Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 633c5ed17f
Branches Tags
pve-edge-kernel
/
patches
/
kernel
/
0221-x86-ldt-Plug-memory-leak-in-error-path.patch

0221-x86-ldt-Plug-memory-leak-in-error-path.patch 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. From f7b3a0038fd5bdc21d05f09002e16db3ea8e6e3b Mon Sep 17 00:00:00 2001
    2. 

  2. From: Thomas Gleixner <[email protected]>
    3. 

  3. Date: Sun, 31 Dec 2017 11:24:34 +0100
    4. 

  4. Subject: [PATCH 221/242] x86/ldt: Plug memory leak in error path
    5. 

  5. MIME-Version: 1.0
    6. 

  6. Content-Type: text/plain; charset=UTF-8
    7. 

  7. Content-Transfer-Encoding: 8bit
    8. 

  8. 

  9. CVE-2017-5754
    10. 

  10. 

  11. The error path in write_ldt() tries to free 'old_ldt' instead of the newly
    12. 

  12. allocated 'new_ldt', resulting in a memory leak. It also misses to clean up a
    13. 

  13. half populated LDT pagetable, which is not a leak as it gets cleaned up
    14. 

  14. when the process exits.
    15. 

  15. 

  16. Free both the potentially half populated LDT pagetable and the newly
    17. 

  17. allocated LDT struct. This can be done unconditionally because once an LDT
    18. 

  18. is mapped subsequent maps will succeed, because the PTE page is already
    19. 

  19. populated and the two LDTs fit into that single page.
    20. 

  20. 

  21. Reported-by: Mathieu Desnoyers <[email protected]>
    22. 

  22. Signed-off-by: Thomas Gleixner <[email protected]>
    23. 

  23. Cc: Andy Lutomirski <[email protected]>
    24. 

  24. Cc: Borislav Petkov <[email protected]>
    25. 

  25. Cc: Dave Hansen <[email protected]>
    26. 

  26. Cc: Dominik Brodowski <[email protected]>
    27. 

  27. Cc: Linus Torvalds <[email protected]>
    28. 

  28. Cc: Linus Torvalds <[email protected]>
    29. 

  29. Cc: Peter Zijlstra <[email protected]>
    30. 

  30. Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
    31. 

  31. Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1712311121340.1899@nanos
    32. 

  32. Signed-off-by: Ingo Molnar <[email protected]>
    33. 

  33. (cherry picked from commit a62d69857aab4caa43049e72fe0ed5c4a60518dd)
    34. 

  34. Signed-off-by: Andy Whitcroft <[email protected]>
    35. 

  35. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    36. 

  36. (cherry picked from commit 03d02494f6253d0bdca7254d85e50786448c14f9)
    37. 

  37. Signed-off-by: Fabian Grünbichler <[email protected]>
    38. 

  38. ---
    39. 

  39.  arch/x86/kernel/ldt.c | 8 +++++++-
    40. 

  40.  1 file changed, 7 insertions(+), 1 deletion(-)
    41. 

  41. 

  42. diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
    43. 

  43. index 2260eb6e2de7..9a35b7e541bc 100644
    44. 

  44. --- a/arch/x86/kernel/ldt.c
    45. 

  45. +++ b/arch/x86/kernel/ldt.c
    46. 

  46. @@ -420,7 +420,13 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
    47. 

  47.  	 */
    48. 

  48.  	error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
    49. 

  49.  	if (error) {
    50. 

  50. -		free_ldt_struct(old_ldt);
    51. 

  51. +		/*
    52. 

  52. +		 * This only can fail for the first LDT setup. If an LDT is
    53. 

  53. +		 * already installed then the PTE page is already
    54. 

  54. +		 * populated. Mop up a half populated page table.
    55. 

  55. +		 */
    56. 

  56. +		free_ldt_pgtables(mm);
    57. 

  57. +		free_ldt_struct(new_ldt);
    58. 

  58.  		goto out_unlock;
    59. 

  59.  	}
    60. 

  60.  
    61. 

  61. -- 
    62. 

  62. 2.14.2
    63. 

  63.