[kernel] r16136 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Aug 14 00:49:16 UTC 2010


Author: dannf
Date: Sat Aug 14 00:49:14 2010
New Revision: 16136

Log:
mm: keep a guard page below a grow-down stack segment

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Aug 14 00:48:51 2010	(r16135)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Aug 14 00:49:14 2010	(r16136)
@@ -11,6 +11,7 @@
     regression due to fix for CVE-2010-0307)
   * can: add limit for nframes and clean up signed/unsigned variables
     (CVE-REQUESTED)
+  * mm: keep a guard page below a grow-down stack segment
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 
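Review bot: the new changelog entry `+  * mm: keep a guard page below a grow-down stack segment` records no CVE identifier, while the neighbouring entries in the same hunk either cite one (CVE-2010-0307) or carry a `(CVE-REQUESTED)` marker; add the assigned CVE or a CVE-REQUESTED marker so the security tracker can match this upload to the advisory.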

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch	Sat Aug 14 00:49:14 2010	(r16136)
@@ -0,0 +1,68 @@
+commit 43040e916a16cc8bc82722732c156cbf64991025
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Thu Aug 12 17:54:33 2010 -0700
+
+    mm: keep a guard page below a grow-down stack segment
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    This is a rather minimally invasive patch to solve the problem of the
+    user stack growing into a memory mapped area below it.  Whenever we fill
+    the first page of the stack segment, expand the segment down by one
+    page.
+    
+    Now, admittedly some odd application might _want_ the stack to grow down
+    into the preceding memory mapping, and so we may at some point need to
+    make this a process tunable (some people might also want to have more
+    than a single page of guarding), but let's try the minimal approach
+    first.
+    
+    Tested with trivial application that maps a single page just below the
+    stack, and then starts recursing.  Without this, we will get a SIGSEGV
+    _after_ the stack has smashed the mapping.  With this patch, we'll get a
+    nice SIGBUS just as the stack touches the page just above the mapping.
+    
+    Requested-by: Keith Packard <keithp at keithp.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index 0755c52..a1a8e45 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2277,6 +2277,26 @@ out_nomap:
+ }
+ 
+ /*
++ * This is like a special single-page "expand_downwards()",
++ * except we must first make sure that 'address-PAGE_SIZE'
++ * doesn't hit another vma.
++ *
++ * The "find_vma()" will do the right thing even if we wrap
++ */
++static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
++{
++	address &= PAGE_MASK;
++	if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
++		address -= PAGE_SIZE;
++		if (find_vma(vma->vm_mm, address) != vma)
++			return -ENOMEM;
++
++		expand_stack(vma, address);
++	}
++	return 0;
++}
++
++/*
+  * We enter with non-exclusive mmap_sem (to exclude vma changes,
+  * but allow concurrent faults), and pte mapped but not yet locked.
+  * We return with mmap_sem still held, but pte unmapped and unlocked.
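Review bot: in check_stack_guard_page() the return value of `expand_stack(vma, address)` is discarded, so when the expansion fails (stack rlimit reached, or no memory to grow the vma) the function still returns 0 and do_anonymous_page() goes on to populate the page at vm_start with no guard page below it; returning the result directly, `return expand_stack(vma, address);`, turns that failure into the same VM_FAULT_SIGBUS that the find_vma() mismatch already produces. A short comment that the guard is exactly one page wide and is only checked when the faulting address equals vm_start would also help, since that is the limitation the commit message describes.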
+@@ -2289,6 +2309,9 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	spinlock_t *ptl;
+ 	pte_t entry;
+ 
++	if (check_stack_guard_page(vma, address) < 0)
++		return VM_FAULT_SIGBUS;
++
+ 	/* Allocate our own private page. */
+ 	pte_unmap(page_table);
+ 
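Review bot: the `check_stack_guard_page(vma, address)` call is inserted before the existing `pte_unmap(page_table);`, so expand_stack() runs while the page table entry is still mapped; on configurations where pte_offset_map() uses kmap_atomic (32-bit x86 with highmem page tables) that is an atomic region, and expand_stack() may need to allocate (anon_vma_prepare) and take locks, which is not safe there. Moving the guard-page check below the `pte_unmap(page_table);` line and returning VM_FAULT_SIGBUS from that point keeps the check while avoiding the atomic context.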

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Sat Aug 14 00:48:51 2010	(r16135)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Sat Aug 14 00:49:14 2010	(r16136)
@@ -7,3 +7,4 @@
 + bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
 + bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
 + bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
++ bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch


