Unverified Commit f91bc9d0 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!15597 CVE-2025-21853

Merge Pull Request from: @ci-robot 
 
PR sync from: Pu Lehui <pulehui@huawei.com>
https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/6ULX5NYGFNJ4QKWHVLDAWWVTWKHV4MZ5/ 
Andrii Nakryiko (2):
  bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic
  bpf: avoid holding freeze_mutex during mmap operation

 
https://gitee.com/src-openeuler/kernel/issues/IBSW0M 
 
Link:https://gitee.com/openeuler/kernel/pulls/15597

 

Reviewed-by: default avatarYe Weihua <yeweihua4@huawei.com>
Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 59401c6f 48fdd1e9
+0 −4
@@ -268,8 +268,6 @@ static int ringbuf_map_mmap_kern(struct bpf_map *map, struct vm_area_struct *vma
		/* allow writable mapping for the consumer_pos only */
		if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE)
			return -EPERM;
	} else {
		vm_flags_clear(vma, VM_MAYWRITE);
	}
	/* remap_vmalloc_range() checks size and offset constraints */
	return remap_vmalloc_range(vma, rb_map->rb,
@@ -289,8 +287,6 @@ static int ringbuf_map_mmap_user(struct bpf_map *map, struct vm_area_struct *vma
			 * position, and the ring buffer data itself.
			 */
			return -EPERM;
	} else {
		vm_flags_clear(vma, VM_MAYWRITE);
	}
	/* remap_vmalloc_range() checks size and offset constraints */
	return remap_vmalloc_range(vma, rb_map->rb, vma->vm_pgoff + RINGBUF_PGOFF);
+17 −8
@@ -883,7 +883,7 @@ static const struct vm_operations_struct bpf_map_default_vmops = {
static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
{
	struct bpf_map *map = filp->private_data;
	int err;
	int err = 0;

	if (!map->ops->map_mmap || !IS_ERR_OR_NULL(map->record))
		return -ENOTSUPP;
@@ -907,24 +907,33 @@ static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
			err = -EACCES;
			goto out;
		}
		bpf_map_write_active_inc(map);
	}
out:
	mutex_unlock(&map->freeze_mutex);
	if (err)
		return err;

	/* set default open/close callbacks */
	vma->vm_ops = &bpf_map_default_vmops;
	vma->vm_private_data = map;
	vm_flags_clear(vma, VM_MAYEXEC);
	/* If mapping is read-only, then disallow potentially re-mapping with
	 * PROT_WRITE by dropping VM_MAYWRITE flag. This VM_MAYWRITE clearing
	 * means that as far as BPF map's memory-mapped VMAs are concerned,
	 * VM_WRITE and VM_MAYWRITE and equivalent, if one of them is set,
	 * both should be set, so we can forget about VM_MAYWRITE and always
	 * check just VM_WRITE
	 */
	if (!(vma->vm_flags & VM_WRITE))
		/* disallow re-mapping with PROT_WRITE */
		vm_flags_clear(vma, VM_MAYWRITE);

	err = map->ops->map_mmap(map, vma);
	if (err)
		goto out;
	if (err) {
		if (vma->vm_flags & VM_WRITE)
			bpf_map_write_active_dec(map);
	}

	if (vma->vm_flags & VM_MAYWRITE)
		bpf_map_write_active_inc(map);
out:
	mutex_unlock(&map->freeze_mutex);
	return err;
}
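Review bot: In the failure path after `map->ops->map_mmap(map, vma)`, the decrement is keyed on `vma->vm_flags & VM_WRITE` as re-read after the callback has run, while the matching `bpf_map_write_active_inc(map)` was decided earlier, before `freeze_mutex` was released. That counter appears to be what stops a map with a live writable mapping from being frozen, so the pairing would be more robust if the decision were latched once, e.g. `bool writable = vma->vm_flags & VM_WRITE;` ahead of the locked section and `if (err && writable) bpf_map_write_active_dec(map);` afterwards. None of the callbacks visible in this commit alter VM_WRITE, so this is hardening rather than a known imbalance. The new comment also reads "VM_WRITE and VM_MAYWRITE and equivalent", which should be `are equivalent`. The locked section begins between the two hunks, so the `mutex_lock()` call and the start of the VM_WRITE check are not visible here.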