git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Andrea Arcangeli <aarcange@redhat.com>
	Fri, 25 Jan 2019 02:01:24 +0000 (02:01 +0000)
committer	Khalid Elmously <khalid.elmously@canonical.com>
	Wed, 6 Feb 2019 04:53:01 +0000 (04:53 +0000)
commit	613c12df1eadb624f88659e39a8e609976194245
tree	23051ebcd690fc534a3021810e6e880247d8e253	tree
parent	ea2611742ce52a87c1b13142f348e9cc45917735	commit \| diff

userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas

After the VMA to register the uffd onto is found, check that it has
VM_MAYWRITE set before allowing registration. This way we inherit all
common code checks before allowing to fill file holes in shmem and
hugetlbfs with UFFDIO_COPY.

The userfaultfd memory model is not applicable for readonly files unless
it's a MAP_PRIVATE.

Link: http://lkml.kernel.org/r/20181126173452.26955-4-aarcange@redhat.com
Fixes: ff62a3421044 ("hugetlb: implement memfd sealing")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Hugh Dickins <hughd@google.com>
Reported-by: Jann Horn <jannh@google.com>
Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
Cc: <stable@vger.kernel.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
CVE-2018-18397

(cherry picked from commit 29ec90660d68bbdd69507c1c8b4e33aa299278b1)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kleber Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

fs/userfaultfd.c		diff \| blob \| blame \| history
mm/userfaultfd.c		diff \| blob \| blame \| history