NAK: [PATCH 0/1][SRU][T/X/B/C] CVE-2019-9213 - Incorrect memory protection check

Kleber Souza kleber.souza at canonical.com
Thu Mar 7 15:19:48 UTC 2019


On 3/7/19 4:26 AM, Tyler Hicks wrote:
> On 2019-03-07 11:11:30, You-Sheng Yang wrote:
>> This patch doesn't apply on current trusty master-next HEAD
>> 6a34acb7c2f8, and does apply on X/B/C.
> A cherry-pick works just fine on trusty master-next which is why I
> sent a single patch for all kernels:
>
> $ git cherry-pick 0a1d52994d440e21def1c2174932410b4f2a98a1
> [cves 9a5be15dfbfd] mm: enforce min addr even if capable() in expand_downwards()
>  Author: Jann Horn <jannh at google.com>
>  Date: Wed Feb 27 21:29:52 2019 +0100
>  1 file changed, 3 insertions(+), 4 deletions(-)
>
> I guess cherry-pick is including some merge logic to fix up fuzz.
>
> Do I need to resend a patch for Trusty or would the stable team rather
> just do a git cherry-pick?

The way we tag a patch as cherry pick or backport can be confusing exactly
because 'git cherry-pick' does fix up fuzz, whereas 'git am' doesn't. We expect
the patches sent to the ML to be applied cleanly with 'git am', and we consider
a cherry pick only if it can be applied from 'git format-patch'. So if any fixup
is needed, even if only fuzzing, they need to be tagged as 'backported', and if
the same patch can't be applied to the different trees it needs to be split up.

As Khaled mentioned, you don't need to send another patch for Trusty; we can
fix it up when applying.

Thanks!
Kleber


>
> Tyler
>
>> On 2019/3/7 10:36 AM, Tyler Hicks wrote:
>>> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html
>>>
>>>  In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a
>>>  check for the mmap minimum address, which makes it easier for attackers to
>>>  exploit kernel NULL pointer dereferences on non-SMAP platforms. This is
>>>  related to a capability check for the wrong task.
>>>
>>> Clean cherry pick. Clean build logs. Verified the fix in Cosmic through Trusty
>>> with the PoC in the Project Zero bug report[1].
>>>
>>> Tyler
>>>
>>> [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
>>>
>>> Jann Horn (1):
>>>   mm: enforce min addr even if capable() in expand_downwards()
>>>
>>>  mm/mmap.c | 7 +++----
>>>  1 file changed, 3 insertions(+), 4 deletions(-)
>>>
>
>
>
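The difference between 'git am' and 'git cherry-pick' discussed in this thread, as an added example that is not part of the original messages: a fix whose context has drifted on the target branch is rejected by 'git am' but applied by 'git cherry-pick'. The throwaway repository, file name and branch names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: the repo, file name and branch names are made up for illustration.
demo_am_vs_cherry_pick() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/repo" && cd "$tmp/repo" || exit 1
    # Isolate from user/system git config (e.g. am.threeWay) and set an identity.
    export HOME="$tmp" GIT_CONFIG_NOSYSTEM=1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    git init -q . 2>/dev/null || exit 1
    git symbolic-ref HEAD refs/heads/upstream
    printf 'line%s\n' 1 2 3 4 5 6 7 8 9 10 > file.txt
    git add file.txt && git commit -q -m 'base' || exit 1
    git branch stable                      # the older tree forks here

    # "Upstream" fix: touches line 5 only.
    sed 's/^line5$/line5 fixed/' file.txt > file.new && mv file.new file.txt
    git commit -q -a -m 'fix line5' || exit 1
    fix=$(git rev-parse HEAD)
    patch=$(git format-patch -1 -o "$tmp" "$fix")

    # The stable tree drifted: line 2 sits inside the patch's 3 lines of context.
    git checkout -q stable
    sed 's/^line2$/line2 stable-only/' file.txt > file.new && mv file.new file.txt
    git commit -q -a -m 'stable-only change' || exit 1

    # git am applies the mailed diff as-is; mismatched context is a failure.
    if git am "$patch" >/dev/null 2>&1; then am=applied
    else am=rejected; git am --abort >/dev/null 2>&1; fi

    # git cherry-pick does a three-way merge against the fix's parent commit.
    if git cherry-pick "$fix" >/dev/null 2>&1 &&
       grep -q '^line5 fixed$' file.txt && grep -q '^line2 stable-only$' file.txt
    then pick=applied; else pick=rejected; fi

    cd / && rm -rf "$tmp"
    echo "am=$am cherry-pick=$pick"
)

demo_am_vs_cherry_pick
```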




