[UBUNTU OEM-5.7 1/1] UBUNTU: SAUCE: Revert "mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Apr 4 13:55:14 UTC 2023


This reverts commit 9ae0f87d009ca6c4aab2882641ddfc319727e3db.

Otherwise, pages might be set dirty even if they are not writable, which
tricks the kernel into not breaking COW, allowing shmem files without write
permissions to be modified.

CVE-2022-2590
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 mm/shmem.c       | 1 +
 mm/userfaultfd.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/shmem.c b/mm/shmem.c
index 032479e48edd..fbcc100fa9bc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2394,6 +2394,7 @@ int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
 	shmem_recalc_inode(inode);
 	spin_unlock_irq(&info->lock);
 
+	SetPageDirty(page);
 	unlock_page(page);
 	return 0;
 out_delete_from_cache:
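Review bot: the restored `SetPageDirty(page)` marks the struct page dirty, not the PTE, and the distinction is exactly what this revert relies on, so a one-line comment at the call site would save the next reader a trip to the commit log. The commit message only explains the PTE half ("pages might be set dirty even if they are not writable"); here the page itself is dirtied unconditionally before `unlock_page(page)`, which is what keeps a freshly populated shmem page from being dropped without writeback and is independent of whether the PTE later installed by `mfill_atomic_install_pte` is writable.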
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 7259f96faaa0..971ca756999d 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -69,9 +69,10 @@ int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
 	pgoff_t offset, max_off;
 
 	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
-	_dst_pte = pte_mkdirty(_dst_pte);
 	if (page_in_cache && !vm_shared)
 		writable = false;
+	if (writable || !page_in_cache)
+		_dst_pte = pte_mkdirty(_dst_pte);
 
 	/*
 	 * Always mark a PTE as write-protected when needed, regardless of
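Review bot: the ordering of `if (page_in_cache && !vm_shared) writable = false;` before `if (writable || !page_in_cache) _dst_pte = pte_mkdirty(_dst_pte);` is load-bearing and nothing in the code says so; if someone later hoists the dirty decision above the `writable = false` line, a private mapping of a page-cache page gets a dirty, read-only PTE again and the COW break is skipped silently. Add a short comment stating that a read-only PTE on a page-cache page must be installed clean so a later write still triggers COW, and that `!page_in_cache` is safe to dirty because that page is freshly allocated for this mapping rather than shared with the file. The existing comment just below ("Always mark a PTE as write-protected when needed ...") only covers the write-protect branch and could mention the dirty bit in the same breath.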
-- 
2.34.1