[kernel] r16136 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Aug 14 00:49:16 UTC 2010
Author: dannf
Date: Sat Aug 14 00:49:14 2010
New Revision: 16136
Log:
mm: keep a guard page below a grow-down stack segment
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Aug 14 00:48:51 2010 (r16135)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Aug 14 00:49:14 2010 (r16136)
@@ -11,6 +11,7 @@
regression due to fix for CVE-2010-0307)
* can: add limit for nframes and clean up signed/unsigned variables
(CVE-REQUESTED)
+ * mm: keep a guard page below a grow-down stack segment
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
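Review bot: the new changelog entry carries no vulnerability reference, while the two entries above it cite `(CVE-2010-0307)` and `(CVE-REQUESTED)`; for a lenny-security upload, append the CVE id once assigned or `(CVE-REQUESTED)` in the meantime so the entry can be matched by the security tracker. Naming the upstream commit (`43040e916a16cc8bc82722732c156cbf64991025`, as given in the added patch header) in the entry would also let reviewers locate the source of the backport.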
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch Sat Aug 14 00:49:14 2010 (r16136)
@@ -0,0 +1,68 @@
+commit 43040e916a16cc8bc82722732c156cbf64991025
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Thu Aug 12 17:54:33 2010 -0700
+
+ mm: keep a guard page below a grow-down stack segment
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ This is a rather minimally invasive patch to solve the problem of the
+ user stack growing into a memory mapped area below it. Whenever we fill
+ the first page of the stack segment, expand the segment down by one
+ page.
+
+ Now, admittedly some odd application might _want_ the stack to grow down
+ into the preceding memory mapping, and so we may at some point need to
+ make this a process tunable (some people might also want to have more
+ than a single page of guarding), but let's try the minimal approach
+ first.
+
+ Tested with trivial application that maps a single page just below the
+ stack, and then starts recursing. Without this, we will get a SIGSEGV
+ _after_ the stack has smashed the mapping. With this patch, we'll get a
+ nice SIGBUS just as the stack touches the page just above the mapping.
+
+ Requested-by: Keith Packard <keithp at keithp.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index 0755c52..a1a8e45 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2277,6 +2277,26 @@ out_nomap:
+ }
+
+ /*
++ * This is like a special single-page "expand_downwards()",
++ * except we must first make sure that 'address-PAGE_SIZE'
++ * doesn't hit another vma.
++ *
++ * The "find_vma()" will do the right thing even if we wrap
++ */
++static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
++{
++ address &= PAGE_MASK;
++ if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
++ address -= PAGE_SIZE;
++ if (find_vma(vma->vm_mm, address) != vma)
++ return -ENOMEM;
++
++ expand_stack(vma, address);
++ }
++ return 0;
++}
++
++/*
+ * We enter with non-exclusive mmap_sem (to exclude vma changes,
+ * but allow concurrent faults), and pte mapped but not yet locked.
+ * We return with mmap_sem still held, but pte unmapped and unlocked.
+@@ -2289,6 +2309,9 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+ spinlock_t *ptl;
+ pte_t entry;
+
++ if (check_stack_guard_page(vma, address) < 0)
++ return VM_FAULT_SIGBUS;
++
+ /* Allocate our own private page. */
+ pte_unmap(page_table);
+
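Review bot: in the second `mm/memory.c` region, `check_stack_guard_page()` returns `VM_FAULT_SIGBUS` before the `pte_unmap(page_table);` that follows the "Allocate our own private page" comment, which violates the contract stated in the comment just above `do_anonymous_page()` ("We enter with ... pte mapped but not yet locked. We return with mmap_sem still held, but pte unmapped and unlocked"): on the failure path the caller's pte mapping is never released. Either move the guard-page check after `pte_unmap(page_table);` or add `pte_unmap(page_table);` before `return VM_FAULT_SIGBUS;`. In the first region, the result of `expand_stack(vma, address);` is discarded, so a failed expansion is treated as success and the fault proceeds without the guard page having been reserved; propagating it (`return expand_stack(vma, address);`) keeps the -ENOMEM path consistent with the `find_vma()` check above it.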
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Sat Aug 14 00:48:51 2010 (r16135)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Sat Aug 14 00:49:14 2010 (r16136)
@@ -7,3 +7,4 @@
+ bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
+ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
+ bugfix/all/can-add-limit-for-nframes-and-clean-up-signed-variables.patch
++ bugfix/all/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch