[pve-kernel.git] / patches / kernel / 0221-x86-ldt-Plug-memory-leak-in-error-path.patch

From f7b3a0038fd5bdc21d05f09002e16db3ea8e6e3b Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Sun, 31 Dec 2017 11:24:34 +0100
Subject: [PATCH 221/242] x86/ldt: Plug memory leak in error path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

The error path in write_ldt() tries to free 'old_ldt' instead of the newly
allocated 'new_ldt', resulting in a memory leak. It also misses to clean up a
half populated LDT pagetable, which is not a leak as it gets cleaned up
when the process exits.

Free both the potentially half populated LDT pagetable and the newly
allocated LDT struct. This can be done unconditionally because once an LDT
is mapped subsequent maps will succeed, because the PTE page is already
populated and the two LDTs fit into that single page.

Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1712311121340.1899@nanos
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit a62d69857aab4caa43049e72fe0ed5c4a60518dd)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 03d02494f6253d0bdca7254d85e50786448c14f9)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kernel/ldt.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 2260eb6e2de7..9a35b7e541bc 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -420,7 +420,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
 	 */
 	error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
 	if (error) {
-		free_ldt_struct(old_ldt);
+		/*
+		 * This only can fail for the first LDT setup. If an LDT is
+		 * already installed then the PTE page is already
+		 * populated. Mop up a half populated page table.
+		 */
+		free_ldt_pgtables(mm);
+		free_ldt_struct(new_ldt);
 		goto out_unlock;
 	}
 
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From f7b3a0038fd5bdc21d05f09002e16db3ea8e6e3b Mon Sep 17 00:00:00 2001
	2	From: Thomas Gleixner <tglx@linutronix.de>
	3	Date: Sun, 31 Dec 2017 11:24:34 +0100
633c5ed1	4	Subject: [PATCH 221/242] x86/ldt: Plug memory leak in error path
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	The error path in write_ldt() tries to free 'old_ldt' instead of the newly
	12	allocated 'new_ldt', resulting in a memory leak. It also misses to clean up a
	13	half populated LDT pagetable, which is not a leak as it gets cleaned up
	14	when the process exits.
	15
	16	Free both the potentially half populated LDT pagetable and the newly
	17	allocated LDT struct. This can be done unconditionally because once an LDT
	18	is mapped subsequent maps will succeed, because the PTE page is already
	19	populated and the two LDTs fit into that single page.
	20
	21	Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	22	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	23	Cc: Andy Lutomirski <luto@kernel.org>
	24	Cc: Borislav Petkov <bp@alien8.de>
	25	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	26	Cc: Dominik Brodowski <linux@dominikbrodowski.net>
	27	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	28	Cc: Linus Torvalds <torvalds@linuxfoundation.org>
	29	Cc: Peter Zijlstra <peterz@infradead.org>
	30	Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
	31	Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1712311121340.1899@nanos
	32	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	33	(cherry picked from commit a62d69857aab4caa43049e72fe0ed5c4a60518dd)
	34	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	35	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	36	(cherry picked from commit 03d02494f6253d0bdca7254d85e50786448c14f9)
	37	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	38	---
	39	arch/x86/kernel/ldt.c \| 8 +++++++-
	40	1 file changed, 7 insertions(+), 1 deletion(-)
	41
	42	diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
	43	index 2260eb6e2de7..9a35b7e541bc 100644
	44	--- a/arch/x86/kernel/ldt.c
	45	+++ b/arch/x86/kernel/ldt.c
	46	@@ -420,7 +420,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
	47	*/
	48	error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
	49	if (error) {
	50	- free_ldt_struct(old_ldt);
	51	+ /*
	52	+ * This only can fail for the first LDT setup. If an LDT is
	53	+ * already installed then the PTE page is already
	54	+ * populated. Mop up a half populated page table.
	55	+ */
	56	+ free_ldt_pgtables(mm);
	57	+ free_ldt_struct(new_ldt);
	58	goto out_unlock;
	59	}
	60
	61	--
	62	2.14.2
	63