Bug 452666 (CVE-2008-2372) - CVE-2008-2372 kernel: Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP
Summary: CVE-2008-2372 kernel: Reinstate ZERO_PAGE optimization in 'get_user_pages()' ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2372
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 452667 452668 453139
Blocks:
Reported: 2008-06-24 13:05 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-23 19:02:41 UTC
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2008:0585 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2008-08-26 19:56:57 UTC
Red Hat Product Errata | RHSA-2008:0957 | 0 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2008-11-12 09:34:44 UTC

Description Jan Lieskovsky 2008-06-24 13:05:43 UTC
Description of problem:

KAMEZAWA Hiroyuki and Oleg Nesterov point out that since the commit
557ed1fa2620dc119adb86b34c614e152a629a80 ("remove ZERO_PAGE") removed
the ZERO_PAGE from the VM mappings, any users of get_user_pages() will
generally now populate the VM with real empty pages needlessly.

We used to get the ZERO_PAGE when we did the "handle_mm_fault()", but
since fault handling no longer uses ZERO_PAGE for new anonymous pages,
we now need to handle that special case in follow_page() instead.

In particular, the removal of ZERO_PAGE effectively removed the core
file writing optimization where we would skip writing pages that had not
been populated at all, and increased memory pressure a lot by allocating
all those useless newly zeroed pages.

This reinstates the optimization by making the unmapped PTE case the
same as for a non-existent page table, which already did this correctly.

While at it, this also fixes the XIP case for follow_page(), where the
caller could not differentiate between the case of a page that simply
could not be used (because it had no "struct page" associated with it)
and a page that just wasn't mapped.

We do that by simply returning an error pointer for pages that could not
be turned into a "struct page *".  The error is arbitrarily picked to be
EFAULT, since that was what get_user_pages() already used for the
equivalent IO-mapped page case.


Version-Release number of selected component (if applicable):
All kernel versions after commit b5810039a54e5babf428e9a1e89fc1940fabff11

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=557ed1fa2620dc119adb86b34c614e152a629a80;hp=aadb4bc4a1f9108c1d0fbd121827c936c2ed4217

Additional info:

Proposed upstream patch to fix this issue:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=89f5b7da2a6bad2e84670422ab8192382a5aeb9f

Please NOTE: the original patch from KAMEZAWA Hiroyuki and Oleg Nesterov
(the above link) broke the vmware functionality. There is also an
upstream fix to resolve the issues introduced by
89f5b7da2a6bad2e84670422ab8192382a5aeb9f -- the upstream patch to fix the vmware breakage:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=672ca28e300c17bf8d792a2a7a8631193e580c74
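
As an added example (not code from this bug report or from the kernel patches it links), a user-space measurement of the effect the description above is about: it maps an untouched anonymous region, asks the kernel to populate it read-only through madvise(MADV_POPULATE_READ), which walks the range via get_user_pages() without write intent, and compares RSS before and after; with the ZERO_PAGE optimization in place the read-only pass costs almost nothing and only the later writes allocate real pages. It assumes a Linux host with /proc mounted; MADV_POPULATE_READ exists from Linux 5.14, and on older kernels the code falls back to plain read faults.

```c
/* Added example, not from the bug report: does a read-only get_user_pages() walk
 * over untouched anonymous memory allocate real pages or reuse ZERO_PAGE?  Linux
 * only; madvise(MADV_POPULATE_READ) (5.14+) drives the walk from user space. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MADV_POPULATE_READ
#define MADV_POPULATE_READ 22   /* uapi value, for older libc headers */
#endif
#define REGION (32UL << 20)     /* 32 MiB of anonymous memory, untouched at start */
/* Resident set size in bytes from /proc/self/statm (field 2 is in pages). */
static long rss_bytes(void)
{
    long size, resident;
    FILE *f = fopen("/proc/self/statm", "r");
    if (!f) return -1;
    int n = fscanf(f, "%ld %ld", &size, &resident);
    fclose(f);
    return n == 2 ? resident * sysconf(_SC_PAGESIZE) : -1;
}
/* Reports RSS growth after a read-only populate of the region (*read_growth) and
 * after then writing one byte per page (*write_growth).  Returns 0, else -1. */
int measure_zero_page(long *read_growth, long *write_growth)
{
    unsigned char *region = mmap(NULL, REGION, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    long base = rss_bytes();
    /* With the optimization every PTE lands on the shared zero page and RSS barely
     * moves; without it, 32 MiB is allocated.  Pre-5.14 kernels: plain read faults. */
    if (madvise(region, REGION, MADV_POPULATE_READ) != 0) {
        volatile unsigned char *touch = region;
        for (unsigned long off = 0; off < REGION; off += 4096) (void)touch[off];
    }
    long after_read = rss_bytes();
    for (unsigned long off = 0; off < REGION; off += 4096) region[off] = 1; /* COW into real pages */
    long after_write = rss_bytes();
    munmap(region, REGION);
    if (base < 0 || after_read < 0 || after_write < 0) return -1;
    *read_growth = after_read - base;
    *write_growth = after_write - after_read;
    return 0;
}
int main(void)
{
    long r, w;
    if (measure_zero_page(&r, &w) != 0) return 1;
    return printf("RSS growth: read-only populate %ld KiB, writes %ld KiB\n", r >> 10, w >> 10) < 0;
}
```

On a current kernel the read-only pass typically reports close to 0 KiB while the write pass reports roughly the full 32768 KiB; a kernel lacking the reinstated optimization would show the read-only walk itself consuming the memory.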

Comment 7 Vincent Danen 2010-12-23 19:02:41 UTC
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0585)
Red Hat Enterprise Linux version 5 (RHSA-2008:0957)
