[kernel] r9983 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

[Maximilian Attems]

Author: maks
Date: Wed Dec 19 17:23:18 2007
New Revision: 9983

Log:
security: protect from stack expantion into low vm addresses

not yet cve assigned it seems..


Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/security-expand_stack.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/2

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Wed Dec 19 17:23:18 2007
@@ -85,6 +85,7 @@
   * Add stable release 2.6.23.12:
     - Revert "PNP: increase the maximum number of resources"
   * VM/Security: add security hook to do_brk (CVE-2007-6434)
+  * security: protect from stack expantion into low vm addresses
   * [hppa]: Disable OCFS2, due build trouble.
 
   [ Martin Michlmayr ]
@@ -97,7 +98,7 @@
     platform.
   * Add em28xx-dv100.patch to add support for Pinnacle Dazzle DVC 100.
 
- -- maximilian attems <maks at debian.org>  Wed, 19 Dec 2007 14:07:18 +0100
+ -- maximilian attems <maks at debian.org>  Wed, 19 Dec 2007 18:20:24 +0100
 
 linux-2.6 (2.6.23-1) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/security-expand_stack.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/security-expand_stack.patch	Wed Dec 19 17:23:18 2007
@@ -0,0 +1,38 @@
+commit 8869477a49c3e99def1fcdadd6bbc407fea14b45
+Author: Eric Paris <eparis at redhat.com>
+Date:   Mon Nov 26 18:47:26 2007 -0500
+
+    security: protect from stack expantion into low vm addresses
+    
+    Add security checks to make sure we are not attempting to expand the
+    stack into memory protected by mmap_min_addr
+    
+    Signed-off-by: Eric Paris <eparis at redhat.com>
+    Signed-off-by: James Morris <jmorris at namei.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index facc1a7..938313c 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1615,6 +1615,12 @@ static inline int expand_downwards(struct vm_area_struct *vma,
+ 	 */
+ 	if (unlikely(anon_vma_prepare(vma)))
+ 		return -ENOMEM;
++
++	address &= PAGE_MASK;
++	error = security_file_mmap(0, 0, 0, 0, address, 1);
++	if (error)
++		return error;
++
+ 	anon_vma_lock(vma);
+ 
+ 	/*
+@@ -1622,8 +1628,6 @@ static inline int expand_downwards(struct vm_area_struct *vma,
+ 	 * is required to hold the mmap_sem in read mode.  We need the
+ 	 * anon_vma lock to serialize against concurrent expand_stacks.
+ 	 */
+-	address &= PAGE_MASK;
+-	error = 0;
+ 
+ 	/* Somebody else might have raced and expanded it already */
+ 	if (address < vma->vm_start) {

Modified: dists/sid/linux-2.6/debian/patches/series/2
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/2	(original)
+++ dists/sid/linux-2.6/debian/patches/series/2	Wed Dec 19 17:23:18 2007
@@ -7,3 +7,4 @@
 + features/all/em28xx-dv100.patch
 + bugfix/all/2.6.23.12
 + bugfix/all/security-do_brk.patch
++ bugfix/all/security-expand_stack.patch