--- /dev/null
+From 7f7ccc2ccc2e70c6054685f5e3522efa81556830 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Fri, 11 May 2018 08:11:44 +0200
+Subject: proc: do not access cmdline nor environ from file-backed areas
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit 7f7ccc2ccc2e70c6054685f5e3522efa81556830 upstream.
+
+proc_pid_cmdline_read() and environ_read() directly access the target
+process' VM to retrieve the command line and environment. If this
+process remaps these areas onto a file via mmap(), the requesting
+process may experience various issues such as extra delays if the
+underlying device is slow to respond.
+
+Let's simply refuse to access file-backed areas in these functions.
+For this we add a new FOLL_ANON gup flag that is passed to all calls
+to access_remote_vm(). The code already takes care of such failures
+(including unmapped areas). Accesses via /proc/pid/mem were not
+changed though.
+
+This was assigned CVE-2018-1120.
+
+Note for stable backports: the patch may apply to kernels prior to 4.11
+but silently miss one location; it must be checked that no call to
+access_remote_vm() keeps zero as the last argument.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 8 ++++----
+ include/linux/mm.h | 1 +
+ mm/gup.c | 3 +++
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -263,7 +263,7 @@ static ssize_t proc_pid_cmdline_read(str
+ * Inherently racy -- command line shares address space
+ * with code and data.
+ */
+- rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
++ rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON);
+ if (rv <= 0)
+ goto out_free_page;
+
+@@ -281,7 +281,7 @@ static ssize_t proc_pid_cmdline_read(str
+ int nr_read;
+
+ _count = min3(count, len, PAGE_SIZE);
+- nr_read = access_remote_vm(mm, p, page, _count, 0);
++ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
+ if (nr_read < 0)
+ rv = nr_read;
+ if (nr_read <= 0)
+@@ -327,7 +327,7 @@ static ssize_t proc_pid_cmdline_read(str
+ bool final;
+
+ _count = min3(count, len, PAGE_SIZE);
+- nr_read = access_remote_vm(mm, p, page, _count, 0);
++ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
+ if (nr_read < 0)
+ rv = nr_read;
+ if (nr_read <= 0)
+@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file
+ max_len = min_t(size_t, PAGE_SIZE, count);
+ this_len = min(max_len, this_len);
+
+- retval = access_remote_vm(mm, (env_start + src), page, this_len, 0);
++ retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON);
+
+ if (retval <= 0) {
+ ret = retval;
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2383,6 +2383,7 @@ static inline struct page *follow_page(s
+ #define FOLL_MLOCK 0x1000 /* lock present pages */
+ #define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */
+ #define FOLL_COW 0x4000 /* internal GUP flag */
++#define FOLL_ANON 0x8000 /* don't do file mappings */
+
+ static inline int vm_fault_to_errno(int vm_fault, int foll_flags)
+ {
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_are
+ if (vm_flags & (VM_IO | VM_PFNMAP))
+ return -EFAULT;
+
++ if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
++ return -EFAULT;
++
+ if (write) {
+ if (!(vm_flags & VM_WRITE)) {
+ if (!(gup_flags & FOLL_FORCE))
projects / thirdparty / kernel / stable-queue.git / commitdiff
