ACK/CMNT: [Pull][SRU][CVE-2019-11487][Xenial] Avoid overflowing page reference count
Tyler Hicks
tyhicks at canonical.com
Fri Aug 9 22:03:25 UTC 2019
On 2019-08-06 14:04:52, Connor Kuehl wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11487.html
>
> From the link above:
>
> "The Linux kernel before 5.1-rc5 allows page->_refcount reference count
> overflow, with resultant use-after-free issues, if about 140 GiB of RAM
> exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
> include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c,
> mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests."
>
> Bionic has already received these patches during an upstream sync:
> https://bugs.launchpad.net/bugs/1838459
>
> Xenial felt like a bit of an involved backport that touched the mm subsystem,
> and because of that, I think it is possible there's a breakage risk here that
> I don't see as I'm not very familiar with mm.
This all looks good to me. The only thing that I noticed was a spaces vs
tab issue on the line that calls atomic_inc() in "mm: add
'try_get_page()' helper function". That's not a blocker, IMO, but maybe
you could fix it up before it is pulled.
Acked-by: Tyler Hicks <tyhicks at canonical.com>
Tyler
>
> It builds on all arches and I boot-tested amd64.
>
> * mm: prevent get_user_pages() from overflowing page refcount
>
> This is the patch I'm most concerned about. It appears to be based on a
> refactoring patch which split a function into a number of others. Rather
> than try to backport the refactoring patch(es). I've backported the code
> to what I think is equivalent to what the refactored one does.
>
> In my backport, I didn't see an equivalent error path for this hunk from
> the original patch, so it was omitted:
>
> diff --git a/mm/gup.c b/mm/gup.c
> index 75029649baca..81e0bdefa2cc 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -295,7 +299,10 @@ static struct page *follow_pmd_mask(struct vm_area_struct *vma,
> if (pmd_trans_unstable(pmd))
> ret = -EBUSY;
> } else {
> - get_page(page);
> + if (unlikely(!try_get_page(page))) {
> + spin_unlock(ptl);
> + return ERR_PTR(-ENOMEM);
> + }
> spin_unlock(ptl);
> lock_page(page);
> ret = split_huge_page(page);
>
> * mm, gup: ensure real head page is ref-counted when using hugepages
>
> This patch wasn't named as part of the CVE fix itself, but bringing this one in
> made it easier to apply the last fix "mm: prevent get_user_pages() from overflowing page refcount"
>
> * mm: make page ref count overflow check tighter and more explicit
>
> Minor offset adjustments, and used atomic_read instead of a wrapper function
> that is introduced in a later commit (that commit makes a large number of changes
> so I felt it was better to just use the mechanism that it ultimately uses).
>
> * mm: add 'try_get_page()' helper function
>
> Offset adjustment, directly use atomic_read and atomic_inc rather than the
> page_ref wrappers that aren't introduced until a later and larger commit.
>
> * fs: prevent page refcount overflow in pipe_buf_get
>
> Offset adjustment and manually change the function signature for buffer_pipe_buf_get
>
> * pipe: add pipe_buf_get() helper
>
> Clean cherry pick. Needed for "fs: prevent page refcount overflow in pipe_buf_get"
>
> ----------------------------------------------------------------
> The following changes since commit 1ef87ecb69472da81f394f8229ec3e100b306252:
>
> Linux 4.4.186 (2019-08-05 18:19:52 +0200)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~connork/+git/xenial CVE-2019-11487
>
> for you to fetch changes up to 0af916186a039ec8029b12f64023f2786ab8fa6c:
>
> mm: prevent get_user_pages() from overflowing page refcount (2019-08-06 13:29:12 -0700)
>
> ----------------------------------------------------------------
> Linus Torvalds (3):
> mm: add 'try_get_page()' helper function
> mm: make page ref count overflow check tighter and more explicit
> mm: prevent get_user_pages() from overflowing page refcount
>
> Matthew Wilcox (1):
> fs: prevent page refcount overflow in pipe_buf_get
>
> Miklos Szeredi (1):
> pipe: add pipe_buf_get() helper
>
> Punit Agrawal (1):
> mm, gup: ensure real head page is ref-counted when using hugepages
>
> fs/fuse/dev.c | 12 ++++++------
> fs/pipe.c | 4 ++--
> fs/splice.c | 12 ++++++++++--
> include/linux/mm.h | 15 +++++++++++++-
> include/linux/pipe_fs_i.h | 17 ++++++++++++++--
> kernel/trace/trace.c | 6 +++++-
> mm/gup.c | 50 ++++++++++++++++++++++++++++++++++-------------
> mm/hugetlb.c | 16 ++++++++++++++-
> 8 files changed, 103 insertions(+), 29 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list