[kernel] r10535 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed Feb 13 22:19:21 UTC 2008


Author: dannf
Date: Wed Feb 13 22:19:19 2008
New Revision: 10535

Log:
* hugetlb-prio_tree-unit-fix.dpatch
  [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
  which could be used to trigger a BUG_ON() call in exit_mmap.
  See CVE-2007-4133

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed Feb 13 22:19:19 2008
@@ -48,8 +48,12 @@
   * bugfix/cifs-honor-umask.dpatch
     [SECURITY] Make CIFS honor a process' umask
     See CVE-2007-3740
+  * hugetlb-prio_tree-unit-fix.dpatch
+    [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
+    which could be used to trigger a BUG_ON() call in exit_mmap.
+    See CVE-2007-4133
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 14:12:35 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 15:18:17 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 
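Review bot: the new changelog entry names only the CVE, while the dpatch header itself records the upstream commit (856fc29505556cf263f3dcda2533cf3766c14ab6, tagged v2.6.19-rc4); putting that commit id in the entry would let anyone auditing the sarge kernel tie the backport to its upstream fix without opening the patch file. Also check the naming convention: the preceding entry lists its patch as bugfix/cifs-honor-umask.dpatch, whereas this one is added directly under debian/patches/ with no bugfix/ component, so one of the two entries does not reflect where its file actually lives.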

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch	Wed Feb 13 22:19:19 2008
@@ -0,0 +1,88 @@
+From: Hugh Dickins <hugh at veritas.com>
+Date: Sat, 28 Oct 2006 17:38:43 +0000 (-0700)
+Subject: [PATCH] hugetlb: fix prio_tree unit
+X-Git-Tag: v2.6.19-rc4~50
+X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=856fc29505556cf263f3dcda2533cf3766c14ab6
+
+[PATCH] hugetlb: fix prio_tree unit
+
+hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in
+units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas
+its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be
+absurdly sparse).
+
+At first I thought the error benign, just calling __unmap_hugepage_range on
+more vmas than necessary; but on 32-bit machines, when the prio_tree is
+searched correctly, it happens to ensure the v_offset calculation won't
+overflow.  As it stood, when truncating at or beyond 4GB, it was liable to
+discard pages COWed from lower offsets; or even to clear pmd entries of
+preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes).
+
+Signed-off-by: Hugh Dickins <hugh at veritas.com>
+Cc: Adam Litke <agl at us.ibm.com>
+Cc: David Gibson <david at gibson.dropbear.id.au>
+Cc: "Chen, Kenneth W" <kenneth.w.chen at intel.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at hp.com>
+
+diff -urpN kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c kernel-source-2.6.8/fs/hugetlbfs/inode.c
+--- kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c	2004-08-13 23:37:40.000000000 -0600
++++ kernel-source-2.6.8/fs/hugetlbfs/inode.c	2008-02-13 14:54:51.000000000 -0700
+@@ -265,28 +265,26 @@ static void hugetlbfs_drop_inode(struct 
+ 		hugetlbfs_forget_inode(inode);
+ }
+ 
+-/*
+- * h_pgoff is in HPAGE_SIZE units.
+- * vma->vm_pgoff is in PAGE_SIZE units.
+- */
+ static inline void
+-hugetlb_vmtruncate_list(struct prio_tree_root *root, unsigned long h_pgoff)
++hugetlb_vmtruncate_list(struct prio_tree_root *root, pgoff_t pgoff)
+ {
+ 	struct vm_area_struct *vma = NULL;
+ 	struct prio_tree_iter iter;
+ 
+ 	while ((vma = vma_prio_tree_next(vma, root, &iter,
+-					h_pgoff, ULONG_MAX)) != NULL) {
+-		unsigned long h_vm_pgoff;
++					pgoff, ULONG_MAX)) != NULL) {
+ 		unsigned long v_length;
+ 		unsigned long v_offset;
+ 
+-		h_vm_pgoff = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT);
+-		v_offset = (h_pgoff - h_vm_pgoff) << HPAGE_SHIFT;
+ 		/*
+-		 * Is this VMA fully outside the truncation point?
++		 * Can the expression below overflow on 32-bit arches?
++		 * No, because the prio_tree returns us only those vmas
++		 * which overlap the truncated area starting at pgoff,
++		 * and no vma on a 32-bit arch can span beyond the 4GB.
+ 		 */
+-		if (h_vm_pgoff >= h_pgoff)
++		if (vma->vm_pgoff < pgoff)
++			v_offset = (pgoff - vma->vm_pgoff) << PAGE_SHIFT;
++		else
+ 			v_offset = 0;
+ 
+ 		v_length = vma->vm_end - vma->vm_start;
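Review bot: the removed comment at the top of this hunk was the only place that stated which unit the index argument is in, and the replacement comment documents only the overflow argument; since the commit message says the inode's radix_tree stays in HPAGE_SIZE units while the prio_tree is in PAGE_SIZE units, a one-line note above the function such as `/* pgoff is in PAGE_SIZE units, like the prio_tree and vma->vm_pgoff */` would stop the next reader from reintroducing the HPAGE_SHIFT conversion. The overflow reasoning in the new comment does hold for the code as shown: v_offset is nonzero only when vma->vm_pgoff < pgoff, and a vma the tree returns for the range starting at pgoff must extend past pgoff, so (pgoff - vma->vm_pgoff) << PAGE_SHIFT is smaller than the vma's byte length and cannot wrap an unsigned long. v_offset remains a byte offset as before (a hugepage count shifted by HPAGE_SHIFT and a page count shifted by PAGE_SHIFT both yield bytes), so the consumer below this hunk, which the diff does not show, needs no unit change. Since the parameter type changes from unsigned long to pgoff_t, confirm that typedef exists in this 2.6.8 tree (include/linux/types.h) before building.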
+@@ -302,14 +300,14 @@ hugetlb_vmtruncate_list(struct prio_tree
+  */
+ static int hugetlb_vmtruncate(struct inode *inode, loff_t offset)
+ {
+-	unsigned long pgoff;
++	pgoff_t pgoff;
+ 	struct address_space *mapping = inode->i_mapping;
+ 
+ 	if (offset > inode->i_size)
+ 		return -EINVAL;
+ 
+ 	BUG_ON(offset & ~HPAGE_MASK);
+-	pgoff = offset >> HPAGE_SHIFT;
++	pgoff = offset >> PAGE_SHIFT;
+ 
+ 	inode->i_size = offset;
+ 	spin_lock(&mapping->i_mmap_lock);
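Review bot: `pgoff = offset >> PAGE_SHIFT` narrows a 64-bit loff_t into pgoff_t, and on 32-bit that drops bits for offsets of 2^44 bytes and above, where the old `>> HPAGE_SHIFT` still had headroom; it is only safe because the `offset > inode->i_size` check just above has already rejected anything beyond the file size, so confirm that hugetlbfs caps i_size (s_maxbytes) below that range on 32-bit. The BUG_ON(offset & ~HPAGE_MASK) kept above it still guarantees the new pgoff is a multiple of HPAGE_SIZE/PAGE_SIZE, so the truncation point stays huge-page aligned in the new unit.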

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Wed Feb 13 22:19:19 2008
@@ -13,3 +13,4 @@
 + isdn-net-overflow.dpatch
 + prevent-stack-growth-into-hugetlb-region.dpatch
 + cifs-honor-umask.dpatch
++ hugetlb-prio_tree-unit-fix.dpatch
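Review bot: the patch is appended after prevent-stack-growth-into-hugetlb-region.dpatch, but its file header diffs against kernel-source-2.6.8.orig, i.e. pristine source rather than the tree as it stands after the earlier series entries; if that earlier hugetlb patch touches fs/hugetlbfs/inode.c the context lines of these two hunks may no longer match, so confirm the dpatch applies without fuzz in series order, not only against .orig.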
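The upstream description above explains the bug in words: the prio_tree was searched with an HPAGE_SIZE index although it is keyed in PAGE_SIZE units, and on 32-bit the `(h_pgoff - h_vm_pgoff) << HPAGE_SHIFT` product could wrap. The following program is an added example, not code from the Debian package or from Hugh Dickins's commit; it models the v_offset computation of hugetlb_vmtruncate_list before and after the fix using uint32_t in place of a 32-bit unsigned long. It assumes i386 without PAE (PAGE_SHIFT 12, HPAGE_SHIFT 22), replaces the prio_tree with a plain overlap test, and uses three constructed mappings with arbitrary addresses. It stops at v_offset because the code that consumes it lies outside the hunks shown.

```c
/*
 * Added example: v_offset in hugetlb_vmtruncate_list, misconverted vs fixed,
 * with 32-bit unsigned arithmetic (uint32_t stands in for unsigned long).
 * Assumptions (not from the page): i386 without PAE, PAGE_SHIFT 12,
 * HPAGE_SHIFT 22, and a prio_tree reduced to an overlap test.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT  12
#define HPAGE_SHIFT 22
#define MB (1024u * 1024u)
#define GB (1024ull * MB)

struct vma {
	uint32_t vm_start, vm_end; /* user addresses, 32-bit */
	uint32_t vm_pgoff;         /* file offset in PAGE_SIZE units, as in the kernel */
};

/* Stand-in for vma_prio_tree_next(vma, root, &iter, start, ULONG_MAX):
 * the tree is keyed in PAGE_SIZE units, so a vma comes back iff its last
 * page index is >= start, whatever unit the caller believed start was in. */
static int prio_tree_returns(const struct vma *vma, uint32_t start)
{
	uint64_t pages = (uint64_t)(vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
	return (uint64_t)vma->vm_pgoff + pages > start;
}

/* Misconverted version: HPAGE_SIZE index into a PAGE_SIZE tree, and a
 * hugepage count shifted by HPAGE_SHIFT.  Returns -1 when the vma is not
 * visited, else the 32-bit v_offset the loop would go on to use. */
static int64_t old_v_offset(const struct vma *vma, uint64_t offset)
{
	uint32_t h_pgoff = (uint32_t)(offset >> HPAGE_SHIFT);
	uint32_t h_vm_pgoff, v_offset;

	if (!prio_tree_returns(vma, h_pgoff))
		return -1;
	h_vm_pgoff = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT);
	v_offset = (uint32_t)((h_pgoff - h_vm_pgoff) << HPAGE_SHIFT); /* wraps at 4GB */
	if (h_vm_pgoff >= h_pgoff)
		v_offset = 0;
	return v_offset;
}

/* Fixed version: index and shift both in PAGE_SIZE units. */
static int64_t new_v_offset(const struct vma *vma, uint64_t offset)
{
	uint32_t pgoff = (uint32_t)(offset >> PAGE_SHIFT);

	if (!prio_tree_returns(vma, pgoff))
		return -1;
	if (vma->vm_pgoff < pgoff)
		return (uint32_t)((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
	return 0;
}

/* Constructed mappings; addresses are arbitrary. */
static const struct vma vma_at_8mb =
	{ 0x40000000u, 0x40000000u + 4u * MB, (uint32_t)((8u * MB) >> PAGE_SHIFT) };
static const struct vma vma_at_4gb =
	{ 0x50000000u, 0x50000000u + 4u * MB, (uint32_t)((4 * GB) >> PAGE_SHIFT) };
static const struct vma vma_across_4gb =
	{ 0x60000000u, 0x60000000u + 8u * MB, (uint32_t)((4 * GB - 4u * MB) >> PAGE_SHIFT) };

static void show(const char *name, const struct vma *vma, uint64_t offset)
{
	uint32_t v_length = vma->vm_end - vma->vm_start;
	int64_t o = old_v_offset(vma, offset), n = new_v_offset(vma, offset);

	printf("truncate at %lluGB, %s (len %uMB):\n",
	       (unsigned long long)(offset >> 30), name, v_length / MB);
	if (o < 0)
		printf("  old: skipped\n");
	else
		printf("  old: v_offset=0x%08llx%s\n", (unsigned long long)o,
		       (uint64_t)o >= v_length ? " (at or beyond the end of the vma)" : "");
	if (n < 0)
		printf("  new: skipped\n");
	else
		printf("  new: v_offset=0x%08llx\n", (unsigned long long)n);
}

int main(void)
{
	/* Below the cut, but visited anyway: v_offset lands past the vma. */
	show("vma at 8MB", &vma_at_8mb, 4 * GB);
	/* Below the cut, visited, and the shift wraps to 0: whole vma zapped. */
	show("vma at 4GB", &vma_at_4gb, 8 * GB);
	/* Straddles the cut: both versions agree, which is why the bug hid. */
	show("vma across 4GB", &vma_across_4gb, 4 * GB);
	return 0;
}
```

The second case is the one the commit message describes as discarding pages COWed from lower offsets: a mapping entirely below an 8GB truncation point is visited because 2048 (8GB in hugepages) is a tiny index in a page-keyed tree, and 1024 << 22 wraps to exactly 0, so the whole mapping is treated as starting at the cut. The fixed version never visits either of the two mappings that lie below the cut.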


