[kernel/f19] CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
Josh Boyer
jwboyer at fedoraproject.org
Fri Jun 6 16:17:16 UTC 2014
commit cd5a0159c6314103bbc7c2f2320cd09300f398fa
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Fri Jun 6 10:05:59 2014 -0400
CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
kernel.spec | 9 +++
...check-on-existing-hugetlb_entry-callbacks.patch | 71 ++++++++++++++++++++
2 files changed, 80 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index a5a1354..b941443 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -778,6 +778,9 @@ Patch25093: auditsc-audit_krule-mask-accesses-need-bounds-checking.patch
#rhbz 1099857
Patch25095: team-fix-mtu-setting.patch
+# CVE-2014-3940 rhbz 1104097 1105042
+Patch25096: mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1499,6 +1502,9 @@ ApplyPatch auditsc-audit_krule-mask-accesses-need-bounds-checking.patch
#rhbz 1099857
ApplyPatch team-fix-mtu-setting.patch
+# CVE-2014-3940 rhbz 1104097 1105042
+ApplyPatch mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2311,6 +2317,9 @@ fi
# and build.
%changelog
+* Fri Jun 06 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
+
* Tue Jun 03 2014 Josh Boyer <jwboyer at fedoraproject.org>
- Add fix for team MTU settings from Jiri Pirko (rhbz 1099857)
- Backport fix for issues with Quagga introduced by CVE fixes (rhbz 1097684)
diff --git a/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch b/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
new file mode 100644
index 0000000..0227d27
--- /dev/null
+++ b/mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
@@ -0,0 +1,71 @@
+Bugzilla: 1104097 1105042
+Upstream-status: Queued in linux-next, CC'd to stable
+
+From ecc894926ef62080c2a4c4286eccce9d2f30f05a Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <n-horiguchi at ah.jp.nec.com>
+Date: Fri, 6 Jun 2014 10:00:01 -0400
+Subject: [PATCH] mm: add !pte_present() check on existing hugetlb_entry
+ callbacks
+
+Page table walker doesn't check non-present hugetlb entry in common path,
+so hugetlb_entry() callbacks must check it. The reason for this behavior
+is that some callers want to handle it in its own way.
+
+However, some callers don't check it now, which causes unpredictable
+result, for example when we have a race between migrating hugepage and
+reading /proc/pid/numa_maps. This patch fixes it by adding !pte_present
+checks on buggy callbacks.
+
+This bug exists for years and got visible by introducing hugepage migration.
+
+ChangeLog v2:
+- fix if condition (check !pte_present() instead of pte_present())
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Signed-off-by: Naoya Horiguchi <n-horiguchi at ah.jp.nec.com>
+Cc: Rik van Riel <riel at redhat.com>
+Cc: <stable at vger.kernel.org> [3.12+]
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+
+[ Backported to 3.15. Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org> ]
+---
+ fs/proc/task_mmu.c | 3 +++
+ mm/mempolicy.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 442177b1119a..89620cdb57c9 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1354,6 +1354,9 @@ static int gather_hugetbl_stats(pte_t *pte, unsigned long hmask,
+ if (pte_none(*pte))
+ return 0;
+
++ if (!pte_present(*pte))
++ return 0;
++
+ page = pte_page(*pte);
+ if (!page)
+ return 0;
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 78e1472933ea..30cc47f8ffa0 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -526,9 +526,13 @@ static void queue_pages_hugetlb_pmd_range(struct vm_area_struct *vma,
+ int nid;
+ struct page *page;
+ spinlock_t *ptl;
++ pte_t entry;
+
+ ptl = huge_pte_lock(hstate_vma(vma), vma->vm_mm, (pte_t *)pmd);
+- page = pte_page(huge_ptep_get((pte_t *)pmd));
++ entry = huge_ptep_get((pte_t *)pmd);
++ if (!pte_present(entry))
++ goto unlock;
++ page = pte_page(entry);
+ nid = page_to_nid(page);
+ if (node_isset(nid, *nodes) == !!(flags & MPOL_MF_INVERT))
+ goto unlock;
+--
+1.9.3
+
More information about the scm-commits
mailing list