r2379 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Andres Salomon
dilinger-guest@costa.debian.org
Sun, 23 Jan 2005 22:06:31 +0100
Author: dilinger-guest
Date: 2005-01-23 22:06:30 +0100 (Sun, 23 Jan 2005)
New Revision: 2379
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
Log:
* expand_stack_reorg.dpatch
Clean up mm/mmap.c's expand_stack() function, backported from
2.6.11-rcX. Needed for future security patches (Andres Salomon).
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-01-23 21:06:30 UTC (rev 2379)
@@ -10,6 +10,10 @@
that actually works. Thanks to S?ren Hansen <sh@warma.dk> for finding
and submitting it. (Christoph Hellwig) (closes: #283241).
+ * expand_stack_reorg.dpatch
+ Clean up mm/mmap.c's expand_stack() function, backported from
+ 2.6.11-rcX. Needed for future security patches (Andres Salomon).
+
* [SECURITY] 034-stack_resize_exploit.dpatch
Fix exploitable race condition on SMP and HT systems where two
threads attempt to expand the stack at the same time. This is
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch 2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/expand_stack_reorg.dpatch 2005-01-23 21:06:30 UTC (rev 2379)
@@ -0,0 +1,172 @@
+#! /bin/sh -e
+## <PATCHNAME>.dpatch by <PATCH_AUTHOR@EMAI>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Clean up stack growth checks and move them into a common function.
+## DP: Patch author: torvalds@ppc970.osdl.org
+## DP: Upstream status: backported
+
+. $(dirname $0)/DPATCH
+
+@DPATCH@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/01/10 11:23:42-08:00 torvalds@ppc970.osdl.org
+# Clean up stack growth checks and move them into a common function.
+#
+# The grows-up and grows-down cases had all the same issues, but
+# differered in the details. Additionlly, historical evolution of
+# the tests had caused the result to be pretty unreadable with some
+# rather long and complex conditionals.
+#
+# Fix it all up in a more readable helper function.
+#
+# This also adds the missing RLIMIT_MEMLOCK test.
+#
+# mm/mmap.c
+# 2005/01/10 11:23:35-08:00 torvalds@ppc970.osdl.org +61 -44
+# Clean up stack growth checks and move them into a common function.
+#
+# The grows-up and grows-down cases had all the same issues, but
+# differered in the details. Additionlly, historical evolution of
+# the tests had caused the result to be pretty unreadable with some
+# rather long and complex conditionals.
+#
+# Fix it all up in a more readable helper function.
+#
+# This also adds the missing RLIMIT_MEMLOCK test.
+#
+#Note: since 2.6.8 doesn't use RLIMIT_MEMLOCK for non-privileged
+#processes, this doesn't include the RLIMIT_MEMLOCK test. Now
+#it's just the stack expansion reorganization. Backported by
+#Andres Salomon <dilinger@voxel.net>.
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2005-01-12 20:21:10 -08:00
++++ b/mm/mmap.c 2005-01-12 20:21:10 -08:00
+@@ -1335,13 +1335,46 @@
+ return prev ? prev->vm_next : vma;
+ }
+
++/*
++ * Verify that the stack growth is acceptable and
++ * update accounting. This is shared with both the
++ * grow-up and grow-down cases.
++ */
++static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, unsigned long grow)
++{
++ struct mm_struct *mm = vma->vm_mm;
++ struct rlimit *rlim = current->rlim;
++
++ /* address space limit tests */
++ if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
++ return -ENOMEM;
++
++ /* Stack limit test */
++ if (size > rlim[RLIMIT_STACK].rlim_cur)
++ return -ENOMEM;
++
++ /*
++ * Overcommit.. This must be the final test, as it will
++ * update security statistics.
++ */
++ if (security_vm_enough_memory(grow))
++ return -ENOMEM;
++
++ /* Ok, everything looks good - let it rip */
++ mm->total_vm += grow;
++ if (vma->vm_flags & VM_LOCKED)
++ mm->locked_vm += grow;
++ return 0;
++}
++
+ #ifdef CONFIG_STACK_GROWSUP
+ /*
+ * vma is the first one with address > vma->vm_end. Have to extend vma.
+ */
+ int expand_stack(struct vm_area_struct * vma, unsigned long address)
+ {
+- unsigned long grow;
++ int error;
++ unsigned long size, grow;
+
+ if (!(vma->vm_flags & VM_GROWSUP))
+ return -EFAULT;
+@@ -1361,27 +1394,14 @@
+ */
+ address += 4 + PAGE_SIZE - 1;
+ address &= PAGE_MASK;
++ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- /* Overcommit.. */
+- if (security_vm_enough_memory(grow)) {
+- anon_vma_unlock(vma);
+- return -ENOMEM;
+- }
+-
+- if (address - vma->vm_start > current->rlim[RLIMIT_STACK].rlim_cur ||
+- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+- current->rlim[RLIMIT_AS].rlim_cur) {
+- anon_vma_unlock(vma);
+- vm_unacct_memory(grow);
+- return -ENOMEM;
+- }
+- vma->vm_end = address;
+- vma->vm_mm->total_vm += grow;
+- if (vma->vm_flags & VM_LOCKED)
+- vma->vm_mm->locked_vm += grow;
++ error = acct_stack_growth(vma, size, grow);
++ if (!error)
++ vma->vm_end = address;
+ anon_vma_unlock(vma);
+- return 0;
++ return error;
+ }
+
+ struct vm_area_struct *
+@@ -1409,7 +1429,8 @@
+ */
+ int expand_stack(struct vm_area_struct *vma, unsigned long address)
+ {
+- unsigned long grow;
++ int error;
++ unsigned long size, grow;
+
+ /*
+ * We must make sure the anon_vma is allocated
+@@ -1425,28 +1446,16 @@
+ * anon_vma lock to serialize against concurrent expand_stacks.
+ */
+ address &= PAGE_MASK;
++ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- /* Overcommit.. */
+- if (security_vm_enough_memory(grow)) {
+- anon_vma_unlock(vma);
+- return -ENOMEM;
+- }
+-
+- if (vma->vm_end - address > current->rlim[RLIMIT_STACK].rlim_cur ||
+- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
+- current->rlim[RLIMIT_AS].rlim_cur) {
+- anon_vma_unlock(vma);
+- vm_unacct_memory(grow);
+- return -ENOMEM;
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
+ }
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
+- vma->vm_mm->total_vm += grow;
+- if (vma->vm_flags & VM_LOCKED)
+- vma->vm_mm->locked_vm += grow;
+ anon_vma_unlock(vma);
+- return 0;
++ return error;
+ }
+
+ struct vm_area_struct *
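Review bot: acct_stack_growth still bumps `mm->locked_vm` for a VM_LOCKED vma (the `if (vma->vm_flags & VM_LOCKED)` branch after `mm->total_vm += grow;`) without any RLIMIT_MEMLOCK check, and the reason is recorded only in the dpatch header ("2.6.8 doesn't use RLIMIT_MEMLOCK for non-privileged processes"), not in the code a later security patch will edit. Since the log says this reorganisation exists to host future security patches, I would put the rationale where it will be seen: above the locked_vm update, `/* Upstream also tests RLIMIT_MEMLOCK here; dropped in this 2.6.8 backport because the kernel does not enforce it for unprivileged processes. */`. The ordering comment on the overcommit test is correct and worth keeping as is, because the old code's `vm_unacct_memory(grow)` unwind path is gone and relies on `security_vm_enough_memory()` being the final check. The two expand_stack() bodies are split across the inner hunks of the embedded patch, so the callers' lock handling is only partly visible here.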
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13 2005-01-23 18:39:36 UTC (rev 2378)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-13 2005-01-23 21:06:30 UTC (rev 2379)
@@ -1,6 +1,7 @@
+ scsi-blacklist-2.dpatch
- smbfs-overflow-fixes.dpatch
+ smbfs-overflow-fixes-2.dpatch
++ expand_stack_reorg.dpatch
+ 034-stack_resize_exploit.dpatch
+ 035-do_brk_security_fixes-2.dpatch
+ cmsg-compat-signedness-fix-fix.dpatch