From ab54dce92e6c2a3df550184bd7c7de532201175e Mon Sep 17 00:00:00 2001 From: Peter Xu Date: Tue, 6 Aug 2024 16:49:31 +0800 Subject: [PATCH 1/2] mm/userfaultfd: fail uffd-wp registration if not supported mainline inclusion from mainline-v5.14-rc1 commit 00b151f21f390f1e0b294720a3660506abaf49cd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEN5 CVE: CVE-2024-41027 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=00b151f21f390f1e0b294720a3660506abaf49cd -------------------------------- We should fail uffd-wp registration immediately if the arch does not even have CONFIG_HAVE_ARCH_USERFAULTFD_WP defined. That'll block also relevant ioctls on e.g. UFFDIO_WRITEPROTECT because that'll check against VM_UFFD_WP, which can only be applied with a success registration. Remove the WP feature bit too for those archs when handling UFFDIO_API ioctl. Link: https://lkml.kernel.org/r/20210428225030.9708-5-peterx@redhat.com Signed-off-by: Peter Xu Cc: Alexander Viro Cc: Andrea Arcangeli Cc: Axel Rasmussen Cc: Brian Geffon Cc: "Dr . David Alan Gilbert" Cc: Hugh Dickins Cc: Jerome Glisse Cc: Joe Perches Cc: Kirill A. Shutemov Cc: Lokesh Gidra Cc: Mike Kravetz Cc: Mike Rapoport Cc: Mina Almasry Cc: Oliver Upton Cc: Shaohua Li Cc: Shuah Khan Cc: Stephen Rothwell Cc: Wang Qing Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/userfaultfd.c [Yongqiang: Only fix context] Signed-off-by: Yongqiang Liu
---
 fs/userfaultfd.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index dfa1a638640c..e92baac4c3de 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1306,8 +1306,12 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
 goto out;
 if (uffdio_register.mode & UFFDIO_REGISTER_MODE_MISSING)
 vm_flags |= VM_UFFD_MISSING;
- if (uffdio_register.mode & UFFDIO_REGISTER_MODE_WP)
+ if (uffdio_register.mode & UFFDIO_REGISTER_MODE_WP) {
+#ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP
+ goto out;
+#endif
 vm_flags |= VM_UFFD_WP;
+ }
 ret = validate_range(mm, uffdio_register.range.start,
 uffdio_register.range.len);
@@ -1887,6 +1891,9 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
 goto err_out;
 /* report all available features and ioctls to userland */
 uffdio_api.features = UFFD_API_FEATURES;
+#ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP
+ uffdio_api.features &= ~UFFD_FEATURE_PAGEFAULT_FLAG_WP;
+#endif
 uffdio_api.ioctls = UFFD_API_IOCTLS;
 ret = -EFAULT;
 if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
-- Gitee
From de1b2a2023ce9f8d8dc33b9624ebc6f622c39d21 Mon Sep 17 00:00:00 2001
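Review bot: In userfaultfd_register, the added `goto out` under `#ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP` returns whatever `ret` already holds, and nothing in this hunk sets it; the value comes from an assignment above the hunk (presumably -EINVAL from the earlier mode checks, which are not visible here). After confirming that value I would state it on the line itself, e.g. `/* arch has no uffd-wp: reject the registration, ret is still -EINVAL here */`. On those architectures the `vm_flags |= VM_UFFD_WP;` that follows sits behind an unconditional jump, which is harmless but will show up in static-analysis output as unreachable code. The function body starts and ends outside the hunk.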
From: Audra Mitchell Date: Tue, 6 Aug 2024 16:49:32 +0800 Subject: [PATCH 2/2] Fix userfaultfd_api to return EINVAL as expected mainline inclusion from mainline-v6.10 commit 1723f04caacb32cadc4e063725d836a0c4450694 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEN5 CVE: CVE-2024-41027 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1723f04caacb32cadc4e063725d836a0c4450694 -------------------------------- Currently if we request a feature that is not set in the Kernel config we fail silently and return all the available features. However, the man page indicates we should return an EINVAL. We need to fix this issue since we can end up with a Kernel warning should a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with the config not set with this feature. [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660 [ 200.820738] Modules linked in: [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8 [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022 [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660 Link: https://lkml.kernel.org/r/20240626130513.120193-1-audra@redhat.com Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") Signed-off-by: Audra Mitchell Cc: Al Viro Cc: Andrea Arcangeli Cc: Christian Brauner Cc: Jan Kara Cc: Mike Rapoport Cc: Peter Xu Cc: Rafael Aquini Cc: Shaohua Li Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton Conflicts: fs/userfaultfd.c [Yongqiang: Only fix context] Signed-off-by: Yongqiang Liu
---
 fs/userfaultfd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index e92baac4c3de..3436c9917f51 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1884,7 +1884,7 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
 goto out;
 features = uffdio_api.features;
 ret = -EINVAL;
- if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES))
+ if (uffdio_api.api != UFFD_API)
 goto err_out;
 ret = -EPERM;
 if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE))
@@ -1894,6 +1894,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
 #ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP
 uffdio_api.features &= ~UFFD_FEATURE_PAGEFAULT_FLAG_WP;
 #endif
+
+ ret = -EINVAL;
+ if (features & ~uffdio_api.features)
+ goto err_out;
+
 uffdio_api.ioctls = UFFD_API_IOCTLS;
 ret = -EFAULT;
 if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
-- Gitee
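Review bot: Dropping `(features & ~UFFD_API_FEATURES)` from the first test in userfaultfd_api moves all feature-bit validation behind the CAP_SYS_PTRACE test, so the errno seen by some callers changes. A caller without that capability who sets UFFD_FEATURE_EVENT_FORK together with an unsupported bit now fails the capability test first (presumably with -EPERM; the branch body is outside the hunk), where the old code returned -EINVAL. The ordering looks acceptable, but it is visible to userspace and should be recorded next to the code, for example `/* unsupported feature bits are rejected further down, once the supported set is known */` above the `uffdio_api.api != UFFD_API` test. The function body starts and ends outside the hunk.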
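Review bot: The new `if (features & ~uffdio_api.features)` test in userfaultfd_api is only correct because `uffdio_api.features` has by then been overwritten with the supported set and trimmed by the `#ifndef` block just above; the caller's request lives in `features`, and nothing on these lines says so. A comment would keep a later backport from adding a config-dependent mask below the test, which would bring back the silent acceptance this commit removes: `/* uffdio_api.features is now the supported set; any per-config masking must stay above this check */`. What `err_out` does with the partially filled `uffdio_api` is outside the hunk, so it is worth confirming that the failure path does not hand the supported mask back as if the call had succeeded.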