
[UBUNTU,OEM-5.7,1/1] UBUNTU: SAUCE: Revert "mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"

Message ID 20230404135514.2227926-2-cascardo@canonical.com

Commit Message

Thadeu Lima de Souza Cascardo April 4, 2023, 1:55 p.m. UTC
This reverts commit 9ae0f87d009ca6c4aab2882641ddfc319727e3db.

Otherwise, pages might be set dirty even if they are not writable, which
tricks the kernel into not breaking COW, allowing shmem files without write
permissions to be modified.

CVE-2022-2590
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 mm/shmem.c       | 1 +
 mm/userfaultfd.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)


diff --git a/mm/shmem.c b/mm/shmem.c
index 032479e48edd..fbcc100fa9bc 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2394,6 +2394,7 @@  int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
 	shmem_recalc_inode(inode);
 	spin_unlock_irq(&info->lock);
 
+	SetPageDirty(page);
 	unlock_page(page);
 	return 0;
 out_delete_from_cache:
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 7259f96faaa0..971ca756999d 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -69,9 +69,10 @@  int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
 	pgoff_t offset, max_off;
 
 	_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
-	_dst_pte = pte_mkdirty(_dst_pte);
 	if (page_in_cache && !vm_shared)
 		writable = false;
+	if (writable || !page_in_cache)
+		_dst_pte = pte_mkdirty(_dst_pte);
 
 	/*
 	 * Always mark a PTE as write-protected when needed, regardless of
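Review bot: The restored guard `if (writable || !page_in_cache)` around `pte_mkdirty()` is the security-relevant line of this series, yet nothing in the code states the invariant it enforces; the only explanation lives in the commit message ("tricks the kernel into not breaking COW"). Suggest a comment directly above it along the lines of `/* Only dirty the PTE for a writable mapping or a page private to this mapping. A dirty PTE on a read-only page-cache page can be mistaken for a prior write and prevent COW from being broken (CVE-2022-2590). */`, so the next person who sees the unconditional `pte_mkdirty()` as simpler does not reintroduce it. Note that `writable` for the `page_in_cache && vm_shared` case is whatever the caller passed, which this hunk does not constrain; the existing block comment that begins at the last line of the hunk and the rest of mfill_atomic_install_pte continue outside it, so that case should be checked there.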