[azure][PATCH 0/2] Fixes for CVE-2017-16939 and CVE-2017-1000405

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

[azure][PATCH 0/2] Fixes for CVE-2017-16939 and CVE-2017-1000405

Marcelo Henrique Cerri
Both CVEs affect linux-azure 4.11.0-1015.15 and were tested with the
reproducers found at:

- CVE-2017-16939: https://bugzilla.suse.com/show_bug.cgi?id=1069702
- CVE-2017-1000405: https://github.com/bindecy/HugeDirtyCowPOC

The fixes are clean cherry picks from upstream.

Herbert Xu (1):
  ipsec: Fix aborted xfrm policy dump crash

Kirill A. Shutemov (1):
  mm, thp: Do not make page table dirty unconditionally in
    touch_p[mu]d()

 mm/huge_memory.c     | 36 +++++++++++++-----------------------
 net/xfrm/xfrm_user.c | 25 +++++++++++++++----------
 2 files changed, 28 insertions(+), 33 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[azure][PATCH 1/2] ipsec: Fix aborted xfrm policy dump crash

Marcelo Henrique Cerri
From: Herbert Xu <[hidden email]>

An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash.  This can be
triggered if a dump fails because the target socket's receive
buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <[hidden email]>
Signed-off-by: Steffen Klassert <[hidden email]>

CVE-2017-16939
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Signed-off-by: Marcelo Henrique Cerri <[hidden email]>
---
 net/xfrm/xfrm_user.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 66698552fbd6..4638446c1c41 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1656,32 +1656,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
 
 static int xfrm_dump_policy_done(struct netlink_callback *cb)
 {
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
  struct net *net = sock_net(cb->skb->sk);
 
  xfrm_policy_walk_done(walk, net);
  return 0;
 }
 
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+
+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+
+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+ return 0;
+}
+
 static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
 {
  struct net *net = sock_net(skb->sk);
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
  struct xfrm_dump_info info;
 
- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
-     sizeof(cb->args) - sizeof(cb->args[0]));
-
  info.in_skb = cb->skb;
  info.out_skb = skb;
  info.nlmsg_seq = cb->nlh->nlmsg_seq;
  info.nlmsg_flags = NLM_F_MULTI;
 
- if (!cb->args[0]) {
- cb->args[0] = 1;
- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
- }
-
  (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
 
  return skb->len;
@@ -2416,6 +2418,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
 
 static const struct xfrm_link {
  int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+ int (*start)(struct netlink_callback *);
  int (*dump)(struct sk_buff *, struct netlink_callback *);
  int (*done)(struct netlink_callback *);
  const struct nla_policy *nla_pol;
@@ -2429,6 +2432,7 @@ static const struct xfrm_link {
  [XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
  [XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
  [XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+   .start = xfrm_dump_policy_start,
    .dump = xfrm_dump_policy,
    .done = xfrm_dump_policy_done },
  [XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
@@ -2480,6 +2484,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 
  {
  struct netlink_dump_control c = {
+ .start = link->start,
  .dump = link->dump,
  .done = link->done,
  };
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[azure][PATCH 2/2] mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()

Marcelo Henrique Cerri
In reply to this post by Marcelo Henrique Cerri
From: Kirill A. Shutemov <[hidden email]>

Currently, we unconditionally make page table dirty in touch_pmd().
It may result in false-positive can_follow_write_pmd().

We may avoid the situation, if we would only make the page table entry
dirty if caller asks for write access -- FOLL_WRITE.

The patch also changes touch_pud() in the same way.

Signed-off-by: Kirill A. Shutemov <[hidden email]>
Cc: Michal Hocko <[hidden email]>
Cc: Hugh Dickins <[hidden email]>
Signed-off-by: Linus Torvalds <[hidden email]>

CVE-2017-1000405
(cherry picked from commit a8f97366452ed491d13cf1e44241bc0b5740b1f0)
Signed-off-by: Marcelo Henrique Cerri <[hidden email]>
---
 mm/huge_memory.c | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 6560174edf2a..4c32bb392a5e 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -814,20 +814,15 @@ EXPORT_SYMBOL_GPL(vmf_insert_pfn_pud);
 #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
 
 static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,
- pmd_t *pmd)
+ pmd_t *pmd, int flags)
 {
  pmd_t _pmd;
 
- /*
- * We should set the dirty bit only for FOLL_WRITE but for now
- * the dirty bit in the pmd is meaningless.  And if the dirty
- * bit will become meaningful and we'll only set it with
- * FOLL_WRITE, an atomic set_bit will be required on the pmd to
- * set the young bit, instead of the current set_pmd_at.
- */
- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
+ _pmd = pmd_mkyoung(*pmd);
+ if (flags & FOLL_WRITE)
+ _pmd = pmd_mkdirty(_pmd);
  if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
- pmd, _pmd,  1))
+ pmd, _pmd, flags & FOLL_WRITE))
  update_mmu_cache_pmd(vma, addr, pmd);
 }
 
@@ -856,7 +851,7 @@ struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr,
  return NULL;
 
  if (flags & FOLL_TOUCH)
- touch_pmd(vma, addr, pmd);
+ touch_pmd(vma, addr, pmd, flags);
 
  /*
  * device mapped pages can only be returned if the
@@ -945,20 +940,15 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
 
 #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
 static void touch_pud(struct vm_area_struct *vma, unsigned long addr,
- pud_t *pud)
+ pud_t *pud, int flags)
 {
  pud_t _pud;
 
- /*
- * We should set the dirty bit only for FOLL_WRITE but for now
- * the dirty bit in the pud is meaningless.  And if the dirty
- * bit will become meaningful and we'll only set it with
- * FOLL_WRITE, an atomic set_bit will be required on the pud to
- * set the young bit, instead of the current set_pud_at.
- */
- _pud = pud_mkyoung(pud_mkdirty(*pud));
+ _pud = pud_mkyoung(*pud);
+ if (flags & FOLL_WRITE)
+ _pud = pud_mkdirty(_pud);
  if (pudp_set_access_flags(vma, addr & HPAGE_PUD_MASK,
- pud, _pud,  1))
+ pud, _pud, flags & FOLL_WRITE))
  update_mmu_cache_pud(vma, addr, pud);
 }
 
@@ -981,7 +971,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
  return NULL;
 
  if (flags & FOLL_TOUCH)
- touch_pud(vma, addr, pud);
+ touch_pud(vma, addr, pud, flags);
 
  /*
  * device mapped pages can only be returned if the
@@ -1343,7 +1333,7 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
  page = pmd_page(*pmd);
  VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);
  if (flags & FOLL_TOUCH)
- touch_pmd(vma, addr, pmd);
+ touch_pmd(vma, addr, pmd, flags);
  if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
  /*
  * We don't mlock() pte-mapped THPs. This way we can avoid
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [azure][PATCH 1/2] ipsec: Fix aborted xfrm policy dump crash

Kleber Souza
In reply to this post by Marcelo Henrique Cerri
On 12/05/17 15:03, Marcelo Henrique Cerri wrote:

> From: Herbert Xu <[hidden email]>
>
> An independent security researcher, Mohamed Ghannam, has reported
> this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
> program.
>
> The xfrm_dump_policy_done function expects xfrm_dump_policy to
> have been called at least once or it will crash.  This can be
> triggered if a dump fails because the target socket's receive
> buffer is full.
>
> This patch fixes it by using the cb->start mechanism to ensure that
> the initialisation is always done regardless of the buffer situation.
>
> Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
> Signed-off-by: Herbert Xu <[hidden email]>
> Signed-off-by: Steffen Klassert <[hidden email]>
>
> CVE-2017-16939
> (cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
> Signed-off-by: Marcelo Henrique Cerri <[hidden email]>

Clean cherry-pick, fix tested on other series as well and verified to
fix the issue.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  net/xfrm/xfrm_user.c | 25 +++++++++++++++----------
>  1 file changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 66698552fbd6..4638446c1c41 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1656,32 +1656,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
>  
>  static int xfrm_dump_policy_done(struct netlink_callback *cb)
>  {
> - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
> + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
>   struct net *net = sock_net(cb->skb->sk);
>  
>   xfrm_policy_walk_done(walk, net);
>   return 0;
>  }
>  
> +static int xfrm_dump_policy_start(struct netlink_callback *cb)
> +{
> + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
> +
> + BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
> +
> + xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
> + return 0;
> +}
> +
>  static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
>  {
>   struct net *net = sock_net(skb->sk);
> - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
> + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
>   struct xfrm_dump_info info;
>  
> - BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
> -     sizeof(cb->args) - sizeof(cb->args[0]));
> -
>   info.in_skb = cb->skb;
>   info.out_skb = skb;
>   info.nlmsg_seq = cb->nlh->nlmsg_seq;
>   info.nlmsg_flags = NLM_F_MULTI;
>  
> - if (!cb->args[0]) {
> - cb->args[0] = 1;
> - xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
> - }
> -
>   (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
>  
>   return skb->len;
> @@ -2416,6 +2418,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
>  
>  static const struct xfrm_link {
>   int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
> + int (*start)(struct netlink_callback *);
>   int (*dump)(struct sk_buff *, struct netlink_callback *);
>   int (*done)(struct netlink_callback *);
>   const struct nla_policy *nla_pol;
> @@ -2429,6 +2432,7 @@ static const struct xfrm_link {
>   [XFRM_MSG_NEWPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_add_policy    },
>   [XFRM_MSG_DELPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy    },
>   [XFRM_MSG_GETPOLICY   - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
> +   .start = xfrm_dump_policy_start,
>     .dump = xfrm_dump_policy,
>     .done = xfrm_dump_policy_done },
>   [XFRM_MSG_ALLOCSPI    - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
> @@ -2480,6 +2484,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  
>   {
>   struct netlink_dump_control c = {
> + .start = link->start,
>   .dump = link->dump,
>   .done = link->done,
>   };
>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [azure][PATCH 2/2] mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()

Kleber Souza
In reply to this post by Marcelo Henrique Cerri
On 12/05/17 15:03, Marcelo Henrique Cerri wrote:

> From: Kirill A. Shutemov <[hidden email]>
>
> Currently, we unconditionally make page table dirty in touch_pmd().
> It may result in false-positive can_follow_write_pmd().
>
> We may avoid the situation, if we would only make the page table entry
> dirty if caller asks for write access -- FOLL_WRITE.
>
> The patch also changes touch_pud() in the same way.
>
> Signed-off-by: Kirill A. Shutemov <[hidden email]>
> Cc: Michal Hocko <[hidden email]>
> Cc: Hugh Dickins <[hidden email]>
> Signed-off-by: Linus Torvalds <[hidden email]>
>
> CVE-2017-1000405
> (cherry picked from commit a8f97366452ed491d13cf1e44241bc0b5740b1f0)
> Signed-off-by: Marcelo Henrique Cerri <[hidden email]>

Clean cherry-pick, fix tested on other series as well and verified to
fix the issue.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  mm/huge_memory.c | 36 +++++++++++++-----------------------
>  1 file changed, 13 insertions(+), 23 deletions(-)
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 6560174edf2a..4c32bb392a5e 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -814,20 +814,15 @@ EXPORT_SYMBOL_GPL(vmf_insert_pfn_pud);
>  #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
>  
>  static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,
> - pmd_t *pmd)
> + pmd_t *pmd, int flags)
>  {
>   pmd_t _pmd;
>  
> - /*
> - * We should set the dirty bit only for FOLL_WRITE but for now
> - * the dirty bit in the pmd is meaningless.  And if the dirty
> - * bit will become meaningful and we'll only set it with
> - * FOLL_WRITE, an atomic set_bit will be required on the pmd to
> - * set the young bit, instead of the current set_pmd_at.
> - */
> - _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
> + _pmd = pmd_mkyoung(*pmd);
> + if (flags & FOLL_WRITE)
> + _pmd = pmd_mkdirty(_pmd);
>   if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
> - pmd, _pmd,  1))
> + pmd, _pmd, flags & FOLL_WRITE))
>   update_mmu_cache_pmd(vma, addr, pmd);
>  }
>  
> @@ -856,7 +851,7 @@ struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr,
>   return NULL;
>  
>   if (flags & FOLL_TOUCH)
> - touch_pmd(vma, addr, pmd);
> + touch_pmd(vma, addr, pmd, flags);
>  
>   /*
>   * device mapped pages can only be returned if the
> @@ -945,20 +940,15 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
>  
>  #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
>  static void touch_pud(struct vm_area_struct *vma, unsigned long addr,
> - pud_t *pud)
> + pud_t *pud, int flags)
>  {
>   pud_t _pud;
>  
> - /*
> - * We should set the dirty bit only for FOLL_WRITE but for now
> - * the dirty bit in the pud is meaningless.  And if the dirty
> - * bit will become meaningful and we'll only set it with
> - * FOLL_WRITE, an atomic set_bit will be required on the pud to
> - * set the young bit, instead of the current set_pud_at.
> - */
> - _pud = pud_mkyoung(pud_mkdirty(*pud));
> + _pud = pud_mkyoung(*pud);
> + if (flags & FOLL_WRITE)
> + _pud = pud_mkdirty(_pud);
>   if (pudp_set_access_flags(vma, addr & HPAGE_PUD_MASK,
> - pud, _pud,  1))
> + pud, _pud, flags & FOLL_WRITE))
>   update_mmu_cache_pud(vma, addr, pud);
>  }
>  
> @@ -981,7 +971,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
>   return NULL;
>  
>   if (flags & FOLL_TOUCH)
> - touch_pud(vma, addr, pud);
> + touch_pud(vma, addr, pud, flags);
>  
>   /*
>   * device mapped pages can only be returned if the
> @@ -1343,7 +1333,7 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
>   page = pmd_page(*pmd);
>   VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);
>   if (flags & FOLL_TOUCH)
> - touch_pmd(vma, addr, pmd);
> + touch_pmd(vma, addr, pmd, flags);
>   if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
>   /*
>   * We don't mlock() pte-mapped THPs. This way we can avoid
>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [azure][PATCH 0/2] Fixes for CVE-2017-16939 and CVE-2017-1000405

benjamin.romer
In reply to this post by Marcelo Henrique Cerri
Reply | Threaded
Open this post in threaded view
|

APPLIED: [azure][PATCH 0/2] Fixes for CVE-2017-16939 and CVE-2017-1000405

Marcelo Henrique Cerri
In reply to this post by Marcelo Henrique Cerri
--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (484 bytes) Download Attachment