Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c12c4cf authored by Venki Pallipadi's avatar Venki Pallipadi Committed by Linus Torvalds
Browse files

mprotect: prevent alteration of the PAT bits 



There is a defect in mprotect, which lets the user change the page cache
type bits by-passing the kernel reserve_memtype and free_memtype
wrappers.  Fix the problem by not letting mprotect change the PAT bits.

Signed-off-by: default avatarVenkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: default avatarSuresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarHugh Dickins <hugh@veritas.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 44c81433

include/asm-x86/pgtable.h

+13 −3
Original line number Diff line number Diff line
@@ -57,7 +57,8 @@ 
#define _KERNPG_TABLE	(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED |	\

			 _PAGE_DIRTY)



#define _PAGE_CHG_MASK	(PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)

#define _PAGE_CHG_MASK	(PTE_MASK | _PAGE_PCD | _PAGE_PWT |		\

			 _PAGE_ACCESSED | _PAGE_DIRTY)



#define _PAGE_CACHE_MASK	(_PAGE_PCD | _PAGE_PWT)

#define _PAGE_CACHE_WB		(0)
@@ -288,12 +289,21 @@ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) 
	 * Chop off the NX bit (if present), and add the NX portion of

	 * the newprot (if present):

	 */

	val &= _PAGE_CHG_MASK & ~_PAGE_NX;

	val |= pgprot_val(newprot) & __supported_pte_mask;

	val &= _PAGE_CHG_MASK;

	val |= pgprot_val(newprot) & (~_PAGE_CHG_MASK) & __supported_pte_mask;



	return __pte(val);

}



/* mprotect needs to preserve PAT bits when updating vm_page_prot */

#define pgprot_modify pgprot_modify

static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)

{

	pgprotval_t preservebits = pgprot_val(oldprot) & _PAGE_CHG_MASK;

	pgprotval_t addbits = pgprot_val(newprot);

	return __pgprot(preservebits | addbits);

}



#define pte_pgprot(x) __pgprot(pte_val(x) & (0xfff | _PAGE_NX))



#define canon_pgprot(p) __pgprot(pgprot_val(p) & __supported_pte_mask)

mm/mprotect.c

+10 −1
Original line number Diff line number Diff line
@@ -26,6 +26,13 @@ 
#include <asm/cacheflush.h>

#include <asm/tlbflush.h>



#ifndef pgprot_modify

static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)

{

	return newprot;

}

#endif



static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,

		unsigned long addr, unsigned long end, pgprot_t newprot,

		int dirty_accountable)
@@ -192,7 +199,9 @@ success: 
	 * held in write mode.

	 */

	vma->vm_flags = newflags;

	vma->vm_page_prot = vm_get_page_prot(newflags);

	vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,

					  vm_get_page_prot(newflags));



	if (vma_wants_writenotify(vma)) {

		vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);

		dirty_accountable = 1;