Linux v4.16.10

2018-05-21 09:48:30 -04:00 · 2018-05-21 09:48:30 -04:00 · f2b2c6d600
parent 518d5bb753
commit f2b2c6d600
3 changed files with 5 additions and 111 deletions
--- a/0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
+++ b/0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
@ -1,106 +0,0 @@
-From 7f7ccc2ccc2e70c6054685f5e3522efa81556830 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Fri, 11 May 2018 08:11:44 +0200
-Subject: [PATCH] proc: do not access cmdline nor environ from file-backed
- areas
-
-proc_pid_cmdline_read() and environ_read() directly access the target
-process' VM to retrieve the command line and environment. If this
-process remaps these areas onto a file via mmap(), the requesting
-process may experience various issues such as extra delays if the
-underlying device is slow to respond.
-
-Let's simply refuse to access file-backed areas in these functions.
-For this we add a new FOLL_ANON gup flag that is passed to all calls
-to access_remote_vm(). The code already takes care of such failures
-(including unmapped areas). Accesses via /proc/pid/mem were not
-changed though.
-
-This was assigned CVE-2018-1120.
-
-Note for stable backports: the patch may apply to kernels prior to 4.11
-but silently miss one location; it must be checked that no call to
-access_remote_vm() keeps zero as the last argument.
-
-Reported-by: Qualys Security Advisory <qsa@qualys.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Andy Lutomirski <luto@amacapital.net>
-Cc: Oleg Nesterov <oleg@redhat.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
- fs/proc/base.c     | 8 ++++----
- include/linux/mm.h | 1 +
- mm/gup.c           | 3 +++
- 3 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 1b2ede6abcdf..1a76d751cf3c 100644
--- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
- 	 * Inherently racy -- command line shares address space
- 	 * with code and data.
- 	 */
-	rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
-+	rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON);
- 	if (rv <= 0)
- 		goto out_free_page;
-
-@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
- 			int nr_read;
-
- 			_count = min3(count, len, PAGE_SIZE);
-			nr_read = access_remote_vm(mm, p, page, _count, 0);
-+			nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
- 			if (nr_read < 0)
- 				rv = nr_read;
- 			if (nr_read <= 0)
-@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
- 				bool final;
-
- 				_count = min3(count, len, PAGE_SIZE);
-				nr_read = access_remote_vm(mm, p, page, _count, 0);
-+				nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
- 				if (nr_read < 0)
- 					rv = nr_read;
- 				if (nr_read <= 0)
-@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
- 		max_len = min_t(size_t, PAGE_SIZE, count);
- 		this_len = min(max_len, this_len);
-
-		retval = access_remote_vm(mm, (env_start + src), page, this_len, 0);
-+		retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON);
-
- 		if (retval <= 0) {
- 			ret = retval;
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 1ac1f06a4be6..c080af584ddd 100644
--- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
- #define FOLL_MLOCK	0x1000	/* lock present pages */
- #define FOLL_REMOTE	0x2000	/* we are working on non-current tsk/mm */
- #define FOLL_COW	0x4000	/* internal GUP flag */
-+#define FOLL_ANON	0x8000	/* don't do file mappings */
-
- static inline int vm_fault_to_errno(int vm_fault, int foll_flags)
- {
-diff --git a/mm/gup.c b/mm/gup.c
-index 76af4cfeaf68..541904a7c60f 100644
--- a/mm/gup.c
-+++ b/mm/gup.c
-@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
- 	if (vm_flags & (VM_IO | VM_PFNMAP))
- 		return -EFAULT;
-
-+	if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
-+		return -EFAULT;
-+
- 	if (write) {
- 		if (!(vm_flags & VM_WRITE)) {
- 			if (!(gup_flags & FOLL_FORCE))
-- 
-2.17.0
-
--- a/kernel.spec
+++ b/kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -660,9 +660,6 @@ Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
 # rhbz 1566258
 Patch512: KVM-vmx-update-sec-exec-controls-for-UMIP-iff-emulating-UMIP.patch

-# CVE-2018-1120 rhbz 1575472 1579542
-Patch513: 0001-proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
-
 # END OF PATCH DEFINITIONS

 %endif
@ -1936,6 +1933,9 @@ fi
 #
 #
 %changelog
+* Mon May 21 2018 Jeremy Cline <jcline@redhat.com> - 4.16.10-100
+- Linux v4.16.10
+
 * Sun May 20 2018 Hans de Goede <hdegoede@redhat.com>
 - Enable GPIO_AMDPT, PINCTRL_AMD and X86_AMD_PLATFORM_DEVICE Kconfig options
  to fix i2c and GPIOs not working on AMD based laptops (rhbz#1510649)
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (linux-4.16.tar.xz) = ab47849314b177d0eec9dbf261f33972b0d89fb92fb0650130ffa7abc2f36c0fab2d06317dc1683c51a472a9a631573a9b1e7258d6281a2ee189897827f14662
-SHA512 (patch-4.16.9.xz) = d3a26957b13ba6e7e9488991cbdfe4ac20112efccbd3ed6a5c786e344731561323ec3d36e0b163debcbdcc33a8c7c545ee755b33e14c8d10e0ce3e27d90ac109
+SHA512 (patch-4.16.10.xz) = 53d700ca245341cd6493ecd01af069b2015564c9d7514751348e57047838bb1a6379f065dcf21312cf8f861f5569d28e7445846b40d14c225c644a69c09da5d1