patches/kernel/0222-x86-ldt-Make-LDT-pgtable-free-conditional.patch

   1 From 35ef33d8c7a31a246e499588a28717ef0bfa2a91 Mon Sep 17 00:00:00 2001
   2 From: Thomas Gleixner <tglx@linutronix.de>
   3 Date: Sun, 31 Dec 2017 16:52:15 +0100
   4 Subject: [PATCH 222/241] x86/ldt: Make LDT pgtable free conditional
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 CVE-2017-5754
  10
  11 Andy prefers to be paranoid about the pagetable free in the error path of
  12 write_ldt(). Make it conditional and warn whenever the installment of a
  13 secondary LDT fails.
  14
  15 Requested-by: Andy Lutomirski <luto@amacapital.net>
  16 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  17 (cherry picked from commit 7f414195b0c3612acd12b4611a5fe75995cf10c7)
  18 Signed-off-by: Andy Whitcroft <apw@canonical.com>
  19 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
  20 (cherry picked from commit 4e23d9d8427c9b2bd10176bd56dfcaca5e0d6b0f)
  21 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
  22 ---
  23  arch/x86/kernel/ldt.c | 3 ++-
  24  1 file changed, 2 insertions(+), 1 deletion(-)
  25
  26 diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
  27 index 9a35b7e541bc..51af781fac85 100644
  28 --- a/arch/x86/kernel/ldt.c
  29 +++ b/arch/x86/kernel/ldt.c
  30 @@ -425,7 +425,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
  31                  * already installed then the PTE page is already
  32                  * populated. Mop up a half populated page table.
  33                  */
  34 -               free_ldt_pgtables(mm);
  35 +               if (!WARN_ON_ONCE(old_ldt))
  36 +                       free_ldt_pgtables(mm);
  37                 free_ldt_struct(new_ldt);
  38                 goto out_unlock;
  39         }
  40 --
  41 2.14.2
  42