mm/mincore.c: make mincore() more conservative (CVE-2019-5489)

2019-06-17 19:29:35 +01:00 · 2019-06-17 19:29:35 +01:00 · e5664e23f5
parent 1894e89399
commit e5664e23f5
3 changed files with 97 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -12,6 +12,7 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
    (CVE-2019-3846)
  * mwifiex: Abort at too short BSS descriptor element
  * mwifiex: Don't abort on small, spec-compliant vendor IEs
+  * mm/mincore.c: make mincore() more conservative (CVE-2019-5489)

  [ Romain Perier ]
  * [rt] Update to 4.19.37-rt20
--- a/debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch
+++ b/debian/patches/bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch
@ -0,0 +1,95 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?id=f580a54bbd522f2518fd642f7d4d73ad728e5d58
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-5489
+
+commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+   not (shared) text
+
+[jkosina@suse.cz: v2]
+  Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mincore.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/mm/mincore.c b/mm/mincore.c
+index fc37afe226e6..2732c8c0764c 100644
+--- a/mm/mincore.c
+++ b/mm/mincore.c
+@@ -169,6 +169,22 @@ static int mincore_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
+ 	return 0;
+ }
+ 
+static inline bool can_do_mincore(struct vm_area_struct *vma)
+{
+	if (vma_is_anonymous(vma))
+		return true;
+	if (!vma->vm_file)
+		return false;
+	/*
+	 * Reveal pagecache information only for non-anonymous mappings that
+	 * correspond to the files the calling process could (if tried) open
+	 * for writing; otherwise we'd be including shared non-exclusive
+	 * mappings, which opens a side channel.
+	 */
+	return inode_owner_or_capable(file_inode(vma->vm_file)) ||
+		inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
+}
+
+ /*
+  * Do a chunk of "sys_mincore()". We've already checked
+  * all the arguments, we hold the mmap semaphore: we should
+@@ -189,8 +205,13 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v
+ 	vma = find_vma(current->mm, addr);
+ 	if (!vma || addr < vma->vm_start)
+ 		return -ENOMEM;
+-	mincore_walk.mm = vma->vm_mm;
+ 	end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
+	if (!can_do_mincore(vma)) {
+		unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
+		memset(vec, 1, pages);
+		return pages;
+	}
+	mincore_walk.mm = vma->vm_mm;
+ 	err = walk_page_range(addr, end, &mincore_walk);
+ 	if (err < 0)
+ 		return err;
--- a/debian/patches/series
+++ b/debian/patches/series
@ -220,6 +220,7 @@ bugfix/all/Bluetooth-hidp-fix-buffer-overflow.patch
 bugfix/all/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch
 bugfix/all/mwifiex-abort-at-too-short-bss-descriptor-element.patch
 bugfix/all/mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch
+bugfix/all/mm-mincore.c-make-mincore-more-conservative.patch

 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch