r2291 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Andres Salomon
dilinger-guest@costa.debian.org
Thu, 13 Jan 2005 17:06:09 +0100
Author: dilinger-guest
Date: 2005-01-13 17:06:08 +0100 (Thu, 13 Jan 2005)
New Revision: 2291
Removed:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/033-rlimit_memlock_check.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
Log:
nuke rlimit patch (033-rlimit_memlock_check.dpatch)
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-13 10:00:48 UTC (rev 2290)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-13 16:06:08 UTC (rev 2291)
@@ -10,12 +10,6 @@
that actually works. Thanks to S?ren Hansen <sh@warma.dk> for finding
and submitting it. (Christoph Hellwig) (closes: #283241).
- * [SECURITY] 033-rlimit_memlock_check.dpatch
- RLIMIT_MEMLOCK isn't checked properly, allowing for a DoS attack.
- See http://seclists.org/lists/fulldisclosure/2005/Jan/0270.html for
- more details. This patch fixes it, and all reorganizes the stack resize
- stuff a bit (*sigh*) (Andres Salomon).
-
* [SECURITY] 034-stack_resize_exploit.dpatch
Fix exploitable race condition on SMP and HT systems where two
threads attempt to expand the stack at the same time. This is
Deleted: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/033-rlimit_memlock_check.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/033-rlimit_memlock_check.dpatch 2005-01-13 10:00:48 UTC (rev 2290)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/033-rlimit_memlock_check.dpatch 2005-01-13 16:06:08 UTC (rev 2291)
@@ -1,179 +0,0 @@
-#! /bin/sh -e
-## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Description: Clean up stack growth checks and move them into a common function.
-## DP: Patch author: torvalds@ppc970.osdl.org
-## DP: Upstream status: backported
-
-. $(dirname $0)/DPATCH
-
-@DPATCH@
-# This is a BitKeeper generated diff -Nru style patch.
-#
-# ChangeSet
-# 2005/01/10 11:23:42-08:00 torvalds@ppc970.osdl.org
-# Clean up stack growth checks and move them into a common function.
-#
-# The grows-up and grows-down cases had all the same issues, but
-# differered in the details. Additionlly, historical evolution of
-# the tests had caused the result to be pretty unreadable with some
-# rather long and complex conditionals.
-#
-# Fix it all up in a more readable helper function.
-#
-# This also adds the missing RLIMIT_MEMLOCK test.
-#
-# mm/mmap.c
-# 2005/01/10 11:23:35-08:00 torvalds@ppc970.osdl.org +61 -44
-# Clean up stack growth checks and move them into a common function.
-#
-# The grows-up and grows-down cases had all the same issues, but
-# differered in the details. Additionlly, historical evolution of
-# the tests had caused the result to be pretty unreadable with some
-# rather long and complex conditionals.
-#
-# Fix it all up in a more readable helper function.
-#
-# This also adds the missing RLIMIT_MEMLOCK test.
-#
-diff -Nru a/mm/mmap.c b/mm/mmap.c
---- a/mm/mmap.c 2005-01-12 20:21:10 -08:00
-+++ b/mm/mmap.c 2005-01-12 20:21:10 -08:00
-@@ -1335,13 +1335,57 @@
- return prev ? prev->vm_next : vma;
- }
-
-+/*
-+ * Verify that the stack growth is acceptable and
-+ * update accounting. This is shared with both the
-+ * grow-up and grow-down cases.
-+ */
-+static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, unsigned long grow)
-+{
-+ struct mm_struct *mm = vma->vm_mm;
-+ struct rlimit *rlim = current->rlim;
-+
-+ /* address space limit tests */
-+ rlim = current->rlim;
-+ if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
-+ return -ENOMEM;
-+
-+ /* Stack limit test */
-+ if (size > rlim[RLIMIT_STACK].rlim_cur)
-+ return -ENOMEM;
-+
-+ /* mlock limit tests */
-+ if (vma->vm_flags & VM_LOCKED) {
-+ unsigned long locked;
-+ unsigned long limit;
-+ locked = mm->locked_vm + grow;
-+ limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
-+ if (locked > limit)
-+ return -ENOMEM;
-+ }
-+
-+ /*
-+ * Overcommit.. This must be the final test, as it will
-+ * update security statistics.
-+ */
-+ if (security_vm_enough_memory(grow))
-+ return -ENOMEM;
-+
-+ /* Ok, everything looks good - let it rip */
-+ mm->total_vm += grow;
-+ if (vma->vm_flags & VM_LOCKED)
-+ mm->locked_vm += grow;
-+ return 0;
-+}
-+
- #ifdef CONFIG_STACK_GROWSUP
- /*
- * vma is the first one with address > vma->vm_end. Have to extend vma.
- */
- int expand_stack(struct vm_area_struct * vma, unsigned long address)
- {
-- unsigned long grow;
-+ int error;
-+ unsigned long size, grow;
-
- if (!(vma->vm_flags & VM_GROWSUP))
- return -EFAULT;
-@@ -1361,27 +1405,14 @@
- */
- address += 4 + PAGE_SIZE - 1;
- address &= PAGE_MASK;
-+ size = address - vma->vm_start;
- grow = (address - vma->vm_end) >> PAGE_SHIFT;
-
-- /* Overcommit.. */
-- if (security_vm_enough_memory(grow)) {
-- anon_vma_unlock(vma);
-- return -ENOMEM;
-- }
--
-- if (address - vma->vm_start > current->rlim[RLIMIT_STACK].rlim_cur ||
-- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
-- current->rlim[RLIMIT_AS].rlim_cur) {
-- anon_vma_unlock(vma);
-- vm_unacct_memory(grow);
-- return -ENOMEM;
-- }
-- vma->vm_end = address;
-- vma->vm_mm->total_vm += grow;
-- if (vma->vm_flags & VM_LOCKED)
-- vma->vm_mm->locked_vm += grow;
-+ error = acct_stack_growth(vma, size, grow);
-+ if (!error)
-+ vma->vm_end = address;
- anon_vma_unlock(vma);
-- return 0;
-+ return error;
- }
-
- struct vm_area_struct *
-@@ -1409,7 +1440,8 @@
- */
- int expand_stack(struct vm_area_struct *vma, unsigned long address)
- {
-- unsigned long grow;
-+ int error;
-+ unsigned long size, grow;
-
- /*
- * We must make sure the anon_vma is allocated
-@@ -1425,28 +1457,16 @@
- * anon_vma lock to serialize against concurrent expand_stacks.
- */
- address &= PAGE_MASK;
-+ size = vma->vm_end - address;
- grow = (vma->vm_start - address) >> PAGE_SHIFT;
-
-- /* Overcommit.. */
-- if (security_vm_enough_memory(grow)) {
-- anon_vma_unlock(vma);
-- return -ENOMEM;
-- }
--
-- if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
-- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
-- current->rlim[RLIMIT_AS].rlim_cur) {
-- anon_vma_unlock(vma);
-- vm_unacct_memory(grow);
-- return -ENOMEM;
-+ error = acct_stack_growth(vma, size, grow);
-+ if (!error) {
-+ vma->vm_start = address;
-+ vma->vm_pgoff -= grow;
- }
-- vma->vm_start = address;
-- vma->vm_pgoff -= grow;
-- vma->vm_mm->total_vm += grow;
-- if (vma->vm_flags & VM_LOCKED)
-- vma->vm_mm->locked_vm += grow;
- anon_vma_unlock(vma);
-- return 0;
-+ return error;
- }
-
- struct vm_area_struct *
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13 2005-01-13 10:00:48 UTC (rev 2290)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13 2005-01-13 16:06:08 UTC (rev 2291)
@@ -1,7 +1,6 @@
+ scsi-blacklist-2.dpatch
- smbfs-overflow-fixes.dpatch
+ smbfs-overflow-fixes-2.dpatch
-+ 033-rlimit_memlock_check.dpatch
+ 034-stack_resize_exploit.dpatch
+ 035-do_brk_security_fixes-2.dpatch
+ cmsg-compat-signedness-fix-fix.dpatch