From 3e765ace8283f02285de3e8e2287a913a06a3912 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sun, 26 Apr 2020 20:57:24 +0200 Subject: [PATCH] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED (CVE-2020-11565) --- debian/changelog | 2 + ...uire-at-least-one-nodeid-for-MPOL_PR.patch | 56 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/bugfix/all/mm-mempolicy-require-at-least-one-nodeid-for-MPOL_PR.patch diff --git a/debian/changelog b/debian/changelog index 88b43e16a..70437d57e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,8 @@ linux (4.19.98-1+deb10u1) UNRELEASED; urgency=medium (CVE-2020-8428) * vfs: fix do_last() regression * vhost: Check docket sk_family instead of call getname (CVE-2020-10942) + * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED + (CVE-2020-11565) -- Salvatore Bonaccorso Sun, 26 Apr 2020 20:32:58 +0200 diff --git a/debian/patches/bugfix/all/mm-mempolicy-require-at-least-one-nodeid-for-MPOL_PR.patch b/debian/patches/bugfix/all/mm-mempolicy-require-at-least-one-nodeid-for-MPOL_PR.patch new file mode 100644 index 000000000..c6e267a37 --- /dev/null +++ b/debian/patches/bugfix/all/mm-mempolicy-require-at-least-one-nodeid-for-MPOL_PR.patch 
@@ -0,0 +1,56 @@ +From: Randy Dunlap +Date: Wed, 1 Apr 2020 21:10:58 -0700 +Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED +Origin: https://git.kernel.org/linus/aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-11565 + +Using an empty (malformed) nodelist that is not caught during mount option +parsing leads to a stack-out-of-bounds access. + +The option string that was used was: "mpol=prefer:,". However, +MPOL_PREFERRED requires a single node number, which is not being provided +here. + +Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's +nodeid. + +Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display") +Reported-by: Entropy Moe <3ntr0py1337@gmail.com> +Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com +Signed-off-by: Randy Dunlap +Signed-off-by: Andrew Morton +Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com +Cc: Lee Schermerhorn +Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org +Signed-off-by: Linus Torvalds +--- + mm/mempolicy.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 460683bbe58c..5fb427aed612 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -2898,7 +2898,9 @@ int mpol_parse_str(char *str, struct mempolicy **mpol) + switch (mode) { + case MPOL_PREFERRED: + /* +- * Insist on a nodelist of one node only ++ * Insist on a nodelist of one node only, although later ++ * we use first_node(nodes) to grab a single node, so here ++ * nodelist (or nodes) cannot be empty. + */ + if (nodelist) { + char *rest = nodelist; +@@ -2906,6 +2908,8 @@ int mpol_parse_str(char *str, struct mempolicy **mpol) + rest++; + if (*rest) + goto out; ++ if (nodes_empty(nodes)) ++ goto out; + } + break; + case MPOL_INTERLEAVE: +-- +2.26.2 + 
diff --git a/debian/patches/series b/debian/patches/series index 877f0e53a..000369bc8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -308,6 +308,7 @@ bugfix/x86/KVM-nVMX-Don-t-emulate-instructions-in-guest-mode.patch bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch bugfix/all/vfs-fix-do_last-regression.patch bugfix/all/vhost-Check-docket-sk_family-instead-of-call-getname.patch +bugfix/all/mm-mempolicy-require-at-least-one-nodeid-for-MPOL_PR.patch # Backported change to provide boot-time entropy bugfix/all/random-try-to-actively-add-entropy-rather-than-passi.patch
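Review bot: the debian/changelog hunk names the CVE but not the upstream commit it backports; since the patch header already carries the Origin URL this is acceptable, though adding the upstream short hash to the changelog entry would make the mapping visible without opening the patch file.

Review bot: in the first mm/mempolicy.c hunk the expanded comment explains why an empty nodelist must be rejected, but the phrasing "Insist on a nodelist of one node only, although later we use first_node(nodes) to grab a single node, so here nodelist (or nodes) cannot be empty" reads awkwardly; consider splitting it into two sentences, for example "Insist on a nodelist of one node only. first_node(nodes) is used later to pick that node, so nodes must not be empty here."

Review bot: in the second mm/mempolicy.c hunk the new `if (nodes_empty(nodes)) goto out;` is placed inside the `if (nodelist)` block, after the digit scan. That placement is the important part: the existing `if (*rest) goto out;` only rejects trailing non-digit characters and lets an empty nodelist string through unchanged, which is exactly the "mpol=prefer:," case from the commit message. Keeping the check inside `if (nodelist)` also means a mount with no `:` at all is not affected by this change, so the behaviour for a plain `mpol=prefer` stays as before. Worth stating in the patch description that the fix relies on nodelist_parse() accepting an empty string and leaving `nodes` empty, since that is the condition the new check catches.

Review bot: the debian/patches/series hunk appends the new patch directly after the vhost CVE fix and before the "# Backported change to provide boot-time entropy" comment, which matches the order of the changelog entries; no change needed.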