[pve-kernel.git] / patches / kernel / 0222-x86-ldt-Make-LDT-pgtable-free-conditional.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Sun, 31 Dec 2017 16:52:15 +0100
Subject: [PATCH] x86/ldt: Make LDT pgtable free conditional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

Andy prefers to be paranoid about the pagetable free in the error path of
write_ldt(). Make it conditional and warn whenever the installment of a
secondary LDT fails.

Requested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
(cherry picked from commit 7f414195b0c3612acd12b4611a5fe75995cf10c7)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 4e23d9d8427c9b2bd10176bd56dfcaca5e0d6b0f)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kernel/ldt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 9a35b7e541bc..51af781fac85 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -425,7 +425,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
 		 * already installed then the PTE page is already
 		 * populated. Mop up a half populated page table.
 		 */
-		free_ldt_pgtables(mm);
+		if (!WARN_ON_ONCE(old_ldt))
+			free_ldt_pgtables(mm);
 		free_ldt_struct(new_ldt);
 		goto out_unlock;
 	}
-- 
2.14.2
Commit	Line	Data
59d5af67	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
321d628a FG	2	From: Thomas Gleixner <tglx@linutronix.de>
321d628a FG	3	Date: Sun, 31 Dec 2017 16:52:15 +0100
59d5af67	4	Subject: [PATCH] x86/ldt: Make LDT pgtable free conditional
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	Andy prefers to be paranoid about the pagetable free in the error path of
	12	write_ldt(). Make it conditional and warn whenever the installment of a
	13	secondary LDT fails.
	14
	15	Requested-by: Andy Lutomirski <luto@amacapital.net>
	16	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	17	(cherry picked from commit 7f414195b0c3612acd12b4611a5fe75995cf10c7)
	18	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	19	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	20	(cherry picked from commit 4e23d9d8427c9b2bd10176bd56dfcaca5e0d6b0f)
	21	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	22	---
	23	arch/x86/kernel/ldt.c \| 3 ++-
	24	1 file changed, 2 insertions(+), 1 deletion(-)
	25
	26	diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
	27	index 9a35b7e541bc..51af781fac85 100644
	28	--- a/arch/x86/kernel/ldt.c
	29	+++ b/arch/x86/kernel/ldt.c
	30	@@ -425,7 +425,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
	31	* already installed then the PTE page is already
	32	* populated. Mop up a half populated page table.
	33	*/
	34	- free_ldt_pgtables(mm);
	35	+ if (!WARN_ON_ONCE(old_ldt))
	36	+ free_ldt_pgtables(mm);
	37	free_ldt_struct(new_ldt);
	38	goto out_unlock;
	39	}
	40	--
	41	2.14.2
	42