[OpenWrt-Devel] [PATCH] CVE-2016-5195 backport to linux-3.18.36 for Chaos Calmer

revelstone revelstone at yahoo.com
Fri Oct 21 10:43:14 EDT 2016


Here is a backport for Chaos Calmer of commit https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619]19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 that patches https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195]CVE-2016-5195

/DL
Signed-off-by: dl12345 <revelstone at yahoo.com>--- .../generic/patches-3.18/099-CVE-2016-5195.patch   | 47 ++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 target/linux/generic/patches-3.18/099-CVE-2016-5195.patch
diff --git a/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patchnew file mode 100644index 0000000..2febc79--- /dev/null+++ b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch@@ -0,0 +1,47 @@+--- a/include/linux/mm.h++++ b/include/linux/mm.h+@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(s+ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */+ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */+ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */++#define FOLL_COW 0x4000 /* internal GUP flag */+ + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,+  void *data);+--- a/mm/gup.c++++ b/mm/gup.c+@@ -32,6 +32,16 @@ static struct page *no_page_table(struct+  return NULL;+ }+ ++/*++ * FOLL_FORCE can write to even unwritable pte's, but only++ * after we've gone through a COW cycle and they are dirty.++ */++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)++{++ return pte_write(pte) ||++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));++}+++ static struct page *follow_page_pte(struct vm_area_struct *vma,+  unsigned long address, pmd_t *pmd, unsigned int flags)+ {+@@ -66,7 +76,7 @@ retry:+  }+  if ((flags & FOLL_NUMA) && pte_numa(pte))+  goto no_page;+- if ((flags & FOLL_WRITE) && !pte_write(pte)) {++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {+  pte_unmap_unlock(ptep, ptl);+  return NULL;+  }+@@ -315,7 +325,7 @@ static int faultin_page(struct task_stru+   * reCOWed by userspace write).+   */+  if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))+- *flags &= ~FOLL_WRITE;++ *flags |= FOLL_COW;+  return 0;+ }+ -- 1.8.3.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20161021/dde58e21/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list