iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/mm
History
Willy Tarreau adc143b97d proc: do not access cmdline nor environ from file-backed areas 
commit 7f7ccc2ccc2e70c6054685f5e3522efa81556830 upstream.

proc_pid_cmdline_read() and environ_read() directly access the target
process' VM to retrieve the command line and environment. If this
process remaps these areas onto a file via mmap(), the requesting
process may experience various issues such as extra delays if the
underlying device is slow to respond.

Let's simply refuse to access file-backed areas in these functions.
For this we add a new FOLL_ANON gup flag that is passed to all calls
to access_remote_vm(). The code already takes care of such failures
(including unmapped areas). Accesses via /proc/pid/mem were not
changed though.

This was assigned CVE-2018-1120.

Note for stable backports: the patch may apply to kernels prior to 4.11
but silently miss one location; it must be checked that no call to
access_remote_vm() keeps zero as the last argument.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 4.4:
 - Update the extra call to access_remote_vm() from proc_pid_cmdline_read()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-17 21:55:17 +01:00
..
kasan
kasan: fix shadow_size calculation error in kasan_module_alloc
2018-08-24 13:26:58 +02:00
backing-dev.c
writeback: fix the wrong congested state variable definition
2018-04-08 11:51:56 +02:00
balloon_compaction.c
virtio_balloon: fix race between migration and ballooning
2016-03-03 15:07:18 -08:00
bootmem.c
bootmem: avoid freeing to bootmem after bootmem is done
2015-09-08 15:35:28 -07:00
cleancache.c
cleancache: remove limit on the number of cleancache enabled filesystems
2015-04-14 16:49:03 -07:00
cma_debug.c
mm/cma_debug: correct size input to bitmap function
2015-07-17 16:39:54 -07:00
cma.c
cma: fix calculation of aligned offset
2018-01-31 12:06:09 +01:00
cma.h
mm: cma: mark cma_bitmap_maxno() inline in header
2015-08-14 15:56:32 -07:00
compaction.c
mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page
2018-01-17 09:35:26 +01:00
debug-pagealloc.c
mm, hwpoison: fixup "mm: check the return value of lookup_page_ext for all call sites"
2017-11-24 11:26:29 +01:00
debug.c
mm: get rid of vmacache_flush_all() entirely
2018-09-19 22:49:00 +02:00
dmapool.c
mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd
2015-11-06 17:50:42 -08:00
early_ioremap.c
mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
2018-02-25 11:03:41 +01:00
fadvise.c
mm/fadvise.c: fix signed overflow UBSAN complaint
2018-09-15 09:40:38 +02:00
failslab.c
mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM
2015-11-06 17:50:42 -08:00
filemap.c
mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read
2018-05-26 08:48:54 +02:00
frame_vector.c
mm: replace get_vaddr_frames() write/force parameters with gup_flags
2018-12-17 21:55:16 +01:00
frontswap.c
frontswap: allow multiple backends
2015-06-24 17:49:45 -07:00
gup.c
proc: do not access cmdline nor environ from file-backed areas
2018-12-17 21:55:17 +01:00
highmem.c
mm/highmem: make kmap cache coloring aware
2014-08-06 18:01:22 -07:00
huge_memory.c
mremap: properly flush TLB before releasing the page
2018-11-10 07:41:42 -08:00
hugetlb_cgroup.c
mm: make compound_head() robust
2015-11-06 17:50:42 -08:00
hugetlb.c
hugetlbfs: check for pgoff value overflow
2018-12-17 21:55:15 +01:00
hwpoison-inject.c
hwpoison: use page_cgroup_ino for filtering by memcg
2015-09-10 13:29:01 -07:00
init-mm.c
mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
2017-01-06 11:16:11 +01:00
internal.h
mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries
2017-08-11 09:08:50 -07:00
interval_tree.c
mm: replace vma->sharead.linear with vma->shared
2015-02-10 14:30:31 -08:00
Kconfig
mm: don't allow deferred pages with NEED_PER_CPU_KM
2018-05-26 08:48:55 +02:00
Kconfig.debug
mm/debug_pagealloc: remove obsolete Kconfig options
2015-01-08 15:10:52 -08:00
kmemcheck.c
mm/slab_common: move kmem_cache definition to internal header
2014-10-09 22:25:50 -04:00
kmemleak-test.c
mm/kmemleak-test.c: use pr_fmt for logging
2014-06-06 16:08:18 -07:00
kmemleak.c
mm/kmemleak.c: wait for scan completion before disabling free
2018-05-30 07:49:06 +02:00
ksm.c
mm/ksm: fix interaction with THP
2018-05-30 07:49:08 +02:00
list_lru.c
mm/list_lru.c: fix list_lru_count_node() to be race free
2017-07-21 07:44:56 +02:00
maccess.c
mm/maccess.c: actually return -EFAULT from strncpy_from_unsafe
2015-11-05 19:34:48 -08:00
madvise.c
mm: madvise(MADV_DODUMP): allow hugetlbfs pages
2018-10-10 08:52:11 +02:00
Makefile
media updates for v4.3-rc1
2015-09-11 16:42:39 -07:00
memblock.c
mm: consider memblock reservations for deferred memory initialization sizing
2017-06-14 13:16:26 +02:00
memcontrol.c
mm: memcg: fix use after free in mem_cgroup_iter()
2018-07-25 10:18:16 +02:00
memory_hotplug.c
base/memory, hotplug: fix a kernel oops in show_valid_zones()
2017-02-09 08:02:47 +01:00
memory-failure.c
hwpoison, memcg: forcibly uncharge LRU pages
2018-01-31 12:06:09 +01:00
memory.c
mm: replace access_remote_vm() write parameter with gup_flags
2018-12-17 21:55:17 +01:00
mempolicy.c
mm: replace get_user_pages() write/force parameters with gup_flags
2018-12-17 21:55:16 +01:00
mempool.c
mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
2017-08-12 19:29:09 -07:00
memtest.c
memtest: remove unused header files
2015-09-08 15:35:28 -07:00
migrate.c
Sanitize 'move_pages()' permission checks
2017-08-24 17:02:36 -07:00
mincore.c
mm/mincore: use offset_in_page macro
2015-11-05 19:34:48 -08:00
mlock.c
mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT)
2018-12-13 09:21:33 +01:00
mm_init.c
mm: meminit: remove mminit_verify_page_links
2015-06-30 19:44:56 -07:00
mmap.c
mm: do not bug_on on incorrect length in __mm_populate()
2018-11-21 09:27:41 +01:00
mmu_context.c
mm/mmu_context, sched/core: Fix mmu_context.h assumption
2017-12-25 14:22:09 +01:00
mmu_notifier.c
mmu-notifier: add clear_young callback
2015-09-10 13:29:01 -07:00
mmzone.c
mm: microoptimize zonelist operations
2015-02-11 17:06:02 -08:00
mprotect.c
x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
2018-08-15 17:42:10 +02:00
mremap.c
mremap: properly flush TLB before releasing the page
2018-11-10 07:41:42 -08:00
msync.c
mm/msync: use offset_in_page macro
2015-11-05 19:34:48 -08:00
nobootmem.c
mm: page_alloc: pass PFN to __free_pages_bootmem
2015-06-30 19:44:55 -07:00
nommu.c
mm: replace access_remote_vm() write parameter with gup_flags
2018-12-17 21:55:17 +01:00
oom_kill.c
mm/oom_kill.c: avoid attempting to kill init sharing same memory
2015-12-12 10:15:34 -08:00
page_alloc.c
mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
2018-07-11 16:03:51 +02:00
page_counter.c
mm: page_counter: let page_counter_try_charge() return bool
2015-11-05 19:34:48 -08:00
page_ext.c
mm/page_ext.c: check if page_ext is not prepared
2017-11-24 08:32:25 +01:00
page_idle.c
mm: introduce idle page tracking
2015-09-10 13:29:01 -07:00
page_io.c
fs: use helper bio_add_page() instead of open coding on bi_io_vec
2015-08-13 12:32:00 -06:00
page_isolation.c
mm: fix invalid node in alloc_migrate_target()
2016-04-20 15:41:53 +09:00
page_owner.c
mm: check the return value of lookup_page_ext for all call sites
2017-11-24 08:32:25 +01:00
page-writeback.c
writeback: safer lock nesting
2018-04-24 09:32:12 +02:00
pagewalk.c
mm/pagewalk.c: report holes in hugetlb ranges
2017-11-24 08:32:25 +01:00
percpu-km.c
percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated
2014-09-02 14:46:05 -04:00
percpu-vm.c
percpu: move region iterations out of pcpu_[de]populate_chunk()
2014-09-02 14:46:02 -04:00
percpu.c
percpu: include linux/sched.h for cond_resched()
2018-05-16 10:06:46 +02:00
pgtable-generic.c
mm,thp: khugepaged: call pte flush at the time of collapse
2016-02-25 12:01:23 -08:00
process_vm_access.c
mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
2018-12-17 21:55:16 +01:00
quicklist.c
readahead.c
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
rmap.c
mm: migration: fix migration of huge PMD shared pages
2018-11-21 09:27:44 +01:00
shmem.c
tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset
2018-12-01 09:46:35 +01:00
slab_common.c
slub: do not merge cache if slub_debug contains a never-merge flag
2017-10-21 17:09:05 +02:00
slab.c
mm, slab: reschedule cache_reap() on the same CPU
2018-04-24 09:32:05 +02:00
slab.h
slab/slub: adjust kmem_cache_alloc_bulk API
2015-11-22 11:58:44 -08:00
slob.c
slab/slub: adjust kmem_cache_alloc_bulk API
2015-11-22 11:58:44 -08:00
slub.c
slub: make ->cpu_partial unsigned int
2018-10-10 08:52:08 +02:00
sparse-vmemmap.c
sparse.c
swap_cgroup.c
mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
2017-07-05 14:37:15 +02:00
swap_state.c
mm: swap: zswap: maybe_preload & refactoring
2015-09-08 15:35:28 -07:00
swap.c
mm: make compound_head() robust
2015-11-06 17:50:42 -08:00
swapfile.c
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
2018-08-15 17:42:10 +02:00
truncate.c
mm: cleancache: fix corruption on missed inode invalidation
2018-12-13 09:21:33 +01:00
userfaultfd.c
userfaultfd: avoid mmap_sem read recursion in mcopy_atomic
2015-09-04 16:54:41 -07:00
util.c
mm: replace get_user_pages_unlocked() write/force parameters with gup_flags
2018-12-17 21:55:16 +01:00
vmacache.c
mm: get rid of vmacache_flush_all() entirely
2018-09-19 22:49:00 +02:00
vmalloc.c
mm: vmalloc: avoid racy handling of debugobjects in vunmap
2018-08-06 16:24:30 +02:00
vmpressure.c
mm: vmpressure: fix sending wrong events on underflow
2017-03-12 06:37:25 +01:00
vmscan.c
mm: fix the NULL mapping case in __isolate_lru_page()
2018-06-06 16:46:23 +02:00
vmstat.c
mm/vmstat.c: fix outdated vmstat_text
2018-10-20 09:52:34 +02:00
workingset.c
mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page()
2016-10-28 03:01:34 -04:00
zbud.c
mm: zsmalloc: constify struct zs_pool name
2015-11-06 17:50:42 -08:00
zpool.c
mm: zsmalloc: constify struct zs_pool name
2015-11-06 17:50:42 -08:00
zsmalloc.c
zsmalloc: fix zs_can_compact() integer overflow
2016-05-18 17:06:44 -07:00
zswap.c
zswap: re-check zswap_is_full() after do zswap_shrink()
2018-09-05 09:18:36 +02:00