r2379 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Andres Salomon dilinger-guest@costa.debian.org
Sun, 23 Jan 2005 22:06:31 +0100


Author: dilinger-guest
Date: 2005-01-23 22:06:30 +0100 (Sun, 23 Jan 2005)
New Revision: 2379

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
Log:
  * expand_stack_reorg.dpatch
    Clean up mm/mmap.c's expand_stack() function, backported from
    2.6.11-rcX.  Needed for future security patches (Andres Salomon).



Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-01-23 21:06:30 UTC (rev 2379)
@@ -10,6 +10,10 @@
     that actually works.  Thanks to S?ren Hansen <sh@warma.dk> for finding
     and submitting it. (Christoph Hellwig) (closes: #283241).
 
+  * expand_stack_reorg.dpatch
+    Clean up mm/mmap.c's expand_stack() function, backported from
+    2.6.11-rcX.  Needed for future security patches (Andres Salomon).
+
   * [SECURITY] 034-stack_resize_exploit.dpatch
     Fix exploitable race condition on SMP and HT systems where two
     threads attempt to expand the stack at the same time.  This is

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch	2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch	2005-01-23 21:06:30 UTC (rev 2379)
@@ -0,0 +1,172 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Clean up stack growth checks and move them into a common function.
+## DP: Patch author: torvalds@ppc970.osdl.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+#   2005/01/10 11:23:42-08:00 torvalds@ppc970.osdl.org 
+#   Clean up stack growth checks and move them into a common function.
+#   
+#   The grows-up and grows-down cases had all the same issues, but
+#   differered in the details. Additionlly, historical evolution of
+#   the tests had caused the result to be pretty unreadable with some
+#   rather long and complex conditionals.
+#   
+#   Fix it all up in a more readable helper function.
+#   
+#   This also adds the missing RLIMIT_MEMLOCK test.
+# 
+# mm/mmap.c
+#   2005/01/10 11:23:35-08:00 torvalds@ppc970.osdl.org +61 -44
+#   Clean up stack growth checks and move them into a common function.
+#   
+#   The grows-up and grows-down cases had all the same issues, but
+#   differered in the details. Additionlly, historical evolution of
+#   the tests had caused the result to be pretty unreadable with some
+#   rather long and complex conditionals.
+#   
+#   Fix it all up in a more readable helper function.
+#   
+#   This also adds the missing RLIMIT_MEMLOCK test.
+# 
+#Note: since 2.6.8 doesn't use RLIMIT_MEMLOCK for non-privileged
+#processes, this doesn't include the RLIMIT_MEMLOCK test.  Now 
+#it's just the stack expansion reorganization.  Backported by
+#Andres Salomon <dilinger@voxel.net>.
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c	2005-01-12 20:21:10 -08:00
++++ b/mm/mmap.c	2005-01-12 20:21:10 -08:00
+@@ -1335,13 +1335,46 @@
+ 	return prev ? prev->vm_next : vma;
+ }
+ 
++/*
++ * Verify that the stack growth is acceptable and
++ * update accounting. This is shared with both the
++ * grow-up and grow-down cases.
++ */
++static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, unsigned long grow)
++{
++	struct mm_struct *mm = vma->vm_mm;
++	struct rlimit *rlim = current->rlim;
++
++	/* address space limit tests */
++	if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
++		return -ENOMEM;
++
++	/* Stack limit test */
++	if (size > rlim[RLIMIT_STACK].rlim_cur)
++		return -ENOMEM;
++
++	/*
++	 * Overcommit..  This must be the final test, as it will
++	 * update security statistics.
++	 */
++	if (security_vm_enough_memory(grow))
++		return -ENOMEM;
++
++	/* Ok, everything looks good - let it rip */
++	mm->total_vm += grow;
++	if (vma->vm_flags & VM_LOCKED)
++		mm->locked_vm += grow;
++	return 0;
++}
++
+ #ifdef CONFIG_STACK_GROWSUP
+ /*
+  * vma is the first one with address > vma->vm_end.  Have to extend vma.
+  */
+ int expand_stack(struct vm_area_struct * vma, unsigned long address)
+ {
+-	unsigned long grow;
++	int error;
++	unsigned long size, grow;
+ 
+ 	if (!(vma->vm_flags & VM_GROWSUP))
+ 		return -EFAULT;
+@@ -1361,27 +1394,14 @@
+ 	 */
+ 	address += 4 + PAGE_SIZE - 1;
+ 	address &= PAGE_MASK;
++	size = address - vma->vm_start;
+ 	grow = (address - vma->vm_end) >> PAGE_SHIFT;
+ 
+-	/* Overcommit.. */
+-	if (security_vm_enough_memory(grow)) {
+-		anon_vma_unlock(vma);
+-		return -ENOMEM;
+-	}
+-	
+-	if (address - vma->vm_start > current->rlim[RLIMIT_STACK].rlim_cur ||
+-			((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+-			current->rlim[RLIMIT_AS].rlim_cur) {
+-		anon_vma_unlock(vma);
+-		vm_unacct_memory(grow);
+-		return -ENOMEM;
+-	}
+-	vma->vm_end = address;
+-	vma->vm_mm->total_vm += grow;
+-	if (vma->vm_flags & VM_LOCKED)
+-		vma->vm_mm->locked_vm += grow;
++	error = acct_stack_growth(vma, size, grow);
++	if (!error)
++		vma->vm_end = address;
+ 	anon_vma_unlock(vma);
+-	return 0;
++	return error;
+ }
+ 
+ struct vm_area_struct *
+@@ -1409,7 +1429,8 @@
+  */
+ int expand_stack(struct vm_area_struct *vma, unsigned long address)
+ {
+-	unsigned long grow;
++	int error;
++	unsigned long size, grow;
+ 
+ 	/*
+ 	 * We must make sure the anon_vma is allocated
+@@ -1425,28 +1446,16 @@
+ 	 * anon_vma lock to serialize against concurrent expand_stacks.
+ 	 */
+ 	address &= PAGE_MASK;
++	size = vma->vm_end - address;
+ 	grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ 
+-	/* Overcommit.. */
+-	if (security_vm_enough_memory(grow)) {
+-		anon_vma_unlock(vma);
+-		return -ENOMEM;
+-	}
+-	
+-	if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+-			((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+-			current->rlim[RLIMIT_AS].rlim_cur) {
+-		anon_vma_unlock(vma);
+-		vm_unacct_memory(grow);
+-		return -ENOMEM;
++	error = acct_stack_growth(vma, size, grow);
++	if (!error) {
++		vma->vm_start = address;
++		vma->vm_pgoff -= grow;
+ 	}
+-	vma->vm_start = address;
+-	vma->vm_pgoff -= grow;
+-	vma->vm_mm->total_vm += grow;
+-	if (vma->vm_flags & VM_LOCKED)
+-		vma->vm_mm->locked_vm += grow;
+ 	anon_vma_unlock(vma);
+-	return 0;
++	return error;
+ }
+ 
+ struct vm_area_struct *
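Review bot: acct_stack_growth() raises `mm->locked_vm` for a VM_LOCKED stack without any RLIMIT_MEMLOCK test, and the only record of why is the backporter's note in the dpatch header (2.6.8 is said not to apply RLIMIT_MEMLOCK to non-privileged processes), which nobody reading mm/mmap.c will see. Put the rationale next to the update, e.g. `/* No RLIMIT_MEMLOCK test: 2.6.8 does not apply it to unprivileged processes; upstream (2.6.11) checks it here -- revisit if unprivileged mlock is backported */`, so the deliberately omitted check stays visible when the later security patches this reorganization is meant to support are applied. Separately, in the grows-down hunk `grow = (vma->vm_start - address) >> PAGE_SHIFT` wraps to a huge value if `address` is no longer below `vma->vm_start` by the time the anon_vma lock is held, and `mm->total_vm + grow` can then wrap again past the RLIMIT_AS test in the new helper; no such recheck is visible in this hunk, though the start of that expand_stack() body lies outside it and 034-stack_resize_exploit.dpatch, ordered right after this patch in the series, may be what adds it. It is worth confirming that 034 was rebased onto the new helper and performs its recheck before acct_stack_growth() is called.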

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13	2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13	2005-01-23 21:06:30 UTC (rev 2379)
@@ -1,6 +1,7 @@
 + scsi-blacklist-2.dpatch
 - smbfs-overflow-fixes.dpatch
 + smbfs-overflow-fixes-2.dpatch
++ expand_stack_reorg.dpatch
 + 034-stack_resize_exploit.dpatch
 + 035-do_brk_security_fixes-2.dpatch
 + cmsg-compat-signedness-fix-fix.dpatch