[SRU OEM-6.1,Lunar 00/14] CVE-2023-3269
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Jul 5 12:33:58 UTC 2023
[Impact]
The conversion to maple tree allows an attacker to cause a use-after-free
bug and cause a system denial of service (crash) or achieve kernel code
execution.
[Potential regression]
High potential regression as this touches memory management.

Ben Hutchings (3):
  mips/mm: Convert to using lock_mm_and_find_vma()
  riscv/mm: Convert to using lock_mm_and_find_vma()
  arm/mm: Convert to using lock_mm_and_find_vma()

Kees Cook (1):
  exec: Remove FOLL_FORCE for stack setup

Liam R. Howlett (1):
  mm: make find_extend_vma() fail if write lock not held

Linus Torvalds (7):
  mm: introduce new 'lock_mm_and_find_vma()' page fault helper
  mm: make the page fault mmap locking killable
  arm64/mm: Convert to using lock_mm_and_find_vma()
  mm/fault: convert remaining simple cases to lock_mm_and_find_vma()
  powerpc/mm: convert coprocessor fault to lock_mm_and_find_vma()
  execve: expand new process stack manually ahead of time
  mm: always expand the stack with the mmap write lock held

Michael Ellerman (1):
  powerpc/mm: Convert to using lock_mm_and_find_vma()

Thadeu Lima de Souza Cascardo (1):
  UBUNTU: [CONFIG]: Set CONFIG_LOCK_MM_AND_FIND_VMA

arch/alpha/Kconfig | 1 +
arch/alpha/mm/fault.c | 13 +---
arch/arc/Kconfig | 1 +
arch/arc/mm/fault.c | 11 +--
arch/arm/Kconfig | 1 +
arch/arm/mm/fault.c | 63 ++++-------------
arch/arm64/Kconfig | 1 +
arch/arm64/mm/fault.c | 46 +++---------
arch/csky/Kconfig | 1 +
arch/csky/mm/fault.c | 22 ++----
arch/hexagon/Kconfig | 1 +
arch/hexagon/mm/vm_fault.c | 18 ++---
arch/ia64/mm/fault.c | 36 ++--------
arch/loongarch/Kconfig | 1 +
arch/loongarch/mm/fault.c | 16 ++---
arch/m68k/mm/fault.c | 9 ++-
arch/microblaze/mm/fault.c | 5 +-
arch/mips/Kconfig | 1 +
arch/mips/mm/fault.c | 12 +---
arch/nios2/Kconfig | 1 +
arch/nios2/mm/fault.c | 17 +----
arch/openrisc/mm/fault.c | 5 +-
arch/parisc/mm/fault.c | 23 +++---
arch/powerpc/Kconfig | 1 +
arch/powerpc/mm/copro_fault.c | 14 +---
arch/powerpc/mm/fault.c | 39 +----------
arch/riscv/Kconfig | 1 +
arch/riscv/mm/fault.c | 31 ++++-----
arch/s390/mm/fault.c | 5 +-
arch/sh/Kconfig | 1 +
arch/sh/mm/fault.c | 17 +----
arch/sparc/Kconfig | 1 +
arch/sparc/mm/fault_32.c | 32 +++------
arch/sparc/mm/fault_64.c | 8 ++-
arch/um/kernel/trap.c | 11 +--
arch/x86/Kconfig | 1 +
arch/x86/mm/fault.c | 52 +-------------
arch/xtensa/Kconfig | 1 +
arch/xtensa/mm/fault.c | 14 +---
debian.oem/config/annotations | 1 +
drivers/iommu/amd/iommu_v2.c | 4 +-
drivers/iommu/io-pgfault.c | 2 +-
fs/binfmt_elf.c | 6 +-
fs/exec.c | 38 +++++-----
include/linux/mm.h | 16 ++---
mm/Kconfig | 4 ++
mm/gup.c | 6 +-
mm/memory.c | 127 ++++++++++++++++++++++++++++++++++
mm/mmap.c | 121 +++++++++++++++++++++++++++-----
mm/nommu.c | 17 ++---
50 files changed, 422 insertions(+), 454 deletions(-)
--
2.34.1