cve/published/2021/CVE-2021-47214.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47214: hugetlb, userfaultfd: fix reservation restore on userfaultfd error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 hugetlb, userfaultfd: fix reservation restore on userfaultfd error

 Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we
 bail out using "goto out_release_unlock;" in the cases where idx >=
 size, or !huge_pte_none(), the code will detect that new_pagecache_page
 == false, and so call restore_reserve_on_error().  In this case I see
 restore_reserve_on_error() delete the reservation, and the following
 call to remove_inode_hugepages() will increment h->resv_hugepages
 causing a 100% reproducible leak.

 We should treat the is_continue case similar to adding a page into the
 pagecache and set new_pagecache_page to true, to indicate that there is
 no reservation to restore on the error path, and we need not call
 restore_reserve_on_error().  Rename new_pagecache_page to
 page_in_pagecache to make that clear.

 The Linux kernel CVE team has assigned CVE-2021-47214 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f and fixed in 5.15.5 with commit b5069d44e2fbc4a9093d005b3ef0949add3dd27e
 	Issue introduced in 5.14 with commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f and fixed in 5.16 with commit cc30042df6fcc82ea18acf0dace831503e60a0b7
 	Issue introduced in 5.13.13 with commit 515b6124df6a84c957c5cc6bb6e8309dae7b1e9c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47214
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/hugetlb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e
 	https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47214: hugetlb, userfaultfd: fix reservation restore on userfaultfd error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	hugetlb, userfaultfd: fix reservation restore on userfaultfd error

	Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we
	bail out using "goto out_release_unlock;" in the cases where idx >=
	size, or !huge_pte_none(), the code will detect that new_pagecache_page
	== false, and so call restore_reserve_on_error(). In this case I see
	restore_reserve_on_error() delete the reservation, and the following
	call to remove_inode_hugepages() will increment h->resv_hugepages
	causing a 100% reproducible leak.

	We should treat the is_continue case similar to adding a page into the
	pagecache and set new_pagecache_page to true, to indicate that there is
	no reservation to restore on the error path, and we need not call
	restore_reserve_on_error(). Rename new_pagecache_page to
	page_in_pagecache to make that clear.

	The Linux kernel CVE team has assigned CVE-2021-47214 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f and fixed in 5.15.5 with commit b5069d44e2fbc4a9093d005b3ef0949add3dd27e
	Issue introduced in 5.14 with commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f and fixed in 5.16 with commit cc30042df6fcc82ea18acf0dace831503e60a0b7
	Issue introduced in 5.13.13 with commit 515b6124df6a84c957c5cc6bb6e8309dae7b1e9c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47214
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/hugetlb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e
	https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7