October 2024 - Linux-stable-mirror

Re: Patch "xen: tolerate ACPI NVS memory overlapping with Xen allocated memory" has been added to the 6.11-stable tree

by Jürgen Groß

On 01.10.24 01:15, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > xen: tolerate ACPI NVS memory overlapping with Xen allocated memory > > to the 6.11-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch > and it can be found in the queue-6.11 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 8302ac200e3fb2e8b669b96d7c36cdc266e47138 > Author: Juergen Gross <jgross(a)suse.com> > Date: Fri Aug 2 20:14:22 2024 +0200 > > xen: tolerate ACPI NVS memory overlapping with Xen allocated memory > > [ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] For this patch to have the desired effect there are the following prerequisite patches missing: c4498ae316da ("xen: move checks for e820 conflicts further up") 9221222c717d ("xen: allow mapping ACPI data using a different physical address") Please add those to the stable trees, too. Juergen

1 day, 3 hours

2
1
0 0

[PATCH 5.10.y] mptcp: fix sometimes-uninitialized warning

by Matthieu Baerts (NGI0)

Nathan reported this issue: $ make -skj"$(nproc)" ARCH=x86_64 LLVM=1 LLVM_IAS=1 mrproper allmodconfig net/mptcp/subflow.o net/mptcp/subflow.c:877:6: warning: variable 'incr' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] 877 | if (WARN_ON_ONCE(offset > skb->len)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/asm-generic/bug.h:101:33: note: expanded from macro 'WARN_ON_ONCE' 101 | #define WARN_ON_ONCE(condition) ({ \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 102 | int __ret_warn_on = !!(condition); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 103 | if (unlikely(__ret_warn_on)) \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 104 | __WARN_FLAGS(BUGFLAG_ONCE | \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 105 | BUGFLAG_TAINT(TAINT_WARN)); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 106 | unlikely(__ret_warn_on); \ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 107 | }) | ~~ net/mptcp/subflow.c:893:6: note: uninitialized use occurs here 893 | if (incr) | ^~~~ net/mptcp/subflow.c:877:2: note: remove the 'if' if its condition is always false 877 | if (WARN_ON_ONCE(offset > skb->len)) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 878 | goto out; | ~~~~~~~~ net/mptcp/subflow.c:874:18: note: initialize the variable 'incr' to silence this warning 874 | u32 offset, incr, avail_len; | ^ | = 0 1 warning generated. As mentioned by Nathan, this issue is present because 5.10 does not include commit ea4ca586b16f ("mptcp: refine MPTCP-level ack scheduling"), which removed the use of 'incr' in the error path added by this change. This other commit does not really look suitable for stable, hence this dedicated patch for 5.10. Fixes: e93fa44f0714 ("mptcp: fix duplicate data handling") Reported-by: Nathan Chancellor <nathan(a)kernel.org> Closes: https://lore.kernel.org/20240928175524.GA1713144@thelio-3990X Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/subflow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 8a0ef50c307c..843c61ebd421 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -871,7 +871,7 @@ static void mptcp_subflow_discard_data(struct sock *ssk, struct sk_buff *skb, struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN; struct tcp_sock *tp = tcp_sk(ssk); - u32 offset, incr, avail_len; + u32 offset, incr = 0, avail_len; offset = tp->copied_seq - TCP_SKB_CB(skb)->seq; if (WARN_ON_ONCE(offset > skb->len)) -- 2.45.2

1 day, 3 hours

2
1
0 0

[PATCH 5.4.y 0/2] tracing/kprobes: Backport request about

by Sherry Yang

The new test case which checks non unique symbol kprobe_non_uniq_symbol.tc failed because of missing kernel functionality support from commit b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols"). Backport it and its fix commit to 5.4.y together. Resolved minor context change conflicts. Andrii Nakryiko (1): tracing/kprobes: Fix symbol counting logic by looking at modules as well Francis Laniel (1): tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols kernel/trace/trace_kprobe.c | 76 +++++++++++++++++++++++++++++++++++++ kernel/trace/trace_probe.h | 1 + 2 files changed, 77 insertions(+) -- 2.46.0

1 day, 4 hours

2
3
0 0

[PATCH 5.10 v2 0/3] Re-adapt "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches"

by Pu Lehui

Commit 70294d8bc31f ("bpf: Eliminate rlimit-based memory accounting for devmap maps") relies on the v5.11+ basic mechanism of memcg-based memory accounting [0]. The commit cannot be independently backported to the 5.10 stable branch, otherwise the related memory when creating devmap will be unrestricted and the associated bpf selftest map_ptr will fail. Let's roll back to rlimit-based memory accounting mode for devmap and re-adapt the commit 225da02acdc9 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches") to the 5.10 stable branch. Link: https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com [0] Pu Lehui (2): Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches" Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps" Toke Høiland-Jørgensen (1): bpf: Fix DEVMAP_HASH overflow check on 32-bit arches kernel/bpf/devmap.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) -- 2.34.1

1 day, 4 hours

2
4
0 0

[PATCH 5.10.y 0/3] x86: Complete backports for x86_match_cpu()

by Ricardo Neri

Hi, Upstream commit 93022482b294 ("x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL") introduced a flags member to struct x86_cpu_id. Bit 0 of x86_cpu.id.flags must be set to 1 for x86_match_cpu() to work correctly. This upstream commit has been backported to 5.10.y. Callers that use the X86_MATCH_*() family of macros to compose the argument of x86_match_cpu() function correctly. Callers that use their own custom mechanisms may not work if they fail to set x86_cpu_id.flags correctly. There are three remaining callers in 5.10.y that use their own mechanisms: a) setup_pcid(), b) rapl_msr_probe(), and c) goodix_add_acpi_gpio_ mappings(). a) caused a regression that Thomas Lindroth reported in [1]. b) works by luck but it still populates its x86_cpu_id[] array incorrectly. I am not aware of any reports on c), but inspecting the code reveals that it will fail to identify INTEL_FAM6_ATOM_SILVERMONT for the reason described above. I backported three patches that fix these bugs in mainline. Hopefully the authors and/or maintainers can ack the backports? I tested patches 2/3 and 3/3 on Tiger Lake, Alder Lake, and Meteor Lake systems as the two involved callers behave differently on these systems. I wrote the testing details in each patch separately. I could not test patch 1/3 because I do not have access to Bay Trail hardware. Thanks and BR, Ricardo [1]. https://lore.kernel.org/all/eb709d67-2a8d-412f-905d-f3777d897bfa@gmail.com/ Hans de Goede (1): Input: goodix - use the new soc_intel_is_byt() helper Sumeet Pawnikar (1): powercap: RAPL: fix invalid initialization for pl4_supported field Tony Luck (1): x86/mm: Switch to new Intel CPU model defines arch/x86/mm/init.c | 16 ++++++---------- drivers/input/touchscreen/goodix.c | 18 ++---------------- drivers/powercap/intel_rapl_msr.c | 2 +- 3 files changed, 9 insertions(+), 27 deletions(-) -- 2.34.1

1 day, 4 hours

2
4
0 0

[PATCH 0/2] usb: dwc3: Disable susphy during initialization

by Thinh Nguyen

We notice some platforms set "snps,dis_u3_susphy_quirk" and "snps,dis_u2_susphy_quirk" when they should not need to. Just make sure that the GUSB3PIPECTL.SUSPENDENABLE and GUSB2PHYCFG.SUSPHY are clear during initialization. The host initialization involved xhci. So the dwc3 needs to implement the xhci_plat_priv->plat_start() for xhci to re-enable the suspend bits. Since there's a prerequisite patch to drivers/usb/host/xhci-plat.h that's not a fix patch, this series should go on Greg's usb-testing branch instead of usb-linus. Thinh Nguyen (2): usb: xhci-plat: Don't include xhci.h usb: dwc3: core: Prevent phy suspend during init drivers/usb/dwc3/core.c | 90 +++++++++++++++--------------------- drivers/usb/dwc3/core.h | 1 + drivers/usb/dwc3/gadget.c | 2 + drivers/usb/dwc3/host.c | 27 +++++++++++ drivers/usb/host/xhci-plat.h | 4 +- 5 files changed, 71 insertions(+), 53 deletions(-) base-commit: 3d122e6d27e417a9fa91181922743df26b2cd679 -- 2.28.0

1 day, 4 hours

4
10
0 0

Fix regression from "drm/amd/display: Fix MST BW calculation Regression"

by Mario Limonciello

Hello, The commit 338567d17627 ("drm/amd/display: Fix MST BW calculation Regression") caused a regression with some MST displays due to a mistake. For 6.11.y here is the series of commits that fixes it: commit 4599aef0c97b ("drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination") commit ecc4038ec1de ("drm/amd/display: Add DSC Debug Log") commit b2b4afb9cf07 ("drm/amdgpu/display: Fix a mistake in revert commit") Can you please bring them back to 6.11.y? Thanks!

1 day, 4 hours

2
3
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100103-banish-batboy-00df@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

1 day, 4 hours

1
0
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100157-unpeeled-surprise-8138@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

1 day, 4 hours

1
0
0 0

FAILED: patch "[PATCH] mm: call the security_mmap_file() LSM hook in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024100151-evolution-apache-87b3@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") 592b5fad1677 ("mm: Re-introduce vm_flags to do_mmap()") 183654ce26a5 ("mmap: change do_mas_munmap and do_mas_aligned_munmap() to use vma iterator") 0378c0a0e9e4 ("mm/mmap: remove preallocation from do_mas_align_munmap()") 92fed82047d7 ("mm/mmap: convert brk to use vma iterator") baabcfc93d3b ("mm/mmap: fix typo in comment") c5d5546ea065 ("maple_tree: remove the parameter entry of mas_preallocate") 675eaca1f441 ("mm/mmap: properly unaccount memory on mas_preallocate() failure") 6c28ca6485dd ("mmap: fix do_brk_flags() modifying obviously incorrect VMAs") f5ad5083404b ("mm: do not BUG_ON missing brk mapping, because userspace can unmap it") cc674ab3c018 ("mm/mmap: fix memory leak in mmap_region()") 120b116208a0 ("maple_tree: reorganize testing to restore module testing") a57b70519d1f ("mm/mmap: fix MAP_FIXED address return on VMA merge") 5789151e48ac ("mm/mmap: undo ->mmap() when mas_preallocate() fails") deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") 28c5609fb236 ("mm/mmap: preallocate maple nodes for brk vma expansion") 763ecb035029 ("mm: remove the vma linked list") 8220543df148 ("nommu: remove uses of VMA linked list") 67e7c16764c3 ("mm/mmap: change do_brk_munmap() to use do_mas_align_munmap()") 11f9a21ab655 ("mm/mmap: reorganize munmap to use maple states") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001 From: Shu Han <ebpqwerty472123(a)gmail.com> Date: Tue, 17 Sep 2024 17:41:04 +0800 Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages() The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable(a)vger.kernel.org Signed-off-by: Shu Han <ebpqwerty472123(a)gmail.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> [PM: subject line tweaks] Signed-off-by: Paul Moore <paul(a)paul-moore.com> diff --git a/mm/mmap.c b/mm/mmap.c index d0dfc85b209b..18fddcce03b8 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);

1 day, 4 hours

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024