1 files changed, 127 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch b/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch
new file mode 100644
index 0000000..eda2557
--- /dev/null
+++ b/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch
@@ -0,0 +1,127 @@
+From 1e8628443ede418464b0ab101b24fbb7030949b2 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Thu, 22 Mar 2018 16:17:13 -0700
+Subject: [PATCH] hugetlbfs: check for pgoff value overflow
+commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7 upstream.
+A vma with vm_pgoff large enough to overflow a loff_t type when
+converted to a byte offset can be passed via the remap_file_pages system
+call.  The hugetlbfs mmap routine uses the byte offset to calculate
+reservations and file size.
+A sequence such as:
+  mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
+  remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);
+will result in the following when task exits/file closed,
+  kernel BUG at mm/hugetlb.c:749!
+  Call Trace:
+    hugetlbfs_evict_inode+0x2f/0x40
+    evict+0xcb/0x190
+    __dentry_kill+0xcb/0x150
+    __fput+0x164/0x1e0
+    task_work_run+0x84/0xa0
+    exit_to_usermode_loop+0x7d/0x80
+    do_syscall_64+0x18b/0x190
+    entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+The overflowed pgoff value causes hugetlbfs to try to set up a mapping
+with a negative range (end < start) that leaves invalid state which
+causes the BUG.
+The previous overflow fix to this code was incomplete and did not take
+the remap_file_pages system call into account.
+CVE: CVE-2018-7740
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=1e8628443ede418464b0ab101b24fbb7030949b2]
+[mike.kravetz@oracle.com: v3]
+  Link: http://lkml.kernel.org/r/20180309002726.7248-1-mike.kravetz@oracle.com
+[akpm@linux-foundation.org: include mmdebug.h]
+[akpm@linux-foundation.org: fix -ve left shift count on sh]
+Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com
+Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: Nic Losby <blurbdust@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Yisheng Xie <xieyisheng1@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/hugetlbfs/inode.c | 17 ++++++++++++++---
+ mm/hugetlb.c         |  7 +++++++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index ed113ea17aff..3b293d0d1785 100644
+--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
+@@ -118,6 +118,16 @@ static void huge_pagevec_release(struct pagevec *pvec)
+        pagevec_reinit(pvec);
+ }
+ 
+/*
+ * Mask used when checking the page offset value passed in via system
+ * calls.  This value will be converted to a loff_t which is signed.
+ * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
+ * value.  The extra bit (- 1 in the shift value) is to take the sign
+ * bit into account.
+ */
+#define PGOFF_LOFFT_MAX \
+       (((1UL << (PAGE_SHIFT + 1)) - 1) <<  (BITS_PER_LONG - (PAGE_SHIFT + 1)))
+
+ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+        struct inode *inode = file_inode(file);
+@@ -137,12 +147,13 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
+        vma->vm_ops = &hugetlb_vm_ops;
+ 
+        /*
+-        * Offset passed to mmap (before page shift) could have been
+-        * negative when represented as a (l)off_t.
+        * page based offset in vm_pgoff could be sufficiently large to
+        * overflow a (l)off_t when converted to byte offset.
+         */
+-       if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
+       if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
+                return -EINVAL;
+ 
+       /* must be huge page aligned */
+        if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
+                return -EINVAL;
+ 
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index c539941671b4..b1f841a9edd4 100644
+--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
+@@ -18,6 +18,7 @@
+ #include <linux/bootmem.h>
+ #include <linux/sysfs.h>
+ #include <linux/slab.h>
+#include <linux/mmdebug.h>
+ #include <linux/sched/signal.h>
+ #include <linux/rmap.h>
+ #include <linux/string_helpers.h>
+@@ -4344,6 +4345,12 @@ int hugetlb_reserve_pages(struct inode *inode,
+        struct resv_map *resv_map;
+        long gbl_reserve;
+ 
+       /* This should never happen */
+       if (from > to) {
+               VM_WARN(1, "%s called with a negative range\n", __func__);
+               return -EINVAL;
+       }
+
+        /*
+         * Only apply hugepage reservation if asked. At fault time, an
+         * attempt will be made for VM_NORESERVE to allocate a page
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch b/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch new file mode 100644 index 0000000..eda2557 --- /dev/null +++ b/patches/cve/CVE-2018-7740-hugetlbfs-check-for-pgoff-value-overflow.patch
@@ -0,0 +1,127 @@
	1	From 1e8628443ede418464b0ab101b24fbb7030949b2 Mon Sep 17 00:00:00 2001
	2	From: Mike Kravetz <mike.kravetz@oracle.com>
	3	Date: Thu, 22 Mar 2018 16:17:13 -0700
	4	Subject: [PATCH] hugetlbfs: check for pgoff value overflow
	5
	6	commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7 upstream.
	7
	8	A vma with vm_pgoff large enough to overflow a loff_t type when
	9	converted to a byte offset can be passed via the remap_file_pages system
	10	call. The hugetlbfs mmap routine uses the byte offset to calculate
	11	reservations and file size.
	12
	13	A sequence such as:
	14
	15	mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
	16	remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);
	17
	18	will result in the following when task exits/file closed,
	19
	20	kernel BUG at mm/hugetlb.c:749!
	21	Call Trace:
	22	hugetlbfs_evict_inode+0x2f/0x40
	23	evict+0xcb/0x190
	24	__dentry_kill+0xcb/0x150
	25	__fput+0x164/0x1e0
	26	task_work_run+0x84/0xa0
	27	exit_to_usermode_loop+0x7d/0x80
	28	do_syscall_64+0x18b/0x190
	29	entry_SYSCALL_64_after_hwframe+0x3d/0xa2
	30
	31	The overflowed pgoff value causes hugetlbfs to try to set up a mapping
	32	with a negative range (end < start) that leaves invalid state which
	33	causes the BUG.
	34
	35	The previous overflow fix to this code was incomplete and did not take
	36	the remap_file_pages system call into account.
	37
	38	CVE: CVE-2018-7740
	39	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=1e8628443ede418464b0ab101b24fbb7030949b2]
	40
	41	[mike.kravetz@oracle.com: v3]
	42	Link: http://lkml.kernel.org/r/20180309002726.7248-1-mike.kravetz@oracle.com
	43	[akpm@linux-foundation.org: include mmdebug.h]
	44	[akpm@linux-foundation.org: fix -ve left shift count on sh]
	45	Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com
	46	Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
	47	Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
	48	Reported-by: Nic Losby <blurbdust@gmail.com>
	49	Acked-by: Michal Hocko <mhocko@suse.com>
	50	Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
	51	Cc: Yisheng Xie <xieyisheng1@huawei.com>
	52	Cc: <stable@vger.kernel.org>
	53	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	54	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	55	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	56	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	57	---
	58	fs/hugetlbfs/inode.c \| 17 ++++++++++++++---
	59	mm/hugetlb.c \| 7 +++++++
	60	2 files changed, 21 insertions(+), 3 deletions(-)
	61
	62	diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
	63	index ed113ea17aff..3b293d0d1785 100644
	64	--- a/fs/hugetlbfs/inode.c
	65	+++ b/fs/hugetlbfs/inode.c
	66	@@ -118,6 +118,16 @@ static void huge_pagevec_release(struct pagevec *pvec)
	67	pagevec_reinit(pvec);
	68	}
	69
	70	+/*
	71	+ * Mask used when checking the page offset value passed in via system
	72	+ * calls. This value will be converted to a loff_t which is signed.
	73	+ * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
	74	+ * value. The extra bit (- 1 in the shift value) is to take the sign
	75	+ * bit into account.
	76	+ */
	77	+#define PGOFF_LOFFT_MAX \
	78	+ (((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))
	79	+
	80	static int hugetlbfs_file_mmap(struct file file, struct vm_area_struct vma)
	81	{
	82	struct inode *inode = file_inode(file);
	83	@@ -137,12 +147,13 @@ static int hugetlbfs_file_mmap(struct file file, struct vm_area_struct vma)
	84	vma->vm_ops = &hugetlb_vm_ops;
	85
	86	/*
	87	- * Offset passed to mmap (before page shift) could have been
	88	- * negative when represented as a (l)off_t.
	89	+ * page based offset in vm_pgoff could be sufficiently large to
	90	+ * overflow a (l)off_t when converted to byte offset.
	91	*/
	92	- if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
	93	+ if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
	94	return -EINVAL;
	95
	96	+ /* must be huge page aligned */
	97	if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
	98	return -EINVAL;
	99
	100	diff --git a/mm/hugetlb.c b/mm/hugetlb.c
	101	index c539941671b4..b1f841a9edd4 100644
	102	--- a/mm/hugetlb.c
	103	+++ b/mm/hugetlb.c
	104	@@ -18,6 +18,7 @@
	105	#include <linux/bootmem.h>
	106	#include <linux/sysfs.h>
	107	#include <linux/slab.h>
	108	+#include <linux/mmdebug.h>
	109	#include <linux/sched/signal.h>
	110	#include <linux/rmap.h>
	111	#include <linux/string_helpers.h>
	112	@@ -4344,6 +4345,12 @@ int hugetlb_reserve_pages(struct inode *inode,
	113	struct resv_map *resv_map;
	114	long gbl_reserve;
	115
	116	+ /* This should never happen */
	117	+ if (from > to) {
	118	+ VM_WARN(1, "%s called with a negative range\n", __func__);
	119	+ return -EINVAL;
	120	+ }
	121	+
	122	/*
	123	* Only apply hugepage reservation if asked. At fault time, an
	124	* attempt will be made for VM_NORESERVE to allocate a page
	125	--
	126	2.20.1
	127