From 41f8ec53f2fcbb9cb476e355ed61d67cd77a03e4 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 10 Jul 2019 09:35:03 +0200 Subject: mm: CVE-2019-9213 mm: enforce min addr even if capable() in expand_downwards() References: https://nvd.nist.gov/vuln/detail/CVE-2019-9213 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Change-Id: I63e9ecc3091d8c0ff8bc9de49680fe4e7632eb81 Signed-off-by: Andreas Wellving --- patches/cve/4.9.x.scc | 3 ++ ...min-addr-even-if-capable-in-expand_downwa.patch | 50 ++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 2794efe..99eb8ce 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc @@ -31,3 +31,6 @@ patch CVE-2018-20169-USB-check-usb_get_extra_descriptor-for-proper-size.patch #CVEs fixed in 4.9.151: patch CVE-2018-16884-sunrpc-use-after-free-in-svc_process_common.patch + +#CVEs fixed in 4.9.162: +patch CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch diff --git a/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch new file mode 100644 index 0000000..f709596 --- /dev/null +++ b/patches/cve/CVE-2019-9213-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch 
@@ -0,0 +1,50 @@ +From 331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 27 Feb 2019 21:29:52 +0100 +Subject: [PATCH] mm: enforce min addr even if capable() in expand_downwards() + +commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream. + +security_mmap_addr() does a capability check with current_cred(), but +we can reach this code from contexts like a VFS write handler where +current_cred() must not be used. + +This can be abused on systems without SMAP to make NULL pointer +dereferences exploitable again. + +CVE: CVE-2019-9213 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=331fc4df776be3e5a88a1a9f08ef2f7e063ef1a9] + +Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses") +Cc: stable@kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + mm/mmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 283755645d17..3f2314ad6acd 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_struct *vma, + struct mm_struct *mm = vma->vm_mm; + struct vm_area_struct *prev; + unsigned long gap_addr; +- int error; ++ int error = 0; + + address &= PAGE_MASK; +- error = security_mmap_addr(address); +- if (error) +- return error; ++ if (address < mmap_min_addr) ++ return -EPERM; + + /* Enforce stack_guard_gap */ + gap_addr = address - stack_guard_gap; +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf
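Review bot: in the 4.9.x.scc hunk, the "#CVEs fixed in 4.9.162:" header is the only place the stable release is recorded, and nothing in the added patch file (its Upstream-Status line names the linux-4.9.y commit but not the tag) lets a reviewer confirm that version from the diff alone; consider noting the stable tag next to the Upstream-Status URL in the patch header so the two files stay consistent when further CVEs are appended under this section.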
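Review bot: in the mm/mmap.c hunk, the replacement `if (address < mmap_min_addr) return -EPERM;` deserves a short comment saying why `security_mmap_addr()` is deliberately not called here (the commit message gives the reason: this path is reachable from a VFS write handler where `current_cred()` must not be consulted), otherwise a later cleanup can reinstate the hook and silently reintroduce CVE-2019-9213. Also, the `int error = 0;` initialisation is functional rather than cosmetic: the removed `error = security_mmap_addr(address);` was the only unconditional assignment in this context window, so every remaining path that reaches the function's `return error` must now either assign it or rely on this zero default; please double-check that no path below the shown context returns a stale value.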