[SRU,OEM-6.1,Lunar,00/14] CVE-2023-3269

Message ID 20230705123425.764300-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo July 5, 2023, 12:33 p.m. UTC
[Impact]
The conversion to maple tree allows an attacker to cause a use-after-free
bug and cause a system denial of service (crash) or achieve kernel code
execution.

[Potential regression]
High potential regression as this touches memory management.

Ben Hutchings (3):
  mips/mm: Convert to using lock_mm_and_find_vma()
  riscv/mm: Convert to using lock_mm_and_find_vma()
  arm/mm: Convert to using lock_mm_and_find_vma()

Kees Cook (1):
  exec: Remove FOLL_FORCE for stack setup

Liam R. Howlett (1):
  mm: make find_extend_vma() fail if write lock not held

Linus Torvalds (7):
  mm: introduce new 'lock_mm_and_find_vma()' page fault helper
  mm: make the page fault mmap locking killable
  arm64/mm: Convert to using lock_mm_and_find_vma()
  mm/fault: convert remaining simple cases to lock_mm_and_find_vma()
  powerpc/mm: convert coprocessor fault to lock_mm_and_find_vma()
  execve: expand new process stack manually ahead of time
  mm: always expand the stack with the mmap write lock held

Michael Ellerman (1):
  powerpc/mm: Convert to using lock_mm_and_find_vma()

Thadeu Lima de Souza Cascardo (1):
  UBUNTU: [CONFIG]: Set CONFIG_LOCK_MM_AND_FIND_VMA

 arch/alpha/Kconfig            |   1 +
 arch/alpha/mm/fault.c         |  13 +---
 arch/arc/Kconfig              |   1 +
 arch/arc/mm/fault.c           |  11 +--
 arch/arm/Kconfig              |   1 +
 arch/arm/mm/fault.c           |  63 ++++-------------
 arch/arm64/Kconfig            |   1 +
 arch/arm64/mm/fault.c         |  46 +++---------
 arch/csky/Kconfig             |   1 +
 arch/csky/mm/fault.c          |  22 ++----
 arch/hexagon/Kconfig          |   1 +
 arch/hexagon/mm/vm_fault.c    |  18 ++---
 arch/ia64/mm/fault.c          |  36 ++--------
 arch/loongarch/Kconfig        |   1 +
 arch/loongarch/mm/fault.c     |  16 ++---
 arch/m68k/mm/fault.c          |   9 ++-
 arch/microblaze/mm/fault.c    |   5 +-
 arch/mips/Kconfig             |   1 +
 arch/mips/mm/fault.c          |  12 +---
 arch/nios2/Kconfig            |   1 +
 arch/nios2/mm/fault.c         |  17 +----
 arch/openrisc/mm/fault.c      |   5 +-
 arch/parisc/mm/fault.c        |  23 +++---
 arch/powerpc/Kconfig          |   1 +
 arch/powerpc/mm/copro_fault.c |  14 +---
 arch/powerpc/mm/fault.c       |  39 +----------
 arch/riscv/Kconfig            |   1 +
 arch/riscv/mm/fault.c         |  31 ++++-----
 arch/s390/mm/fault.c          |   5 +-
 arch/sh/Kconfig               |   1 +
 arch/sh/mm/fault.c            |  17 +----
 arch/sparc/Kconfig            |   1 +
 arch/sparc/mm/fault_32.c      |  32 +++------
 arch/sparc/mm/fault_64.c      |   8 ++-
 arch/um/kernel/trap.c         |  11 +--
 arch/x86/Kconfig              |   1 +
 arch/x86/mm/fault.c           |  52 +-------------
 arch/xtensa/Kconfig           |   1 +
 arch/xtensa/mm/fault.c        |  14 +---
 debian.oem/config/annotations |   1 +
 drivers/iommu/amd/iommu_v2.c  |   4 +-
 drivers/iommu/io-pgfault.c    |   2 +-
 fs/binfmt_elf.c               |   6 +-
 fs/exec.c                     |  38 +++++-----
 include/linux/mm.h            |  16 ++---
 mm/Kconfig                    |   4 ++
 mm/gup.c                      |   6 +-
 mm/memory.c                   | 127 ++++++++++++++++++++++++++++++++++
 mm/mmap.c                     | 121 +++++++++++++++++++++++++++-----
 mm/nommu.c                    |  17 ++---
 50 files changed, 422 insertions(+), 454 deletions(-)

Comments

Cengiz Can July 5, 2023, 12:51 p.m. UTC | #1
On 23-07-05 09:33:58, Thadeu Lima de Souza Cascardo wrote:
Acked-by: Cengiz Can <cengiz.can@canonical.com>

> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tim Gardner July 5, 2023, 5:56 p.m. UTC | #2
On 7/5/23 6:33 AM, Thadeu Lima de Souza Cascardo wrote:
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Timo Aaltonen July 6, 2023, 8:33 a.m. UTC | #3
Thadeu Lima de Souza Cascardo wrote on 5.7.2023 at 15.33:
applied to oem-6.1, thanks

Luke Nowakowski-Krijger July 6, 2023, 9:12 p.m. UTC | #4
Applied to lunar:linux master-next

Thanks!
- Luke

On Wed, Jul 5, 2023 at 5:36 AM Thadeu Lima de Souza Cascardo <
cascardo@canonical.com> wrote:
