NAK: [Focal] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

Seth Forshee seth.forshee at canonical.com
Fri Mar 6 20:53:35 UTC 2020


On Fri, Feb 28, 2020 at 10:03:19AM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Catalin Marinas <catalin.marinas at arm.com>
> 
> CVE-2020-9391
> 
> Currently the arm64 kernel ignores the top address byte passed to brk(),
> mmap() and mremap(). When the user is not aware of the 56-bit address
> limit or relies on the kernel to return an error, untagging such
> pointers has the potential to create address aliases in user-space.
> Passing a tagged address to munmap(), madvise() is permitted since the
> tagged pointer is expected to be inside an existing mapping.
> 
> The current behaviour breaks the existing glibc malloc() implementation
> which relies on brk() with an address beyond 56-bit to be rejected by
> the kernel.
> 
> Remove untagging in the above functions by partially reverting commit
> ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> addition, update the arm64 tagged-address-abi.rst document accordingly.
> 
> Link: https://bugzilla.redhat.com/1797052
> Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> Cc: <stable at vger.kernel.org> # 5.4.x-
> Cc: Florian Weimer <fweimer at redhat.com>
> Reviewed-by: Andrew Morton <akpm at linux-foundation.org>
> Reported-by: Victor Stinner <vstinner at redhat.com>
> Acked-by: Will Deacon <will at kernel.org>
> Acked-by: Andrey Konovalov <andreyknvl at google.com>
> Signed-off-by: Catalin Marinas <catalin.marinas at arm.com>
> Signed-off-by: Will Deacon <will at kernel.org>
> (cherry picked from commit dcde237319e626d1ec3c9d8b7613032f0fd4663a)
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

This patch has already been applied to focal from upstream stable
updates.
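The brk() failure mode the quoted commit message describes, as an added illustration that is not part of this thread, of the kernel or of glibc: a user-space model of sys_brk() before and after the fix, driven by a glibc-style sbrk() that detects failure only by the kernel returning a break below the one requested. The 48-bit TASK_SIZE, page size, break addresses and increment are constructed for the model, and the real kernel's rejection of an over-large grow (inside get_unmapped_area()) is collapsed into a single TASK_SIZE comparison.

```c
/* Model (not kernel or glibc code) of arm64 brk() with and without the
 * top-byte untagging that commit dcde237319e6 removed. All addresses,
 * sizes and the 48-bit TASK_SIZE below are constructed for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096UL
#define PAGE_ALIGN(a) (((a) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define TASK_SIZE     (1UL << 48)   /* assumption: arm64, 48-bit user VA */

/* arm64 untagged_addr(): sign-extend from bit 55, which clears the top
 * byte of any user address (bit 55 is 0 for user space). Two pointers
 * that differ only in the top byte therefore alias the same address. */
static uint64_t untagged_addr(uint64_t addr)
{
    return (uint64_t)(((int64_t)(addr << 8)) >> 8);
}

struct mm_model {
    uint64_t start_brk;            /* lowest legal break */
    uint64_t brk;                  /* current break */
    unsigned long unmapped_pages;  /* heap pages dropped by shrinking */
};

/* Simplified sys_brk(): returns the new break on success and the
 * unchanged old break on failure, as the real syscall does. `untag`
 * selects the pre-fix behaviour. */
static uint64_t model_sys_brk(struct mm_model *mm, uint64_t brk, bool untag)
{
    uint64_t origbrk = mm->brk;

    if (untag)
        brk = untagged_addr(brk);   /* pre-fix: tag stripped, address aliased */

    if (brk < mm->start_brk)
        return origbrk;

    uint64_t newbrk = PAGE_ALIGN(brk);
    uint64_t oldbrk = PAGE_ALIGN(mm->brk);

    if (newbrk == oldbrk) {
        mm->brk = brk;
        return brk;
    }
    if (brk <= mm->brk) {           /* shrinking is always allowed */
        mm->unmapped_pages += (oldbrk - newbrk) / PAGE_SIZE;
        mm->brk = brk;
        return brk;
    }
    if (newbrk > TASK_SIZE)         /* grow past the VA limit: rejected */
        return origbrk;
    mm->brk = brk;
    return brk;
}

/* glibc-style __brk()/__sbrk(): __curbrk follows whatever the kernel
 * returned; failure is reported iff that is below the requested break. */
static uint64_t model_sbrk(struct mm_model *mm, uint64_t *curbrk,
                           uint64_t increment, bool untag)
{
    uint64_t oldbrk = *curbrk;
    uint64_t want = oldbrk + increment;   /* may carry into bits 56..63 */
    uint64_t got = model_sys_brk(mm, want, untag);

    *curbrk = got;
    return got < want ? (uint64_t)-1 : oldbrk;
}

/* Scenario: two heap pages in use, then an increment whose sum carries
 * into the top byte while its low 56 bits land one page below the
 * current break. Returns the final __curbrk; *lost gets the number of
 * in-use heap pages the kernel unmapped behind malloc's back. */
static uint64_t run_scenario(bool untag, unsigned long *lost)
{
    struct mm_model mm = {
        .start_brk = 0x0000555500000000UL,                 /* constructed */
        .brk       = 0x0000555500000000UL + 2 * PAGE_SIZE,
    };
    uint64_t curbrk = mm.brk;
    uint64_t increment = (1UL << 56) - PAGE_SIZE;          /* constructed */

    (void)model_sbrk(&mm, &curbrk, increment, untag);
    *lost = mm.unmapped_pages;
    return curbrk;
}

static unsigned long lost_pages(bool untag)
{
    unsigned long lost;
    (void)run_scenario(untag, &lost);
    return lost;
}

int main(void)
{
    unsigned long lost;
    uint64_t brk = run_scenario(true, &lost);
    printf("pre-fix:  %lu heap page(s) unmapped, __curbrk=%#lx\n", lost, (unsigned long)brk);
    brk = run_scenario(false, &lost);
    printf("post-fix: %lu heap page(s) unmapped, __curbrk=%#lx\n", lost, (unsigned long)brk);
    return 0;
}
```

In both runs sbrk() reports ENOMEM, so the caller sees the same error; the difference is that the pre-fix kernel has already shrunk the break by a page that malloc still considers live, which is the heap corruption the CVE describes. The post-fix kernel leaves the break where it was because the tagged request is simply beyond TASK_SIZE.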


