
Fix CVE-2021-47461 #9

Conversation


@gvrose8192 gvrose8192 commented Nov 15, 2024

jira VULN-4370
cve CVE-2021-47461
commit-author Nadav Amit [email protected]
commit cb185d5

A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called.

The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well.

Use mmget_not_zero() to prevent the race as done in other userfaultfd operations.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 63b2d41 ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
Signed-off-by: Nadav Amit [email protected]
Tested-by: Li Wang [email protected]
Reviewed-by: Peter Xu [email protected]
Cc: Andrea Arcangeli [email protected]
Cc: [email protected]
Signed-off-by: Andrew Morton [email protected]
Signed-off-by: Linus Torvalds [email protected]
(cherry picked from commit cb185d5)
Signed-off-by: Greg Rose [email protected]

  CLEAN   .config .config.old .version Module.symvers
[TIMER]{MRPROPER}: 29s
x86_64 architecture detected, copying config
'configs/kernel-4.18.0-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-debug-branch"
Making olddefconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  YACC    scripts/kconfig/zconf.tab.c
  LEX     scripts/kconfig/zconf.lex.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig

[SNIP]

  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-debug-branch+
[TIMER]{MODULES}: 117s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-debug-branch+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 36s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-debug-branch+ and Index to 3
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 29s
[TIMER]{BUILD}: 3249s
[TIMER]{MODULES}: 117s
[TIMER]{INSTALL}: 36s
[TIMER]{TOTAL} 3442s
Rebooting in 10 seconds

Boots and runs:

[g.v.rose@lts86-base shell]$ uname -a
Linux lts86-base 4.18.0-debug-branch+ #1 SMP Fri Nov 15 14:41:28 EST 2024 x86_64 x86_64 x86_64 GNU/Linux

Test Logs:

Before and after kernel selftest logs:
kernel-selftest-before.log
kernel-selftest-after.log

Kernel selftests were run with lockdep and kmemleak enabled and with stress running in the background - some of the usual anomalies popped up but nothing extraordinary.

No changes to the netfilter tables test results which were also run with lockdep, kmemleak and stress running.
nftables-test.log

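The race the commit message describes (exit_mmap() tearing down the VMAs while userfaultfd_writeprotect() walks them) and the mmget_not_zero() fix, as an added user-space model. This is not kernel code and not part of this PR: `struct mm`, `mm_users`, `mmput()`, `exit_mmap()` and `mmget_not_zero()` mirror the kernel names but are small stand-ins written here; `wp_range()`, `writeprotect_unsafe()`, `writeprotect_fixed()` and the `scenario_*` interleavings are constructed for illustration.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct vma { unsigned long start, end; bool write_protected; };

/* Stand-in for mm_struct: mm_users counts tasks/operations needing the VMAs. */
struct mm {
    atomic_int mm_users;
    struct vma *vmas;      /* freed by exit_mmap() once mm_users reaches zero */
    size_t nr_vmas;
};

static struct mm *mm_create(unsigned long page_size, size_t nr_vmas)
{
    struct mm *mm = calloc(1, sizeof(*mm));
    if (!mm) return NULL;
    mm->vmas = calloc(nr_vmas, sizeof(*mm->vmas));
    if (!mm->vmas) { free(mm); return NULL; }
    for (size_t i = 0; i < nr_vmas; i++) {
        mm->vmas[i].start = i * page_size;
        mm->vmas[i].end = (i + 1) * page_size;
    }
    mm->nr_vmas = nr_vmas;
    atomic_store(&mm->mm_users, 1);   /* the owning task's reference */
    return mm;
}

/* exit_mmap(): tear down the VMAs; reached only from the last mmput(). */
static void exit_mmap(struct mm *mm)
{
    free(mm->vmas);
    mm->vmas = NULL;      /* modelled as NULL; in the kernel this is freed memory */
    mm->nr_vmas = 0;
}

/* mmput(): drop one user reference; the last one runs exit_mmap(). */
static void mmput(struct mm *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
        exit_mmap(mm);
}

/* mmget_not_zero(): take a reference only while mm_users is nonzero.
 * Zero means the process is exiting (or gone) and the VMAs must not be used. */
static bool mmget_not_zero(struct mm *mm)
{
    int old = atomic_load(&mm->mm_users);
    while (old != 0)
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
            return true;
    return false;
}

/* Mark every VMA overlapping [start, start+len) write-protected. */
static int wp_range(struct mm *mm, unsigned long start, unsigned long len)
{
    int hits = 0;
    for (size_t i = 0; i < mm->nr_vmas; i++) {
        struct vma *v = &mm->vmas[i];
        if (v->end > start && v->start < start + len) { v->write_protected = true; hits++; }
    }
    return hits ? hits : -ENOENT;
}

/* Racy shape: walks the VMAs holding no reference. If the owner's final mmput()
 * runs concurrently, the list is torn down underneath this walk. */
static int writeprotect_unsafe(struct mm *mm, unsigned long start, unsigned long len)
{
    return wp_range(mm, start, len);
}

/* Fixed shape from the commit: pin the mm first; failure means "process is
 * exiting, nothing to write-protect". */
static int writeprotect_fixed(struct mm *mm, unsigned long start, unsigned long len)
{
    if (!mmget_not_zero(mm))
        return -ESRCH;
    int ret = wp_range(mm, start, len);
    mmput(mm);
    return ret;
}

/* Interleaving 1: the owner exits, then the ioctl arrives. The fixed path
 * refuses instead of walking freed VMAs. Returns the ioctl result. */
static int scenario_exit_then_writeprotect(void)
{
    struct mm *mm = mm_create(4096, 4);
    mmput(mm);                               /* owning task exits: VMAs freed */
    int ret = writeprotect_fixed(mm, 0, 8192);
    free(mm);                                /* mmdrop() stand-in */
    return ret;                              /* -ESRCH */
}

/* Interleaving 2: the owner exits while the ioctl is in flight. The reference
 * taken by mmget_not_zero() defers exit_mmap() until the ioctl's own mmput().
 * Returns 0 when the VMAs outlived the owner's exit and were freed only after. */
static int scenario_exit_during_writeprotect(void)
{
    struct mm *mm = mm_create(4096, 4);
    if (!mmget_not_zero(mm)) return -1;
    mmput(mm);                               /* owner's final put: not the last user */
    bool alive = mm->vmas != NULL;
    int ret = wp_range(mm, 4096, 4096);      /* exactly one VMA overlaps */
    mmput(mm);                               /* last user: exit_mmap() runs now */
    bool freed = mm->vmas == NULL;
    free(mm);
    return (alive && ret == 1 && freed) ? 0 : -1;
}

/* Live mm: both shapes succeed and the fixed one leaves mm_users unchanged. */
static int scenario_live(void)
{
    struct mm *mm = mm_create(4096, 4);
    int a = writeprotect_unsafe(mm, 0, 8192);         /* 2 VMAs */
    int b = writeprotect_fixed(mm, 3 * 4096, 4096);   /* 1 VMA */
    int users = atomic_load(&mm->mm_users);
    mmput(mm);
    free(mm);
    return (a == 2 && b == 1 && users == 1) ? 0 : -1;
}
```

The point of the second interleaving is the one the fix relies on: once mmget_not_zero() has succeeded, the owner's exit can no longer free the VMAs, so the walk completes against live data and teardown happens at the ioctl's paired mmput(). The first interleaving shows the other half: a zero count makes the ioctl bail out early rather than touch a torn-down address space.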
@gvrose8192 gvrose8192 requested a review from PlaidCat November 15, 2024 22:40

@PlaidCat PlaidCat left a comment


Thanks for the hard work on figuring out the false positive testing anomalies that were seen initially.

:shipit:

@PlaidCat PlaidCat requested a review from bmastbergen November 19, 2024 14:44

@bmastbergen bmastbergen left a comment


LGTM!

@gvrose8192 gvrose8192 merged commit 6362289 into fips-legacy-8-compliant/4.18.0-425.13.1 Nov 19, 2024
4 checks passed
@gvrose8192 gvrose8192 deleted the gvrose_fips-legacy-8-compliant_4.18.0-425.13.1 branch November 19, 2024 17:35