[kernel] r9542 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Sep 25 04:33:53 UTC 2007


Author: dannf
Date: Tue Sep 25 04:33:52 2007
New Revision: 9542

Log:
* bugfix/prevent-stack-growth-into-hugetlb-region.patch
  [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
  into address space reserved for hugetlb pages.
  See CVE-2007-3739

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-stack-growth-into-hugetlb-region.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Sep 25 04:33:52 2007
@@ -5,8 +5,12 @@
     [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
     during ptrace single-step operations that can be used to trigger a
     NULL-pointer dereference causing an Oops.
+  * bugfix/prevent-stack-growth-into-hugetlb-region.patch
+    [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+    into address space reserved for hugetlb pages.
+    See CVE-2007-3739
 
- -- dann frazier <dannf at debian.org>  Thu, 20 Sep 2007 08:24:55 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 21 Sep 2007 10:36:12 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-stack-growth-into-hugetlb-region.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/prevent-stack-growth-into-hugetlb-region.patch	Tue Sep 25 04:33:52 2007
@@ -0,0 +1,47 @@
+From: Adam Litke <agl at us.ibm.com>
+Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
+Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
+X-Git-Tag: v2.6.20-rc7~10
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
+
+[PATCH] Don't allow the stack to grow into hugetlb reserved regions
+
+When expanding the stack, we don't currently check if the VMA will cross
+into an area of the address space that is reserved for hugetlb pages.
+Subsequent faults on the expanded portion of such a VMA will confuse the
+low-level MMU code, resulting in an OOPS.  Check for this.
+
+Signed-off-by: Adam Litke <agl at us.ibm.com>
+Cc: David Gibson <david at gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli at holomorphy.com>
+Cc: Hugh Dickins <hugh at veritas.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 9717337..cc3a208 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1477,6 +1477,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->signal->rlim;
++	unsigned long new_start;
+ 
+ 	/* address space limit tests */
+ 	if (!may_expand_vm(mm, grow))
+@@ -1496,6 +1497,12 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ 			return -ENOMEM;
+ 	}
+ 
++	/* Check to ensure the stack will not grow into a hugetlb-only region */
++	new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
++			vma->vm_end - size;
++	if (is_hugepage_only_range(vma->vm_mm, new_start, size))
++		return -EFAULT;
++
+ 	/*
+ 	 * Overcommit..  This must be the final test, as it will
+ 	 * update security statistics.
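Review bot: In the second mm/mmap.c hunk of the embedded patch, the new check passes vma->vm_mm to is_hugepage_only_range() although acct_stack_growth() already holds that pointer in the local mm declared at the top of the function and uses it in may_expand_vm(mm, grow); using mm here would be consistent. The check returns -EFAULT while the test immediately before it returns -ENOMEM, so the comment should say why a different errno was chosen, since callers that only expect -ENOMEM from this function will now see a second failure code. The comment could also state what size denotes: the range tested starts at vm_start for VM_GROWSUP and at vm_end - size otherwise, and runs for size bytes, which only covers the grown VMA correctly if size is its full new length rather than the growth increment.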

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch3	Tue Sep 25 04:33:52 2007
@@ -1,2 +1,3 @@
 + bugfix/ptrace-handle-bogus-selector.patch
 + bugfix/fixup-trace_irq-breakage.patch
++ bugfix/prevent-stack-growth-into-hugetlb-region.patch


