@canonical.com>

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11487.html

From the link above:

"The Linux kernel before 5.1-rc5 allows page->_refcount reference count
overflow, with resultant use-after-free issues, if about 140 GiB of RAM
exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c,
mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests."

Bionic has already received these patches during an upstream sync:
https://bugs.launchpad.net/bugs/1838459

Xenial felt like a bit of an involved backport that touched the mm
subsystem, and because of that, I think it is possible there's a breakage
risk here that I don't see, as I'm not very familiar with mm.

It builds on all arches and I boot-tested amd64.

* mm: prevent get_user_pages() from overflowing page refcount

  This is the patch I'm most concerned about. It appears to be based on a
  refactoring patch which split a function into a number of others. Rather
  than try to backport the refactoring patch(es), I've backported the code
  to what I think is equivalent to what the refactored one does.

  In my backport, I didn't see an equivalent error path for this hunk from
  the original patch, so it was omitted:

* mm, gup: ensure real head page is ref-counted when using hugepages

  This patch wasn't named as part of the CVE fix itself, but bringing this
  one in made it easier to apply the last fix, "mm: prevent
  get_user_pages() from overflowing page refcount".

* mm: make page ref count overflow check tighter and more explicit

  Minor offset adjustments, and used atomic_read instead of a wrapper
  function that is introduced in a later commit (that commit makes a large
  number of changes, so I felt it was better to just use the mechanism
  that it ultimately uses).

* mm: add 'try_get_page()' helper function

  Offset adjustment; directly use atomic_read and atomic_inc rather than
  the page_ref wrappers that aren't introduced until a later and larger
  commit.

* fs: prevent page refcount overflow in pipe_buf_get

  Offset adjustment and manually change the function signature for
  buffer_pipe_buf_get.

* pipe: add pipe_buf_get() helper

  Clean cherry pick. Needed for "fs: prevent page refcount overflow in
  pipe_buf_get".

----------------------------------------------------------------
The following changes since commit 1ef87ecb69472da81f394f8229ec3e100b306252:

  Linux 4.4.186 (2019-08-05 18:19:52 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~connork/+git/xenial CVE-2019-11487

for you to fetch changes up to 0af916186a039ec8029b12f64023f2786ab8fa6c:

  mm: prevent get_user_pages() from overflowing page refcount (2019-08-06 13:29:12 -0700)

----------------------------------------------------------------
Linus Torvalds (3):
      mm: add 'try_get_page()' helper function
      mm: make page ref count overflow check tighter and more explicit
      mm: prevent get_user_pages() from overflowing page refcount

Matthew Wilcox (1):
      fs: prevent page refcount overflow in pipe_buf_get

Miklos Szeredi (1):
      pipe: add pipe_buf_get() helper

Punit Agrawal (1):
      mm, gup: ensure real head page is ref-counted when using hugepages

 fs/fuse/dev.c             | 12 ++++++------
 fs/pipe.c                 |  4 ++--
 fs/splice.c               | 12 ++++++++++--
 include/linux/mm.h        | 15 +++++++++++++-
 include/linux/pipe_fs_i.h | 17 ++++++++++++++--
 kernel/trace/trace.c      |  6 +++++-
 mm/gup.c                  | 50 ++++++++++++++++++++++++++++++++++-------------
 mm/hugetlb.c              | 16 ++++++++++++++-
 8 files changed, 103 insertions(+), 29 deletions(-)

Acked-by: Tyler Hicks

diff --git a/mm/gup.c b/mm/gup.c index 75029649baca..81e0bdefa2cc 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -295,7 +299,10 @@ static struct page *follow_pmd_mask(struct vm_area_struct *vma, if (pmd_trans_unstable(pmd)) ret = -EBUSY; } else { - get_page(page); + if (unlikely(!try_get_page(page))) { + spin_unlock(ptl); + return ERR_PTR(-ENOMEM); + } spin_unlock(ptl); lock_page(page); ret = split_huge_page(page);
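Review bot: the new early return gives follow_pmd_mask() a failure path (ERR_PTR(-ENOMEM) when try_get_page() refuses a saturated reference count) that did not exist while the code called get_page() unconditionally; please state in the cover letter that the Xenial caller of follow_pmd_mask() already treats an ERR_PTR return as an error rather than as a valid page, since the safety of this hunk rests on that. The lock handling itself is correct: spin_unlock(ptl) runs before the return, matching the unchanged spin_unlock(ptl) on the success path, and the header moving from -295 to +299 is consistent with the offset adjustments the cover letter describes.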
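The two checks the backport pulls in (the 'try_get_page()' helper and the tighter "zero or close to overflow" test that get_page() asserts), modelled in user space as an added example; this is not code from the pull request or from the kernel tree, the struct and function names are constructed, and a plain int stands in for page->_refcount.

```c
#include <limits.h>
#include <stdbool.h>
/* Added example, not code from the pull request or the kernel tree: a
 * user-space model of the checks the backported commits rely on. Names are
 * constructed; a plain int stands in for page->_refcount, which the
 * backport reads and bumps with atomic_read() and atomic_inc(). */
struct page_model { int refcount; };

/* Wrapping increment, as atomic_inc() on a 32-bit counter behaves. */
static void ref_inc(struct page_model *p)
{
    p->refcount = (int)((unsigned int)p->refcount + 1u);
}

/* Model of page_ref_zero_or_close_to_overflow(): true when the count is 0
 * or, read as unsigned 32-bit, within 127 of wrapping back to 0 (signed:
 * 0 or -127..-1). A count that merely passed INT_MAX still has headroom. */
static bool ref_zero_or_close_to_overflow(const struct page_model *p)
{
    return ((unsigned int)p->refcount + 127u) <= 127u;
}

/* Model of get_page(): where the kernel fires VM_BUG_ON_PAGE, return false. */
static bool get_ref(struct page_model *p)
{
    if (ref_zero_or_close_to_overflow(p))
        return false;
    ref_inc(p);
    return true;
}

/* Model of try_get_page(): refuse when non-positive; the hunk maps this to -ENOMEM. */
static bool try_get_ref(struct page_model *p)
{
    if (p->refcount <= 0)
        return false;
    ref_inc(p);
    return true;
}

/* Take up to 'attempts' references from 'start'; returns the number that
 * succeeded and leaves the final count in *final. */
static int grab_until_refused(int start, int attempts, int *final)
{
    struct page_model p = { .refcount = start };
    int ok = 0;
    while (ok < attempts && try_get_ref(&p))
        ok++;
    *final = p.refcount;
    return ok;
}
```

grab_until_refused() shows the counter going past INT_MAX on the third grab and the fourth being refused, which is the state follow_pmd_mask() now reports as -ENOMEM instead of continuing with a wrapped count.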