Commit e04862fd authored Oct 31, 2024 by Oleg Nesterov Committed by Chen Zhongjin Oct 31, 2024

uprobes: fix kernel info leak via "[uprobes]" vma

stable inclusion
from stable-v5.10.227
commit f561b48d633ac2e7d0d667020fc634a96ade33a0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRDD
CVE: CVE-2024-49975

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f561b48d633ac2e7d0d667020fc634a96ade33a0

--------------------------------

commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream.

xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
into userspace. On some architectures (x86) this memory is readable even
without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
although this doesn't really matter, debugger can read this memory anyway.

Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/



Reported-by: Will Deacon <will@kernel.org>
Fixes: d4b3b638 ("uprobes/core: Allocate XOL slots for uprobes use")
Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>

parent c67d418d

kernel/events/uprobes.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1497,7 +1497,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
		area->xol_mapping.name = "[uprobes]";
		area->xol_mapping.fault = NULL;
		area->xol_mapping.pages = area->pages;
		area->pages[0] = alloc_page(GFP_HIGHUSER);
		area->pages[0] = alloc_page(GFP_HIGHUSER \| __GFP_ZERO);
		if (!area->pages[0])
		goto free_bitmap;
		area->pages[1] = NULL;