[kernel] r12370 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/features/all/vserver patches/features/all/xen patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 5 06:52:26 UTC 2008
Author: dannf
Date: Wed Nov 5 06:52:21 2008
New Revision: 12370
Log:
CVE-2008-3527
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/add-install_special_mapping.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/i386-vdso-use_install_special_mapping.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
dists/etch-security/linux-2.6/debian/patches/features/all/xen/vdso-use_install_special_mapping.patch
dists/etch-security/linux-2.6/debian/patches/series/23etch1
dists/etch-security/linux-2.6/debian/patches/series/23etch1-extra
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
dists/etch-security/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch
dists/etch-security/linux-2.6/debian/patches/features/all/xen/vserver-update.patch
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Nov 5 06:52:21 2008
@@ -1,3 +1,19 @@
+linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
+
+ * Fix missing boundary checks in syscall/syscall32_nopage():
+ - bugfix/add-install_special_mapping.patch
+ - bugfix/i386-vdso-use_install_special_mapping.patch
+ - bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
+ - features/all/xen/vdso-use_install_special_mapping.patch
+ See CVE-2008-3527
+ * Modify feature patches to apply on top of the fixes for
+ CVE-2008-3527:
+ - features/all/vserver/vs2.0.2.2-rc9.patch
+ - features/all/xen/fedora-2.6.18-36186.patch
+ - features/all/xen/vserver-update.patch
+
+ -- dann frazier <dannf at debian.org> Tue, 04 Nov 2008 01:55:40 -0700
+
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
[ Ian Campbell ]
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/add-install_special_mapping.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/add-install_special_mapping.patch Wed Nov 5 06:52:21 2008
@@ -0,0 +1,113 @@
+commit fa5dc22f8586cc3742413dd05f5cd9e039dfab9e
+Author: Roland McGrath <roland at redhat.com>
+Date: Thu Feb 8 14:20:41 2007 -0800
+
+ [PATCH] Add install_special_mapping
+
+ This patch adds a utility function install_special_mapping, for creating a
+ special vma using a fixed set of preallocated pages as backing, such as for a
+ vDSO. This consolidates some nearly identical code used for vDSO mapping
+ reimplemented for different architectures.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Cc: Ingo Molnar <mingo at elte.hu>
+ Cc: Paul Mackerras <paulus at samba.org>
+ Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+ Cc: Andi Kleen <ak at suse.de>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/include/linux/mm.h linux-source-2.6.18/include/linux/mm.h
+--- linux-source-2.6.18.orig/include/linux/mm.h 2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/include/linux/mm.h 2008-11-03 14:29:19.000000000 -0700
+@@ -929,6 +929,9 @@ extern struct vm_area_struct *copy_vma(s
+ unsigned long addr, unsigned long len, pgoff_t pgoff);
+ extern void exit_mmap(struct mm_struct *);
+ extern int may_expand_vm(struct mm_struct *mm, unsigned long npages);
++extern int install_special_mapping(struct mm_struct *mm,
++ unsigned long addr, unsigned long len,
++ unsigned long flags, struct page **pages);
+
+ extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
+
+diff -urpN linux-source-2.6.18.orig/mm/mmap.c linux-source-2.6.18/mm/mmap.c
+--- linux-source-2.6.18.orig/mm/mmap.c 2008-10-13 09:28:33.000000000 -0600
++++ linux-source-2.6.18/mm/mmap.c 2008-11-03 14:29:19.000000000 -0700
+@@ -2094,3 +2094,75 @@ int may_expand_vm(struct mm_struct *mm,
+ return 0;
+ return 1;
+ }
++
++
++static struct page *special_mapping_nopage(struct vm_area_struct *vma,
++ unsigned long address, int *type)
++{
++ struct page **pages;
++
++ BUG_ON(address < vma->vm_start || address >= vma->vm_end);
++
++ address -= vma->vm_start;
++ for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
++ address -= PAGE_SIZE;
++
++ if (*pages) {
++ struct page *page = *pages;
++ get_page(page);
++ return page;
++ }
++
++ return NOPAGE_SIGBUS;
++}
++
++/*
++ * Having a close hook prevents vma merging regardless of flags.
++ */
++static void special_mapping_close(struct vm_area_struct *vma)
++{
++}
++
++static struct vm_operations_struct special_mapping_vmops = {
++ .close = special_mapping_close,
++ .nopage = special_mapping_nopage,
++};
++
++/*
++ * Called with mm->mmap_sem held for writing.
++ * Insert a new vma covering the given region, with the given flags.
++ * Its pages are supplied by the given array of struct page *.
++ * The array can be shorter than len >> PAGE_SHIFT if it's null-terminated.
++ * The region past the last page supplied will always produce SIGBUS.
++ * The array pointer and the pages it points to are assumed to stay alive
++ * for as long as this mapping might exist.
++ */
++int install_special_mapping(struct mm_struct *mm,
++ unsigned long addr, unsigned long len,
++ unsigned long vm_flags, struct page **pages)
++{
++ struct vm_area_struct *vma;
++
++ vma = kmem_cache_zalloc(vm_area_cachep, SLAB_KERNEL);
++ if (unlikely(vma == NULL))
++ return -ENOMEM;
++
++ vma->vm_mm = mm;
++ vma->vm_start = addr;
++ vma->vm_end = addr + len;
++
++ vma->vm_flags = vm_flags | mm->def_flags;
++ vma->vm_page_prot = protection_map[vma->vm_flags & 7];
++
++ vma->vm_ops = &special_mapping_vmops;
++ vma->vm_private_data = pages;
++
++ if (unlikely(insert_vm_struct(mm, vma))) {
++ kmem_cache_free(vm_area_cachep, vma);
++ return -ENOMEM;
++ }
++
++ mm->total_vm += len >> PAGE_SHIFT;
++
++ return 0;
++}
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/i386-vdso-use_install_special_mapping.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/i386-vdso-use_install_special_mapping.patch Wed Nov 5 06:52:21 2008
@@ -0,0 +1,109 @@
+commit 7d91d531900bfa1165d445390b3b13a8013f98f7
+Author: Roland McGrath <roland at redhat.com>
+Date: Thu Feb 8 14:20:42 2007 -0800
+
+ [PATCH] i386 vDSO: use install_special_mapping
+
+ This patch uses install_special_mapping for the i386 vDSO setup, consolidating
+ duplicated code.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Cc: Ingo Molnar <mingo at elte.hu>
+ Cc: Paul Mackerras <paulus at samba.org>
+ Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+ Cc: Andi Kleen <ak at suse.de>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/sysenter.c linux-source-2.6.18/arch/i386/kernel/sysenter.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/sysenter.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/sysenter.c 2008-11-03 16:02:53.000000000 -0700
+@@ -66,11 +66,12 @@ void enable_sep_cpu(void)
+ */
+ extern const char vsyscall_int80_start, vsyscall_int80_end;
+ extern const char vsyscall_sysenter_start, vsyscall_sysenter_end;
+-static void *syscall_page;
++static struct page *syscall_pages[1];
+
+ int __init sysenter_setup(void)
+ {
+- syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
++ void *syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
++ syscall_pages[0] = virt_to_page(syscall_page);
+
+ #ifdef CONFIG_COMPAT_VDSO
+ __set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY);
+@@ -96,31 +97,12 @@ int __init sysenter_setup(void)
+ return 0;
+ }
+
+-static struct page *syscall_nopage(struct vm_area_struct *vma,
+- unsigned long adr, int *type)
+-{
+- struct page *p = virt_to_page(adr - vma->vm_start + syscall_page);
+- get_page(p);
+- return p;
+-}
+-
+-/* Prevent VMA merging */
+-static void syscall_vma_close(struct vm_area_struct *vma)
+-{
+-}
+-
+-static struct vm_operations_struct syscall_vm_ops = {
+- .close = syscall_vma_close,
+- .nopage = syscall_nopage,
+-};
+-
+ /* Defined in vsyscall-sysenter.S */
+ extern void SYSENTER_RETURN;
+
+ /* Setup a VMA at program startup for the vsyscall page */
+ int arch_setup_additional_pages(struct linux_binprm *bprm, int exstack)
+ {
+- struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
+ unsigned long addr;
+ int ret;
+@@ -132,31 +114,19 @@ int arch_setup_additional_pages(struct l
+ goto up_fail;
+ }
+
+- vma = kmem_cache_zalloc(vm_area_cachep, SLAB_KERNEL);
+- if (!vma) {
+- ret = -ENOMEM;
+- goto up_fail;
+- }
+-
+- vma->vm_start = addr;
+- vma->vm_end = addr + PAGE_SIZE;
+- /* MAYWRITE to allow gdb to COW and set breakpoints */
+- vma->vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC|VM_MAYWRITE;
+- vma->vm_flags |= mm->def_flags;
+- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
+- vma->vm_ops = &syscall_vm_ops;
+- vma->vm_mm = mm;
+-
+- ret = insert_vm_struct(mm, vma);
+- if (unlikely(ret)) {
+- kmem_cache_free(vm_area_cachep, vma);
++ /*
++ * MAYWRITE to allow gdb to COW and set breakpoints
++ */
++ ret = install_special_mapping(mm, addr, PAGE_SIZE,
++ VM_READ|VM_EXEC|
++ VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ syscall_pages);
++ if (ret)
+ goto up_fail;
+- }
+
+ current->mm->context.vdso = (void *)addr;
+ current_thread_info()->sysenter_return =
+ (void *)VDSO_SYM(&SYSENTER_RETURN);
+- mm->total_vm++;
+ up_fail:
+ up_write(&mm->mmap_sem);
+ return ret;
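Review bot: In `sysenter_setup` the result of `get_zeroed_page(GFP_ATOMIC)` goes straight into `virt_to_page` with no failure check, so a failed allocation would leave a bogus `struct page *` in `syscall_pages[0]` for the fault handler to hand out later. The x86_64 `init_syscall32` in this commit checks the pointer first; doing the same here, for example `if (!syscall_page) return -ENOMEM;` ahead of the `virt_to_page` line, leaves the slot NULL instead. The rest of `sysenter_setup` lies outside the hunk, so any later use of `syscall_page` there would need the same guard.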
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch Wed Nov 5 06:52:21 2008
@@ -0,0 +1,114 @@
+commit dc5882b20a69fb16219cc61ae3d21d73dd6360a7
+Author: Roland McGrath <roland at redhat.com>
+Date: Thu Feb 8 14:20:43 2007 -0800
+
+ [PATCH] x86_64 ia32 vDSO: use install_special_mapping
+
+ This patch uses install_special_mapping for the ia32 vDSO setup, consolidating
+ duplicated code.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Cc: Ingo Molnar <mingo at elte.hu>
+ Cc: Paul Mackerras <paulus at samba.org>
+ Cc: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+ Cc: Andi Kleen <ak at suse.de>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/ia32/syscall32.c linux-source-2.6.18/arch/x86_64/ia32/syscall32.c
+--- linux-source-2.6.18.orig/arch/x86_64/ia32/syscall32.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/ia32/syscall32.c 2008-11-03 16:28:06.000000000 -0700
+@@ -18,68 +18,36 @@ extern unsigned char syscall32_syscall[]
+ extern unsigned char syscall32_sysenter[], syscall32_sysenter_end[];
+ extern int sysctl_vsyscall32;
+
+-char *syscall32_page;
++static struct page *syscall32_pages[1];
+ static int use_sysenter = -1;
+
+-static struct page *
+-syscall32_nopage(struct vm_area_struct *vma, unsigned long adr, int *type)
+-{
+- struct page *p = virt_to_page(adr - vma->vm_start + syscall32_page);
+- get_page(p);
+- return p;
+-}
+-
+-/* Prevent VMA merging */
+-static void syscall32_vma_close(struct vm_area_struct *vma)
+-{
+-}
+-
+-static struct vm_operations_struct syscall32_vm_ops = {
+- .close = syscall32_vma_close,
+- .nopage = syscall32_nopage,
+-};
+-
+ struct linux_binprm;
+
+ /* Setup a VMA at program startup for the vsyscall page */
+ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
+ {
+- int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
+- struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
+ int ret;
+
+- vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
+- if (!vma)
+- return -ENOMEM;
+-
+- memset(vma, 0, sizeof(struct vm_area_struct));
+- /* Could randomize here */
+- vma->vm_start = VSYSCALL32_BASE;
+- vma->vm_end = VSYSCALL32_END;
+- /* MAYWRITE to allow gdb to COW and set breakpoints */
+- vma->vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC|VM_MAYWRITE;
+- vma->vm_flags |= mm->def_flags;
+- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
+- vma->vm_ops = &syscall32_vm_ops;
+- vma->vm_mm = mm;
+-
+ down_write(&mm->mmap_sem);
+- if ((ret = insert_vm_struct(mm, vma))) {
+- up_write(&mm->mmap_sem);
+- kmem_cache_free(vm_area_cachep, vma);
+- return ret;
+- }
+- mm->total_vm += npages;
++ /*
++ * MAYWRITE to allow gdb to COW and set breakpoints
++ */
++ /* Could randomize here */
++ ret = install_special_mapping(mm, VSYSCALL32_BASE, PAGE_SIZE,
++ VM_READ|VM_EXEC|
++ VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ syscall32_pages);
+ up_write(&mm->mmap_sem);
+- return 0;
++ return ret;
+ }
+
+ static int __init init_syscall32(void)
+ {
+- syscall32_page = (void *)get_zeroed_page(GFP_KERNEL);
++ char *syscall32_page = (void *)get_zeroed_page(GFP_KERNEL);
+ if (!syscall32_page)
+ panic("Cannot allocate syscall32 page");
++ syscall32_pages[0] = virt_to_page(syscall32_page);
+ if (use_sysenter > 0) {
+ memcpy(syscall32_page, syscall32_sysenter,
+ syscall32_sysenter_end - syscall32_sysenter);
+diff -urpN linux-source-2.6.18.orig/include/asm-x86_64/proto.h linux-source-2.6.18/include/asm-x86_64/proto.h
+--- linux-source-2.6.18.orig/include/asm-x86_64/proto.h 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/asm-x86_64/proto.h 2008-11-03 16:24:42.000000000 -0700
+@@ -86,7 +86,6 @@ extern void swap_low_mappings(void);
+ extern void __show_regs(struct pt_regs * regs);
+ extern void show_regs(struct pt_regs * regs);
+
+-extern char *syscall32_page;
+ extern void syscall32_cpu_init(void);
+
+ extern void setup_node_bootmem(int nodeid, unsigned long start, unsigned long end);
Modified: dists/etch-security/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch (original)
+++ dists/etch-security/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch Wed Nov 5 06:52:21 2008
@@ -378,25 +378,6 @@
.long sys_mbind
.long sys_get_mempolicy
.long sys_set_mempolicy
---- linux-2.6.18.5/arch/i386/kernel/sysenter.c 2006-09-20 16:57:58 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/i386/kernel/sysenter.c 2006-09-20 21:46:26 +0200
-@@ -17,6 +17,7 @@
- #include <linux/elf.h>
- #include <linux/mm.h>
- #include <linux/module.h>
-+#include <linux/vs_memory.h>
-
- #include <asm/cpufeature.h>
- #include <asm/msr.h>
-@@ -156,7 +157,7 @@ int arch_setup_additional_pages(struct l
- current->mm->context.vdso = (void *)addr;
- current_thread_info()->sysenter_return =
- (void *)VDSO_SYM(&SYSENTER_RETURN);
-- mm->total_vm++;
-+ vx_vmpages_inc(mm);
- up_fail:
- up_write(&mm->mmap_sem);
- return ret;
--- linux-2.6.18.5/arch/i386/kernel/traps.c 2006-09-20 16:57:58 +0200
+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/i386/kernel/traps.c 2006-09-20 20:10:14 +0200
@@ -53,6 +53,7 @@
@@ -1633,25 +1614,6 @@
up_read(&uts_sem);
if (personality(current->personality) == PER_LINUX32)
err |= copy_to_user(&name->machine, "i686", 5);
---- linux-2.6.18.5/arch/x86_64/ia32/syscall32.c 2005-10-28 20:49:18 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/x86_64/ia32/syscall32.c 2006-09-20 17:01:44 +0200
-@@ -10,6 +10,7 @@
- #include <linux/init.h>
- #include <linux/stringify.h>
- #include <linux/security.h>
-+#include <linux/vs_memory.h>
- #include <asm/proto.h>
- #include <asm/tlbflush.h>
- #include <asm/ia32_unistd.h>
-@@ -70,7 +71,7 @@ int syscall32_setup_pages(struct linux_b
- kmem_cache_free(vm_area_cachep, vma);
- return ret;
- }
-- mm->total_vm += npages;
-+ vx_vmpages_add(mm, npages);
- up_write(&mm->mmap_sem);
- return 0;
- }
--- linux-2.6.18.5/arch/x86_64/kernel/sys_x86_64.c 2006-01-03 17:29:20 +0100
+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/x86_64/kernel/sys_x86_64.c 2006-09-20 17:01:44 +0200
@@ -16,6 +16,7 @@
@@ -20422,8 +20384,8 @@
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
---- linux-2.6.18.5/mm/mmap.c 2006-09-20 16:58:45 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mmap.c 2006-09-20 17:01:45 +0200
+--- linux-2.6.18.5/mm/mmap.c 2008-11-03 17:15:43.000000000 -0700
++++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mmap.c 2008-11-03 17:26:16.000000000 -0700
@@ -1137,10 +1137,10 @@ munmap_back:
kmem_cache_free(vm_area_cachep, vma);
}
@@ -20437,7 +20399,7 @@
make_pages_present(addr, addr + len);
}
if (flags & MAP_POPULATE) {
-@@ -1500,9 +1500,9 @@ static int acct_stack_growth(struct vm_a
+@@ -1507,9 +1507,9 @@ static int acct_stack_growth(struct vm_a
return -ENOMEM;
/* Ok, everything looks good - let it rip */
@@ -20449,7 +20411,7 @@
vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
return 0;
}
-@@ -1655,9 +1655,9 @@ static void remove_vma_list(struct mm_st
+@@ -1662,9 +1662,9 @@ static void remove_vma_list(struct mm_st
do {
long nrpages = vma_pages(vma);
@@ -20461,7 +20423,7 @@
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
} while (vma);
-@@ -1893,6 +1893,8 @@ unsigned long do_brk(unsigned long addr,
+@@ -1900,6 +1900,8 @@ unsigned long do_brk(unsigned long addr,
lock_limit >>= PAGE_SHIFT;
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
@@ -20470,7 +20432,7 @@
}
/*
-@@ -1919,7 +1921,8 @@ unsigned long do_brk(unsigned long addr,
+@@ -1926,7 +1928,8 @@ unsigned long do_brk(unsigned long addr,
if (mm->map_count > sysctl_max_map_count)
return -ENOMEM;
@@ -20480,7 +20442,7 @@
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -1945,9 +1948,9 @@ unsigned long do_brk(unsigned long addr,
+@@ -1952,9 +1955,9 @@ unsigned long do_brk(unsigned long addr,
(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
@@ -20492,7 +20454,7 @@
make_pages_present(addr, addr + len);
}
return addr;
-@@ -1973,6 +1976,11 @@ void exit_mmap(struct mm_struct *mm)
+@@ -1980,6 +1983,11 @@ void exit_mmap(struct mm_struct *mm)
free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, 0);
tlb_finish_mmu(tlb, 0, end);
@@ -20504,7 +20466,7 @@
/*
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
-@@ -2012,7 +2020,8 @@ int insert_vm_struct(struct mm_struct *
+@@ -2019,7 +2027,8 @@ int insert_vm_struct(struct mm_struct *
if (__vma && __vma->vm_start < vma->vm_end)
return -ENOMEM;
if ((vma->vm_flags & VM_ACCOUNT) &&
@@ -20514,7 +20476,7 @@
return -ENOMEM;
vma_link(mm, vma, prev, rb_link, rb_parent);
return 0;
-@@ -2085,5 +2094,7 @@ int may_expand_vm(struct mm_struct *mm,
+@@ -2092,6 +2101,8 @@ int may_expand_vm(struct mm_struct *mm,
if (cur + npages > lim)
return 0;
@@ -20522,6 +20484,16 @@
+ return 0;
return 1;
}
+
+@@ -2162,7 +2173,7 @@ int install_special_mapping(struct mm_st
+ return -ENOMEM;
+ }
+
+- mm->total_vm += len >> PAGE_SHIFT;
++ vx_vmpages_add(mm, len >> PAGE_SHIFT);
+
+ return 0;
+ }
--- linux-2.6.18.5/mm/mremap.c 2006-09-20 16:58:45 +0200
+++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mremap.c 2006-09-20 17:01:45 +0200
@@ -18,6 +18,7 @@
Modified: dists/etch-security/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch (original)
+++ dists/etch-security/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch Wed Nov 5 06:52:21 2008
@@ -13589,8 +13589,8 @@
+EXPORT_SYMBOL(swiotlb_dma_mapping_error);
+EXPORT_SYMBOL(swiotlb_dma_supported);
diff -urN -x .hg -x .hgtags linux-2.6.18.3/arch/i386/kernel/sysenter.c linux-2.6.18-xen/arch/i386/kernel/sysenter.c
---- linux-2.6.18.3/arch/i386/kernel/sysenter.c 2006-09-20 05:42:06.000000000 +0200
-+++ linux-2.6.18-xen/arch/i386/kernel/sysenter.c 2006-11-19 14:26:22.000000000 +0100
+--- linux-2.6.18.3/arch/i386/kernel/sysenter.c 2008-11-04 01:21:29.000000000 -0700
++++ linux-2.6.18-xen/arch/i386/kernel/sysenter.c 2008-11-04 01:23:08.000000000 -0700
@@ -23,6 +23,10 @@
#include <asm/pgtable.h>
#include <asm/unistd.h>
@@ -13618,9 +13618,9 @@
}
/*
-@@ -72,6 +78,18 @@
- {
- syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
+@@ -73,6 +79,18 @@
+ void *syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
+ syscall_pages[0] = virt_to_page(syscall_page);
+#ifdef CONFIG_XEN
+ if (boot_cpu_has(X86_FEATURE_SEP)) {
@@ -13637,7 +13637,7 @@
#ifdef CONFIG_COMPAT_VDSO
__set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY);
printk("Compat vDSO mapped to %08lx.\n", __fix_to_virt(FIX_VDSO));
-@@ -79,8 +97,12 @@
+@@ -80,8 +98,12 @@
/*
* In the non-compat case the ELF coredumping code needs the fixmap:
*/
Added: dists/etch-security/linux-2.6/debian/patches/features/all/xen/vdso-use_install_special_mapping.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/features/all/xen/vdso-use_install_special_mapping.patch Wed Nov 5 06:52:21 2008
@@ -0,0 +1,94 @@
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/ia32/syscall32-xen.c linux-source-2.6.18/arch/x86_64/ia32/syscall32-xen.c
+--- linux-source-2.6.18.orig/arch/x86_64/ia32/syscall32-xen.c 2008-11-04 01:32:02.000000000 -0700
++++ linux-source-2.6.18/arch/x86_64/ia32/syscall32-xen.c 2008-11-04 01:47:52.000000000 -0700
+@@ -21,68 +21,35 @@ extern unsigned char syscall32_syscall[]
+ extern unsigned char syscall32_sysenter[], syscall32_sysenter_end[];
+ extern int sysctl_vsyscall32;
+
+-char *syscall32_page;
++static struct page *syscall32_pages[1];
+ #ifndef USE_INT80
+ static int use_sysenter = -1;
+ #endif
+
+-static struct page *
+-syscall32_nopage(struct vm_area_struct *vma, unsigned long adr, int *type)
+-{
+- struct page *p = virt_to_page(adr - vma->vm_start + syscall32_page);
+- get_page(p);
+- return p;
+-}
+-
+-/* Prevent VMA merging */
+-static void syscall32_vma_close(struct vm_area_struct *vma)
+-{
+-}
+-
+-static struct vm_operations_struct syscall32_vm_ops = {
+- .close = syscall32_vma_close,
+- .nopage = syscall32_nopage,
+-};
+-
+ struct linux_binprm;
+
+ /* Setup a VMA at program startup for the vsyscall page */
+ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack)
+ {
+- int npages = (VSYSCALL32_END - VSYSCALL32_BASE) >> PAGE_SHIFT;
+- struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
+ int ret;
+
+- vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL);
+- if (!vma)
+- return -ENOMEM;
+-
+- memset(vma, 0, sizeof(struct vm_area_struct));
+- /* Could randomize here */
+- vma->vm_start = VSYSCALL32_BASE;
+- vma->vm_end = VSYSCALL32_END;
+- /* MAYWRITE to allow gdb to COW and set breakpoints */
+- vma->vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC|VM_MAYWRITE;
+- vma->vm_flags |= mm->def_flags;
+- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
+- vma->vm_ops = &syscall32_vm_ops;
+- vma->vm_mm = mm;
+-
+ down_write(&mm->mmap_sem);
+- if ((ret = insert_vm_struct(mm, vma))) {
+- up_write(&mm->mmap_sem);
+- kmem_cache_free(vm_area_cachep, vma);
+- return ret;
+- }
+- mm->total_vm += npages;
++ /*
++ * MAYWRITE to allow gdb to COW and set breakpoints
++ */
++ ret = install_special_mapping(mm, VSYSCALL32_BASE, PAGE_SIZE,
++ VM_READ|VM_EXEC|
++ VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ syscall32_pages);
+ up_write(&mm->mmap_sem);
+- return 0;
++ return ret;
+ }
+
+ static int __init init_syscall32(void)
+ {
+- syscall32_page = (void *)get_zeroed_page(GFP_KERNEL);
++ void *syscall32_page = (void *)get_zeroed_page(GFP_KERNEL);
++ syscall32_pages[0] = virt_to_page(syscall32_page);
+ if (!syscall32_page)
+ panic("Cannot allocate syscall32 page");
+
+diff -urpN linux-source-2.6.18.orig/include/asm-x86_64/vsyscall32.h linux-source-2.6.18/include/asm-x86_64/vsyscall32.h
+--- linux-source-2.6.18.orig/include/asm-x86_64/vsyscall32.h 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/asm-x86_64/vsyscall32.h 2008-11-04 01:49:44.000000000 -0700
+@@ -8,7 +8,6 @@
+ #define VSYSCALL32_SYSEXIT (VSYSCALL32_BASE + 0x410)
+ #else
+ #define VSYSCALL32_BASE 0xffffe000UL
+-#define VSYSCALL32_END (VSYSCALL32_BASE + PAGE_SIZE)
+ #define VSYSCALL32_EHDR ((const struct elf32_hdr *) VSYSCALL32_BASE)
+
+ #define VSYSCALL32_VSYSCALL ((void *)VSYSCALL32_BASE + 0x400)
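Review bot: In `init_syscall32` the new `syscall32_pages[0] = virt_to_page(syscall32_page);` runs before the `if (!syscall32_page)` check, so the conversion is applied to a possibly NULL pointer. The non-Xen version of this change places the assignment after the `panic` check, and the same order here would keep the two files consistent. The second file in this patch drops `VSYSCALL32_END` from vsyscall32.h, and remaining users of that macro cannot be ruled out from what is shown. `init_syscall32` continues outside the hunk.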
Modified: dists/etch-security/linux-2.6/debian/patches/features/all/xen/vserver-update.patch
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/features/all/xen/vserver-update.patch (original)
+++ dists/etch-security/linux-2.6/debian/patches/features/all/xen/vserver-update.patch Wed Nov 5 06:52:21 2008
@@ -64,26 +64,6 @@
.quad sys_mbind
.quad compat_sys_get_mempolicy /* 275 */
.quad sys_set_mempolicy
-diff -ur source-amd64-xen/arch/x86_64/ia32/syscall32-xen.c source-amd64-xen-vserver-patch/arch/x86_64/ia32/syscall32-xen.c
---- source-amd64-xen/arch/x86_64/ia32/syscall32-xen.c 2006-12-15 18:44:42.000000000 +0100
-+++ source-amd64-xen-vserver-patch/arch/x86_64/ia32/syscall32-xen.c 2006-12-15 18:45:43.000000000 +0100
-@@ -10,6 +10,7 @@
- #include <linux/init.h>
- #include <linux/stringify.h>
- #include <linux/security.h>
-+#include <linux/vs_memory.h>
- #include <asm/proto.h>
- #include <asm/tlbflush.h>
- #include <asm/ia32_unistd.h>
-@@ -75,7 +76,7 @@
- kmem_cache_free(vm_area_cachep, vma);
- return ret;
- }
-- mm->total_vm += npages;
-+ vx_vmpages_add(mm, npages);
- up_write(&mm->mmap_sem);
- return 0;
- }
diff -ur source-amd64-xen/arch/x86_64/kernel/traps-xen.c source-amd64-xen-vserver-patch/arch/x86_64/kernel/traps-xen.c
--- source-amd64-xen/arch/x86_64/kernel/traps-xen.c 2006-12-15 18:44:42.000000000 +0100
+++ source-amd64-xen-vserver-patch/arch/x86_64/kernel/traps-xen.c 2006-12-15 18:45:43.000000000 +0100
Added: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Wed Nov 5 06:52:21 2008
@@ -0,0 +1,3 @@
++ bugfix/add-install_special_mapping.patch
++ bugfix/i386-vdso-use_install_special_mapping.patch
++ bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
Added: dists/etch-security/linux-2.6/debian/patches/series/23etch1-extra
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1-extra Wed Nov 5 06:52:21 2008
@@ -0,0 +1 @@
++ features/all/xen/vdso-use_install_special_mapping.patch *_xen *_xen-vserver