[linux] 01/01: Add fix for CVE-2016-3961 including prerequisites
debian-kernel at lists.debian.org
Tue May 31 11:51:48 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit b07f5015beabeadda16f0b562b62ad6b2c389d05
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue May 31 12:49:52 2016 +0100
Add fix for CVE-2016-3961 including prerequisites
---
debian/changelog | 3 +
...age-access-is-denied-if-hugepages-are-not.patch | 141 +++++++++++++++++++++
...allow-hugepages_supported-to-be-architect.patch | 52 ++++++++
...86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch | 68 ++++++++++
debian/patches/series | 3 +
5 files changed, 267 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 7ceef93..f0ae802 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -169,6 +169,9 @@ linux (3.2.80-1) UNRELEASED; urgency=medium
- for aufs: new f_op->setfl() to support fcntl(F_SETFL)
- aufs: implement new f_op->setfl()
- fs: Fix ABI change for aufs F_SETFL fix
+ * hugetlb: ensure hugepage access is denied if hugepages are not supported
+ * mm: hugetlb: allow hugepages_supported to be architecture specific
+ * [x86] mm/xen: Suppress hugetlbfs in PV guests (CVE-2016-3961)
[ Salvatore Bonaccorso ]
* get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
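Review bot: The two entries added above the CVE line ("hugetlb: ensure hugepage access is denied if hugepages are not supported" and "mm: hugetlb: allow hugepages_supported to be architecture specific") do not say that they are prerequisites of the CVE-2016-3961 fix; only the commit subject does. Consider nesting them under the CVE entry or marking them as prerequisites, so that someone reading the changelog alone can tell the three patches have to be carried or reverted together.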
diff --git a/debian/patches/bugfix/all/hugetlb-ensure-hugepage-access-is-denied-if-hugepages-are-not.patch b/debian/patches/bugfix/all/hugetlb-ensure-hugepage-access-is-denied-if-hugepages-are-not.patch
new file mode 100644
index 0000000..19b360b
--- /dev/null
+++ b/debian/patches/bugfix/all/hugetlb-ensure-hugepage-access-is-denied-if-hugepages-are-not.patch
@@ -0,0 +1,141 @@
+From: Nishanth Aravamudan <nacc at linux.vnet.ibm.com>
+Date: Tue, 6 May 2014 12:50:00 -0700
+Subject: hugetlb: ensure hugepage access is denied if hugepages are not
+ supported
+
+commit 457c1b27ed56ec472d202731b12417bff023594a upstream.
+
+Currently, I am seeing the following when I `mount -t hugetlbfs /none
+/dev/hugetlbfs`, and then simply do a `ls /dev/hugetlbfs`. I think it's
+related to the fact that hugetlbfs is properly not correctly setting
+itself up in this state?:
+
+ Unable to handle kernel paging request for data at address 0x00000031
+ Faulting instruction address: 0xc000000000245710
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ SMP NR_CPUS=2048 NUMA pSeries
+ ....
+
+In KVM guests on Power, in a guest not backed by hugepages, we see the
+following:
+
+ AnonHugePages: 0 kB
+ HugePages_Total: 0
+ HugePages_Free: 0
+ HugePages_Rsvd: 0
+ HugePages_Surp: 0
+ Hugepagesize: 64 kB
+
+HPAGE_SHIFT == 0 in this configuration, which indicates that hugepages
+are not supported at boot-time, but this is only checked in
+hugetlb_init(). Extract the check to a helper function, and use it in a
+few relevant places.
+
+This does make hugetlbfs not supported (not registered at all) in this
+environment. I believe this is fine, as there are no valid hugepages
+and that won't change at runtime.
+
+[akpm at linux-foundation.org: use pr_info(), per Mel]
+[akpm at linux-foundation.org: fix build when HPAGE_SHIFT is undefined]
+Signed-off-by: Nishanth Aravamudan <nacc at linux.vnet.ibm.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
+Acked-by: Mel Gorman <mgorman at suse.de>
+Cc: Randy Dunlap <rdunlap at infradead.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - Drop changes to hugetlb_show_meminfo()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/hugetlbfs/inode.c | 5 +++++
+ include/linux/hugetlb.h | 10 ++++++++++
+ mm/hugetlb.c | 19 ++++++++++++++-----
+ 3 files changed, 29 insertions(+), 5 deletions(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -979,6 +979,11 @@ static int __init init_hugetlbfs_fs(void
+ int error;
+ struct vfsmount *vfsmount;
+
++ if (!hugepages_supported()) {
++ pr_info("hugetlbfs: disabling because there are no supported hugepage sizes\n");
++ return -ENOTSUPP;
++ }
++
+ error = bdi_init(&hugetlbfs_backing_dev_info);
+ if (error)
+ return error;
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -344,6 +344,16 @@ static inline pgoff_t basepage_index(str
+ return __basepage_index(page);
+ }
+
++static inline bool hugepages_supported(void)
++{
++ /*
++ * Some platform decide whether they support huge pages at boot
++ * time. On these, such as powerpc, HPAGE_SHIFT is set to 0 when
++ * there is no such support
++ */
++ return HPAGE_SHIFT != 0;
++}
++
+ #else
+ struct hstate {};
+ #define alloc_huge_page_node(h, nid) NULL
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1889,11 +1889,7 @@ module_exit(hugetlb_exit);
+
+ static int __init hugetlb_init(void)
+ {
+- /* Some platform decide whether they support huge pages at boot
+- * time. On these, such as powerpc, HPAGE_SHIFT is set to 0 when
+- * there is no such support
+- */
+- if (HPAGE_SHIFT == 0)
++ if (!hugepages_supported())
+ return 0;
+
+ if (!size_to_hstate(default_hstate_size)) {
+@@ -2010,6 +2006,9 @@ static int hugetlb_sysctl_handler_common
+ unsigned long tmp;
+ int ret;
+
++ if (!hugepages_supported())
++ return -ENOTSUPP;
++
+ tmp = h->max_huge_pages;
+
+ if (write && h->order >= MAX_ORDER)
+@@ -2075,6 +2074,9 @@ int hugetlb_overcommit_handler(struct ct
+ unsigned long tmp;
+ int ret;
+
++ if (!hugepages_supported())
++ return -ENOTSUPP;
++
+ tmp = h->nr_overcommit_huge_pages;
+
+ if (write && h->order >= MAX_ORDER)
+@@ -2100,6 +2102,8 @@ out:
+ void hugetlb_report_meminfo(struct seq_file *m)
+ {
+ struct hstate *h = &default_hstate;
++ if (!hugepages_supported())
++ return;
+ seq_printf(m,
+ "HugePages_Total: %5lu\n"
+ "HugePages_Free: %5lu\n"
+@@ -2116,6 +2120,8 @@ void hugetlb_report_meminfo(struct seq_f
+ int hugetlb_report_node_meminfo(int nid, char *buf)
+ {
+ struct hstate *h = &default_hstate;
++ if (!hugepages_supported())
++ return 0;
+ return sprintf(buf,
+ "Node %d HugePages_Total: %5u\n"
+ "Node %d HugePages_Free: %5u\n"
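Review bot: The early returns added to hugetlb_sysctl_handler_common() and hugetlb_overcommit_handler() in mm/hugetlb.c use -ENOTSUPP, which is a kernel-internal error code with no userspace definition, so a read or write of these sysctls on a system without hugepage support would hand userspace an errno it has no name for. -EOPNOTSUPP would give callers a defined error. The same value in init_hugetlbfs_fs() matters less because it is only an initcall return, but using one code throughout would be tidier. As a smaller style point, the checks added in hugetlb_report_meminfo() and hugetlb_report_node_meminfo() follow the declaration of h with no blank line in between.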
diff --git a/debian/patches/bugfix/all/mm-hugetlb-allow-hugepages_supported-to-be-architect.patch b/debian/patches/bugfix/all/mm-hugetlb-allow-hugepages_supported-to-be-architect.patch
new file mode 100644
index 0000000..d00d0ec
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-hugetlb-allow-hugepages_supported-to-be-architect.patch
@@ -0,0 +1,52 @@
+From: Dominik Dingel <dingel at linux.vnet.ibm.com>
+Date: Fri, 17 Jul 2015 16:23:37 -0700
+Subject: mm: hugetlb: allow hugepages_supported to be architecture specific
+
+commit 2531c8cf56a640cd7d17057df8484e570716a450 upstream.
+
+s390 has a constant hugepage size, by setting HPAGE_SHIFT we also change
+e.g. the pageblock_order, which should be independent in respect to
+hugepage support.
+
+With this patch every architecture is free to define how to check
+for hugepage support.
+
+Signed-off-by: Dominik Dingel <dingel at linux.vnet.ibm.com>
+Acked-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens at de.ibm.com>
+Cc: Christian Borntraeger <borntraeger at de.ibm.com>
+Cc: Michael Holzheu <holzheu at linux.vnet.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer at de.ibm.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/linux/hugetlb.h | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -344,15 +344,14 @@ static inline pgoff_t basepage_index(str
+ return __basepage_index(page);
+ }
+
+-static inline bool hugepages_supported(void)
+-{
+- /*
+- * Some platform decide whether they support huge pages at boot
+- * time. On these, such as powerpc, HPAGE_SHIFT is set to 0 when
+- * there is no such support
+- */
+- return HPAGE_SHIFT != 0;
+-}
++#ifndef hugepages_supported
++/*
++ * Some platform decide whether they support huge pages at boot
++ * time. Some of them, such as powerpc, set HPAGE_SHIFT to 0
++ * when there is no such support
++ */
++#define hugepages_supported() (HPAGE_SHIFT != 0)
++#endif
+
+ #else
+ struct hstate {};
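Review bot: The "#ifndef hugepages_supported" guard in include/linux/hugetlb.h only takes effect if the architecture's definition has already been seen at this point in the header, and nothing in the hunk shows that asm/hugetlb.h is included before it. Please confirm that this holds in the 3.2 tree; if the arch header arrives later, the generic "(HPAGE_SHIFT != 0)" definition wins first and the override added by the following patch would either be ignored or trigger a macro redefinition. Unlike the first patch, this one also carries no "[bwh: Backported to 3.2 ...]" note, so it is worth stating whether it applied without context changes.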
diff --git a/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch b/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
new file mode 100644
index 0000000..69763f3
--- /dev/null
+++ b/debian/patches/bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
@@ -0,0 +1,68 @@
+From: Jan Beulich <JBeulich at suse.com>
+Date: Thu, 21 Apr 2016 00:27:04 -0600
+Subject: x86/mm/xen: Suppress hugetlbfs in PV guests
+
+commit 103f6112f253017d7062cd74d17f4a514ed4485c upstream.
+
+Huge pages are not normally available to PV guests. Not suppressing
+hugetlbfs use results in an endless loop of page faults when user mode
+code tries to access a hugetlbfs mapped area (since the hypervisor
+denies such PTEs to be created, but error indications can't be
+propagated out of xen_set_pte_at(), just like for various of its
+siblings), and - once killed in an oops like this:
+
+ kernel BUG at .../fs/hugetlbfs/inode.c:428!
+ invalid opcode: 0000 [#1] SMP
+ ...
+ RIP: e030:[<ffffffff811c333b>] [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
+ ...
+ Call Trace:
+ [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
+ [<ffffffff81167b3d>] evict+0xbd/0x1b0
+ [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
+ [<ffffffff81165b0e>] dput+0x1fe/0x220
+ [<ffffffff81150535>] __fput+0x155/0x200
+ [<ffffffff81079fc0>] task_work_run+0x60/0xa0
+ [<ffffffff81063510>] do_exit+0x160/0x400
+ [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
+ [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
+ [<ffffffff8100f854>] do_signal+0x14/0x110
+ [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
+ [<ffffffff814178a5>] retint_user+0x8/0x13
+
+This is CVE-2016-3961 / XSA-174.
+
+Reported-by: Vitaly Kuznetsov <vkuznets at redhat.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Andy Lutomirski <luto at amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky at oracle.com>
+Cc: Borislav Petkov <bp at alien8.de>
+Cc: Brian Gerst <brgerst at gmail.com>
+Cc: David Vrabel <david.vrabel at citrix.com>
+Cc: Denys Vlasenko <dvlasenk at redhat.com>
+Cc: H. Peter Anvin <hpa at zytor.com>
+Cc: Juergen Gross <JGross at suse.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof at suse.com>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: Toshi Kani <toshi.kani at hp.com>
+Cc: xen-devel <xen-devel at lists.xenproject.org>
+Link: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/include/asm/hugetlb.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/include/asm/hugetlb.h
++++ b/arch/x86/include/asm/hugetlb.h
+@@ -3,6 +3,7 @@
+
+ #include <asm/page.h>
+
++#define hugepages_supported() cpu_has_pse
+
+ static inline int is_hugepage_only_range(struct mm_struct *mm,
+ unsigned long addr,
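Review bot: The added "#define hugepages_supported() cpu_has_pse" in arch/x86/include/asm/hugetlb.h has no comment explaining why the PSE feature flag is the right test, and neither the hunk nor the commit message spells out the link between cpu_has_pse and running as a Xen PV guest. A short comment above the define naming the PV case and CVE-2016-3961 / XSA-174 would stop a later cleanup from dropping it as redundant. Wrapping the expansion in parentheses would also match the generic "(HPAGE_SHIFT != 0)" definition and keep it safe in expressions such as "!hugepages_supported()" whatever cpu_has_pse expands to.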
diff --git a/debian/patches/series b/debian/patches/series
index cd105d6..5d12603 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1177,3 +1177,6 @@ bugfix/all/revert-net-validate-variable-length-ll-headers.patch
debian/revert-net-ipv6-add-sysctl-option-accept_ra_min_hop_limit.patch
debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
+bugfix/all/hugetlb-ensure-hugepage-access-is-denied-if-hugepages-are-not.patch
+bugfix/all/mm-hugetlb-allow-hugepages_supported-to-be-architect.patch
+bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git