Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]mm/ksm: fix flag-dropping behavior in ksm_madvise[EOL][EOL]syzkaller discovered the following crash: (kernel BUG)[EOL][EOL][   44.607039] ------------[ cut here ]------------[EOL][   44.607422] kernel BUG at mm/userfaultfd.c:2067![EOL][   44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI[EOL][   44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)[EOL][   44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[EOL][   44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460[EOL][EOL]<snip other registers, drop unreliable trace>[EOL][EOL][   44.617726] Call Trace:[EOL][   44.617926]  <TASK>[EOL][   44.619284]  userfaultfd_release+0xef/0x1b0[EOL][   44.620976]  __fput+0x3f9/0xb60[EOL][   44.621240]  fput_close_sync+0x110/0x210[EOL][   44.622222]  __x64_sys_close+0x8f/0x120[EOL][   44.622530]  do_syscall_64+0x5b/0x2f0[EOL][   44.622840]  entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL][   44.623244] RIP: 0033:0x7f365bb3f227[EOL][EOL]Kernel panics because it detects UFFD inconsistency during[EOL]userfaultfd_release_all().  Specifically, a VMA which has a valid pointer[EOL]to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.[EOL][EOL]The inconsistency is caused in ksm_madvise(): when user calls madvise()[EOL]with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,[EOL]it accidentally clears all flags stored in the upper 32 bits of[EOL]vma->vm_flags.[EOL][EOL]Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and[EOL]int are 32-bit wide.  This setup causes the following mishap during the &=[EOL]~VM_MERGEABLE assignment.[EOL][EOL]VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. [EOL]After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then[EOL]promoted to unsigned long before the & operation.  This promotion fills[EOL]upper 32 bits with leading 0s, as we're doing unsigned conversion (and[EOL]even for a signed conversion, this wouldn't help as the leading bit is 0).[EOL]& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff[EOL]instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears[EOL]the upper 32-bits of its value.[EOL][EOL]Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the[EOL]BIT() macro.[EOL][EOL]Note: other VM_* flags are not affected: This only happens to the[EOL]VM_MERGEABLE flag, as the other VM_* flags are all constants of type int[EOL]and after ~ operation, they end up with leading 1 and are thus converted[EOL]to unsigned long with leading 1s.[EOL][EOL]Note 2:[EOL]After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is[EOL]no longer a kernel BUG, but a WARNING at the same place:[EOL][EOL][   45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067[EOL][EOL]but the root-cause (flag-drop) remains the same.[EOL][EOL][akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]