From 196e1c5a8123250428f00bb7a451bca02cb1012c Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Jun 06 2014 15:01:53 +0000
Subject: CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
---
diff --git a/kernel.spec b/kernel.spec
index 7d60192..ca4bb62 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -771,6 +771,9 @@ Patch25093: auditsc-audit_krule-mask-accesses-need-bounds-checking.patch
 #rhbz 1099857
 Patch25095: team-fix-mtu-setting.patch
+# CVE-2014-3940 rhbz 1104097 1105042
+Patch25096: mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1494,6 +1497,9 @@ ApplyPatch auditsc-audit_krule-mask-accesses-need-bounds-checking.patch
 #rhbz 1099857
 ApplyPatch team-fix-mtu-setting.patch
+# CVE-2014-3940 rhbz 1104097 1105042
+ApplyPatch mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2305,6 +2311,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Fri Jun 06 2014 Josh Boyer
+- CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
+
 * Tue Jun 03 2014 Josh Boyer
 - Add fix for team MTU settings from Jiri Pirko (rhbz 1099857)
 - Backport fix for issues with Quagga introduced by CVE fixes (rhbz 1097684)
diff --git a/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch b/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
new file mode 100644
index 0000000..0227d27
--- /dev/null
+++ b/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
@@ -0,0 +1,71 @@
+Bugzilla: 1104097 1105042
+Upstream-status: Queued in linux-next, CC'd to stable
+
+From ecc894926ef62080c2a4c4286eccce9d2f30f05a Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi
+Date: Fri, 6 Jun 2014 10:00:01 -0400
+Subject: [PATCH] mm: add !pte_present() check on existing hugetlb_entry
+ callbacks
+
+Page table walker doesn't check non-present hugetlb entry in common path,
+so hugetlb_entry() callbacks must check it. The reason for this behavior
+is that some callers want to handle it in its own way.
+
+However, some callers don't check it now, which causes unpredictable
+result, for example when we have a race between migrating hugepage and
+reading /proc/pid/numa_maps. This patch fixes it by adding !pte_present
+checks on buggy callbacks.
+
+This bug exists for years and got visible by introducing hugepage migration.
+
+ChangeLog v2:
+- fix if condition (check !pte_present() instead of pte_present())
+
+Reported-by: Sasha Levin
+Signed-off-by: Naoya Horiguchi
+Cc: Rik van Riel
+Cc: [3.12+]
+Signed-off-by: Andrew Morton
+
+[ Backported to 3.15.
Signed-off-by: Josh Boyer ]
+---
+ fs/proc/task_mmu.c | 3 +++
+ mm/mempolicy.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 442177b1119a..89620cdb57c9 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1354,6 +1354,9 @@ static int gather_hugetbl_stats(pte_t *pte, unsigned long hmask,
+ if (pte_none(*pte))
+ return 0;
+
++ if (!pte_present(*pte))
++ return 0;
++
+ page = pte_page(*pte);
+ if (!page)
+ return 0;
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 78e1472933ea..30cc47f8ffa0 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -526,9 +526,13 @@ static void queue_pages_hugetlb_pmd_range(struct vm_area_struct *vma,
+ int nid;
+ struct page *page;
+ spinlock_t *ptl;
++ pte_t entry;
+
+ ptl = huge_pte_lock(hstate_vma(vma), vma->vm_mm, (pte_t *)pmd);
+- page = pte_page(huge_ptep_get((pte_t *)pmd));
++ entry = huge_ptep_get((pte_t *)pmd);
++ if (!pte_present(entry))
++ goto unlock;
++ page = pte_page(entry);
+ nid = page_to_nid(page);
+ if (node_isset(nid, *nodes) == !!(flags & MPOL_MF_INVERT))
+ goto unlock;
+--
+1.9.3
+
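Review bot: The new `if (!pte_present(*pte))` guard in the fs/proc/task_mmu.c hunk is followed by a fresh load of the entry on `page = pte_page(*pte);`, so the check and the use read the page-table entry twice, and no page-table lock is visible around this callback, whereas the mempolicy.c hunk takes `huge_pte_lock()` and copies the entry into `entry` before testing it. If the walker does not hold the PTL for this callback (not visible in this hunk), a concurrent migration can replace the entry between the two loads and pte_page() still runs on a non-present value; snapshotting once, as the mempolicy.c side does, closes that window: `pte_t entry = huge_ptep_get(pte); if (!pte_present(entry)) return 0; page = pte_page(entry);`. With the presence check in place the preceding `pte_none(*pte)` test is redundant, since a none entry is never present, and the two could be folded into the single `!pte_present()` test. gather_hugetbl_stats opens and closes outside the hunk, so any later reads of `*pte` in its body would need the same snapshot treatment.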