Description of two problems (the first is a longstanding security issue that is easily reproducible since vmsplice was introduced; the second is a user ABI break vs RHEL8 and all kernels before commit 09854ba94c6aad7886996bfbee2530b3d8a7f4f4):

1) The child can read private memory of the parent process by misusing get_user_pages (easy to reproduce with vmsplice as the vector).

2) Wrprotecting any pinned page, no matter if short term or FOLL_LONGTERM or FOLL_PIN or FOLL_GET, may result in silent user data corruption. It has become a userland bug to wrprotect any page that may be pinned, with mprotect(), clear_refs or any other MM code that has the capability of wrprotecting memory.

How reproducible: for 1) I modified the original testcase posted by Jann Horn on 27 May 2020 to show it still reproduces the security issue upstream.

Steps to Reproduce defect 1):

$ wget https://raw.githubusercontent.com/aagit/kernel-testcases-for-v5.11/main/vmsplice-v5.11.c
$ gcc vmsplice-v5.11.c -o vmsplice-v5.11 -O2
$ ./vmsplice-v5.11

Actual results:
read string from child: THIS IS SECRET

Expected results:
read string from child: BORING DATA

Steps to Reproduce defect 2):

$ wget https://raw.githubusercontent.com/aagit/kernel-testcases-for-v5.11/main/page_count_do_wp_page.c
$ gcc -o page_count_do_wp_page page_count_do_wp_page.c -O2 -lpthread
$ ./page_count_do_wp_page /tmp/whatever

Actual results:
random memory corruption (not happening in RHEL8 or any kernel before 09854ba94c6aad7886996bfbee2530b3d8a7f4f4 broke the user ABI)

Expected results:
same behavior as RHEL8, no output from this testcase, no user ABI break
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: kernel), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3907