cachestat: fix page cache statistics permission checking

Rafael Aquini · Rafael Aquini · commit 86ca59c48668 · 2025-04-18T08:39:53.000-04:00
JIRA: https://issues.redhat.com/browse/RHEL-84184 JIRA: https://issues.redhat.com/browse/RHEL-78989 CVE: CVE-2025-21691 Conflicts: * minor differences on the 2nd hunk due to RHEL-9 missing upstream commit 65c8941 ("convert cachestat(2)") that transposes fdput() with copy_to_user(), as well as missing commit 1da91ea ("introduce fd_file(), convert all accessors to it."). These changes, however are irrelevant for this backport work. This patch is a backport of the following upstream commit: commit 5f53766 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Tue Jan 21 09:27:22 2025 -0800 cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1 ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9 ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma). Reported-by: Sudheendra Raghav Neela <sneela@tugraz.at> Fixes: cf264e1 ("cachestat: implement cachestat syscall") Tested-by: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Acked-by: Nhat Pham <nphamcs@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Rafael Aquini <raquini@redhat.com>
diff --git a/mm/filemap.c b/mm/filemap.c
@@ -4212,6 +4212,20 @@ static void filemap_cachestat(struct address_space *mapping,
 	rcu_read_unlock();
 }
 
+/*
+ * See mincore: reveal pagecache information only for files
+ * that the calling process has write access to, or could (if
+ * tried) open for writing.
+ */
+static inline bool can_do_cachestat(struct file *f)
+{
+	if (f->f_mode & FMODE_WRITE)
+		return true;
+	if (inode_owner_or_capable(file_mnt_idmap(f), file_inode(f)))
+		return true;
+	return file_permission(f, MAY_WRITE) == 0;
+}
+
 /*
  * The cachestat(2) system call.
  *
@@ -4271,6 +4285,11 @@ SYSCALL_DEFINE4(cachestat, unsigned int, fd,
 		return -EOPNOTSUPP;
 	}
 
+	if (!can_do_cachestat(f.file)) {
+		fdput(f);
+		return -EPERM;
+	}
+
 	if (flags != 0) {
 		fdput(f);
 		return -EINVAL;
