[kernel] r10532 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed Feb 13 21:02:37 UTC 2008 

Author: dannf
Date: Wed Feb 13 21:02:36 2008
New Revision: 10532

Log:
* [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
  into address space reserved for hugetlb pages.
  See CVE-2007-3739

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed Feb 13 21:02:36 2008
@@ -41,8 +41,11 @@
   * isdn-net-overflow.dpatch
     [SECURITY] Fix potential overflows in the ISDN subsystem
     See CVE-2007-6063
+  * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+    into address space reserved for hugetlb pages.
+    See CVE-2007-3739
 
- -- dann frazier <dannf at debian.org>  Fri, 08 Feb 2008 17:28:08 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 14:01:28 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch	Wed Feb 13 21:02:36 2008
@@ -0,0 +1,48 @@
+From: Adam Litke <agl at us.ibm.com>
+Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
+Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
+X-Git-Tag: v2.6.20-rc7~10
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
+
+[PATCH] Don't allow the stack to grow into hugetlb reserved regions
+
+When expanding the stack, we don't currently check if the VMA will cross
+into an area of the address space that is reserved for hugetlb pages.
+Subsequent faults on the expanded portion of such a VMA will confuse the
+low-level MMU code, resulting in an OOPS.  Check for this.
+
+Signed-off-by: Adam Litke <agl at us.ibm.com>
+Cc: David Gibson <david at gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli at holomorphy.com>
+Cc: Hugh Dickins <hugh at veritas.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at hp.com>
+
+diff -urpN kernel-source-2.6.8.orig/mm/mmap.c kernel-source-2.6.8/mm/mmap.c
+--- kernel-source-2.6.8.orig/mm/mmap.c	2007-05-26 02:54:40.000000000 -0600
++++ kernel-source-2.6.8/mm/mmap.c	2008-02-13 13:57:29.000000000 -0700
+@@ -1203,6 +1203,7 @@ static int acct_stack_growth(struct vm_a
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->rlim;
++	unsigned long new_start;
+ 
+ 	/* address space limit tests */
+ 	if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
+@@ -1212,6 +1213,12 @@ static int acct_stack_growth(struct vm_a
+ 	if (size > rlim[RLIMIT_STACK].rlim_cur)
+ 		return -ENOMEM;
+ 
++	/* Check to ensure the stack will not grow into a hugetlb-only region */
++	new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
++			vma->vm_end - size;
++	if (is_hugepage_only_range(vma->vm_mm, new_start, size))
++		return -EFAULT;
++
+ 	/*
+ 	 * Overcommit..  This must be the final test, as it will
+ 	 * update security statistics.

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Wed Feb 13 21:02:36 2008
@@ -11,3 +11,4 @@
 + ext2-skip-pages-past-num-blocks.dpatch
 + minixfs-printk-hang.dpatch
 + isdn-net-overflow.dpatch
++ prevent-stack-growth-into-hugetlb-region.dpatch

More information about the Kernel-svn-changes mailing list