Bug 452666 - (CVE-2008-2372) CVE-2008-2372 kernel: Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP
CVE-2008-2372 kernel: Reinstate ZERO_PAGE optimization in 'get_user_pages()' ...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 452667 452668 453139
  Show dependency treegraph
Reported: 2008-06-24 09:05 EDT by Jan Lieskovsky
Modified: 2010-12-23 14:02 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-23 14:02:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-06-24 09:05:43 EDT
Description of problem:

KAMEZAWA Hiroyuki and Oleg Nesterov point out that since the commit
557ed1fa2620dc119adb86b34c614e152a629a80 ("remove ZERO_PAGE") removed
the ZERO_PAGE from the VM mappings, any users of get_user_pages() will
generally now populate the VM with real empty pages needlessly.

We used to get the ZERO_PAGE when we did the "handle_mm_fault()", but
since fault handling no longer uses ZERO_PAGE for new anonymous pages,
we now need to handle that special case in follow_page() instead.

In particular, the removal of ZERO_PAGE effectively removed the core
file writing optimization where we would skip writing pages that had not
been populated at all, and increased memory pressure a lot by allocating
all those useless newly zeroed pages.

This reinstates the optimization by making the unmapped PTE case the
same as for a non-existent page table, which already did this correctly.

While at it, this also fixes the XIP case for follow_page(), where the
caller could not differentiate between the case of a page that simply
could not be used (because it had no "struct page" associated with it)
and a page that just wasn't mapped.

We do that by simply returning an error pointer for pages that could not
be turned into a "struct page *".  The error is arbitrarily picked to be
EFAULT, since that was what get_user_pages() already used for the
equivalent IO-mapped page case.

Version-Release number of selected component (if applicable):
All kernel versions after commit b5810039a54e5babf428e9a1e89fc1940fabff11


Additional info:

Proposed upstream patch to fix this issue:


Please NOTE, the original patch from KAMEZAWA Hiroyuki and Oleg Nesterov
(the above link) did break out the vmware functionality. There is also
upstream fix to resolve these by 89f5b7da2a6bad2e84670422ab8192382a5aeb9f 
introduced issues -- the upstream patch to fix the vmware breakage:

Comment 7 Vincent Danen 2010-12-23 14:02:41 EST
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0585)
Red Hat Enterprise Linux version 5 (RHSA-2008:0957)

Note You need to log in before you can comment on or make changes to this bug.