
kernel-packages team mailing list archive

[Bug 1556141] Re: s390/mm: four page table levels vs. fork

 

This is s390x architecture specific. s390x architecture is only present
in Xenial and nowhere else. And only in generic flavour. No Security
update is needed in any other kernel flavour, nor in any other release
series.

** No longer affects: linux (Ubuntu Precise)

** No longer affects: linux (Ubuntu Trusty)

** No longer affects: linux (Ubuntu Wily)

** No longer affects: linux-armadaxp (Ubuntu)

** No longer affects: linux-flo (Ubuntu)

** No longer affects: linux-goldfish (Ubuntu)

** No longer affects: linux-lts-quantal (Ubuntu)

** No longer affects: linux-lts-raring (Ubuntu)

** No longer affects: linux-lts-saucy (Ubuntu)

** No longer affects: linux-lts-trusty (Ubuntu)

** No longer affects: linux-lts-utopic (Ubuntu)

** No longer affects: linux-lts-vivid (Ubuntu)

** No longer affects: linux-lts-wily (Ubuntu)

** No longer affects: linux-lts-xenial (Ubuntu)

** No longer affects: linux-mako (Ubuntu)

** No longer affects: linux-manta (Ubuntu)

** No longer affects: linux-raspi2 (Ubuntu)

** No longer affects: linux-ti-omap4 (Ubuntu)

** Changed in: linux-armadaxp (Ubuntu Precise)
       Status: New => Invalid

** Changed in: linux-goldfish (Ubuntu Wily)
       Status: New => Invalid

** Changed in: linux-goldfish (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Precise)
       Status: New => Invalid

** Changed in: linux-raspi2 (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: linux-raspi2 (Ubuntu Wily)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1556141

Title:
  s390/mm: four page table levels vs. fork

Status in linux package in Ubuntu:
  New
Status in linux-armadaxp source package in Precise:
  Invalid
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Invalid
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux-lts-vivid source package in Trusty:
  New
Status in linux-lts-wily source package in Trusty:
  New
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  Invalid
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  Invalid
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  Invalid
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  New
Status in linux-raspi2 source package in Xenial:
  Invalid
Status in linux-ti-omap4 source package in Xenial:
  Invalid

Bug description:
  == Comment: #0 - Hendrik Brueckner <brueckner@xxxxxxxxxx> - 2016-03-11 08:30:57 ==
  Please backport:

  http://git.kernel.org/cgit/linux/kernel/git/s390/linux.git/commit/?h=for-linus&id=3446c13b268af86391d06611327006b059b8bab1

  s390/mm: four page table levels vs. fork
  The fork of a process with four page table levels is broken since
  git commit 6252d702c5311ce9 "[S390] dynamic page tables."

  All new mm contexts are created with three page table levels and
  an asce limit of 4TB. If the parent has four levels dup_mmap will
  add vmas to the new context which are outside of the asce limit.
  The subsequent call to copy_page_range will walk the three level
  page table structure of the new process with non-zero pgd and pud
  indexes. This leads to memory clobbers as the pgd_index *and* the
  pud_index are added to the mm->pgd pointer without a pgd_deref
  in between.

  The init_new_context() function is selecting the number of page
  table levels for a new context. The function is used by mm_init()
  which in turn is called by dup_mm() and mm_alloc(). These two are
  used by fork() and exec(). The init_new_context() function can
  distinguish the two cases by looking at mm->context.asce_limit:
  for fork() the mm struct has been copied and the number of page
  table levels may not change. For exec() the mm_alloc() function
  sets the new mm structure to zero; in this case a three-level page
  table is created as the temporary stack space is located at
  STACK_TOP_MAX = 4TB.

  This fixes CVE-2016-2143.

  Reported-by: Marcin Kościelnicki <koriakin@xxxxxxxx>
  Reviewed-by: Heiko Carstens <heiko.carstens@xxxxxxxxxx>
  Cc: stable@xxxxxxxxxxxxxxx
  Signed-off-by: Martin Schwidefsky <schwidefsky@xxxxxxxxxx>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1556141/+subscriptions
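
Added example, not part of the bug report or the upstream patch: a user-space C model of the fork()/exec() distinction the commit message describes, showing why a child forced to three levels ends up with mappings outside its asce limit. The struct, the function names and the parent's values (including the 1ULL << 53 limit) are constructed for illustration; only STACK_TOP_MAX = 4TB comes from the text.

```c
#include <stdint.h>
#include <stdio.h>

#define TB            (1ULL << 40)
#define STACK_TOP_MAX (4 * TB)      /* 4TB, as stated in the commit message */

struct mm_model {                   /* hypothetical stand-in for mm->context */
    uint64_t asce_limit;            /* 0 means "zeroed by mm_alloc()" (exec) */
    int      levels;                /* number of page table levels */
    uint64_t highest_vma_end;       /* end of the highest mapping */
};

/* Constructed sample parent: four levels, one mapping above 4TB. */
static const struct mm_model FOUR_LEVEL_PARENT = { 1ULL << 53, 4, 5 * TB };

/* Behaviour described as broken: every new context gets 3 levels / 4TB. */
static void init_old(struct mm_model *mm) {
    mm->asce_limit = STACK_TOP_MAX;
    mm->levels = 3;
}

/* Behaviour described as the fix: only a zeroed mm (exec) gets the defaults;
 * a copied mm (fork) keeps the parent's limit and level count. */
static void init_fixed(struct mm_model *mm) {
    if (mm->asce_limit == 0) {
        mm->asce_limit = STACK_TOP_MAX;
        mm->levels = 3;
    }
}

/* fork(): the mm is copied (here: passed by value), then init runs.
 * Returns 1 if every copied vma still lies inside the child's asce limit. */
static int fork_child_ok(struct mm_model child, void (*init)(struct mm_model *)) {
    init(&child);
    return child.highest_vma_end <= child.asce_limit;
}

/* exec(): mm_alloc() zeroes the mm before init; returns the levels chosen. */
static int exec_levels(void (*init)(struct mm_model *)) {
    struct mm_model mm = {0};
    init(&mm);
    return mm.levels;
}

int main(void) {
    printf("fork: old=%d fixed=%d; exec levels=%d\n", fork_child_ok(FOUR_LEVEL_PARENT, init_old),
           fork_child_ok(FOUR_LEVEL_PARENT, init_fixed), exec_levels(init_fixed));
    return 0;
}
```

A result of 0 from fork_child_ok marks the state in which copy_page_range would walk a three-level table with addresses beyond its limit.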