[kernel] r16162 - in dists/lenny-security/linux-2.6/debian/patches: bugfix/all series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 18 23:19:27 UTC 2010
Author: dannf
Date: Wed Aug 18 23:19:22 2010
New Revision: 16162
Log:
additional fixes for CVE-2010-2240
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
Modified:
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch Wed Aug 18 23:19:22 2010 (r16162)
@@ -0,0 +1,78 @@
+From f863718750a155259bcccbf10b12d8282a0f538f Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Wed, 18 Aug 2010 17:04:23 -0600
+Subject: [PATCH 2/2] From: Linus Torvalds <torvalds at linux-foundation.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+commit d7824370e26325c881b665350ce64fb0a4fde24a upstream.
+
+This commit makes the stack guard page somewhat less visible to user
+space. It does this by:
+
+ - not showing the guard page in /proc/<pid>/maps
+
+ It looks like lvm-tools will actually read /proc/self/maps to figure
+ out where all its mappings are, and effectively do a specialized
+ "mlockall()" in user space. By not showing the guard page as part of
+ the mapping (by just adding PAGE_SIZE to the start for grows-up
+ pages), lvm-tools ends up not being aware of it.
+
+ - by also teaching the _real_ mlock() functionality not to try to lock
+ the guard page.
+
+ That would just expand the mapping down to create a new guard page,
+ so there really is no point in trying to lock it in place.
+
+It would perhaps be nice to show the guard page specially in
+/proc/<pid>/maps (or at least mark grow-down segments some way), but
+let's not open ourselves up to more breakage by user space from programs
+that depends on the exact deails of the 'maps' file.
+
+Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools
+source code to see what was going on with the whole new warning.
+
+[Note, for .27, only the /proc change is done, mlock is not modified
+here. - gregkh]
+
+Reported-and-tested-by: François Valenduc <francois.valenduc at tvcablenet.be
+Reported-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ fs/proc/task_mmu.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 0b2d836..1c0abfa 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -205,6 +205,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ struct file *file = vma->vm_file;
+ int flags = vma->vm_flags;
+ unsigned long ino = 0;
++ unsigned long start;
+ dev_t dev = 0;
+ int len;
+
+@@ -214,8 +215,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ ino = inode->i_ino;
+ }
+
++ /* We don't show the stack guard page in /proc/maps */
++ start = vma->vm_start;
++ if (vma->vm_flags & VM_GROWSDOWN)
++ start += PAGE_SIZE;
++
+ seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
+- vma->vm_start,
++ start,
+ vma->vm_end,
+ flags & VM_READ ? 'r' : '-',
+ flags & VM_WRITE ? 'w' : '-',
+--
+1.7.1
+
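Review bot: The backport header at the top of this patch does not say that only the fs/proc half of upstream d7824370 is carried; the diffstat lists fs/proc/task_mmu.c alone, and the only hint that the mlock() part was left out is gregkh's bracketed note, which refers to the 2.6.27-stable tree rather than to this 2.6.26 backport. Suggest extending the bracketed line to `[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>; as in 2.6.27-stable only the /proc/<pid>/maps change is included, the mlock() change is not]`. The `start += PAGE_SIZE` adjustment is unconditional for VM_GROWSDOWN, so a grows-down vma exactly one page long would be printed as an empty range whose start equals vm_end; presumably rare for a real stack, but worth a comment next to the existing one. Once the companion proc-fix patch in this commit routes show_smap through show_map_vma, the displayed range shrinks by one page while the Size: field (presumably still derived from vm_end - vm_start, outside this hunk) does not; that mismatch is inherited from upstream rather than introduced here.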
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch Wed Aug 18 23:19:22 2010 (r16162)
@@ -0,0 +1,127 @@
+commit ef3481c525adee77cb5f338ff23644a4fb71c427
+Author: dann frazier <dannf at hp.com>
+Date: Wed Aug 18 17:02:08 2010 -0600
+
+ [ backport of 7c88db0cb589df980acfb2f73c3595a0653004ec to 2.7.27.3 by Joe
+ Korty <joe.korty at ccur.com ]
+
+ [ backported to Debian's 2.6.26 by dann frazier <dannf at debian.org> ]
+
+ proc: fix vma display mismatch between /proc/pid/{maps,smaps}
+
+ Commit 4752c369789250eafcd7813e11c8fb689235b0d2 aka
+ "maps4: simplify interdependence of maps and smaps" broke /proc/pid/smaps,
+ causing it to display some vmas twice and other vmas not at all. For example:
+
+ grep .- /proc/1/smaps >/tmp/smaps; diff /proc/1/maps /tmp/smaps
+
+ 1 25d24
+ 2 < 7fd7e23aa000-7fd7e23ac000 rw-p 7fd7e23aa000 00:00 0
+ 3 28a28
+ 4 > ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
+
+ The bug has something to do with setting m->version before all the
+ seq_printf's have been performed. show_map was doing this correctly,
+ but show_smap was doing this in the middle of its seq_printf sequence.
+ This patch arranges things so that the setting of m->version in show_smap
+ is also done at the end of its seq_printf sequence.
+
+ Testing: in addition to the above grep test, for each process I summed
+ up the 'Rss' fields of /proc/pid/smaps and compared that to the 'VmRSS'
+ field of /proc/pid/status. All matched except for Xorg (which has a
+ /dev/mem mapping which Rss accounts for but VmRSS does not). This result
+ gives us some confidence that neither /proc/pid/maps nor /proc/pid/smaps
+ are any longer skipping or double-counting vmas.
+
+ Signed-off-by: Joe Korty <joe.korty at ccur.com>
+ Cc: Matt Mackall <mpm at selenic.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2819fcb..91ecd40 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -199,11 +199,8 @@ static int do_maps_open(struct inode *inode, struct file *file,
+ return ret;
+ }
+
+-static int show_map(struct seq_file *m, void *v)
++static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ {
+- struct proc_maps_private *priv = m->private;
+- struct task_struct *task = priv->task;
+- struct vm_area_struct *vma = v;
+ struct mm_struct *mm = vma->vm_mm;
+ struct file *file = vma->vm_file;
+ int flags = vma->vm_flags;
+@@ -211,9 +208,6 @@ static int show_map(struct seq_file *m, void *v)
+ dev_t dev = 0;
+ int len;
+
+- if (maps_protect && !ptrace_may_attach(task))
+- return -EACCES;
+-
+ if (file) {
+ struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
+ dev = inode->i_sb->s_dev;
+@@ -258,6 +252,18 @@ static int show_map(struct seq_file *m, void *v)
+ }
+ }
+ seq_putc(m, '\n');
++}
++
++static int show_map(struct seq_file *m, void *v)
++{
++ struct vm_area_struct *vma = v;
++ struct proc_maps_private *priv = m->private;
++ struct task_struct *task = priv->task;
++
++ if (maps_protect && !ptrace_may_attach(task))
++ return -EACCES;
++
++ show_map_vma(m, vma);
+
+ if (m->count < m->size) /* vma is copied successfully */
+ m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
+@@ -368,23 +374,25 @@ static int smaps_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
+
+ static int show_smap(struct seq_file *m, void *v)
+ {
++ struct proc_maps_private *priv = m->private;
++ struct task_struct *task = priv->task;
+ struct vm_area_struct *vma = v;
+ struct mem_size_stats mss;
+- int ret;
+ struct mm_walk smaps_walk = {
+ .pmd_entry = smaps_pte_range,
+ .mm = vma->vm_mm,
+ .private = &mss,
+ };
+
++ if (maps_protect && !ptrace_may_attach(task))
++ return -EACCES;
++
+ memset(&mss, 0, sizeof mss);
+ mss.vma = vma;
+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
+
+- ret = show_map(m, v);
+- if (ret)
+- return ret;
++ show_map_vma(m, vma);
+
+ seq_printf(m,
+ "Size: %8lu kB\n"
+@@ -406,7 +414,9 @@ static int show_smap(struct seq_file *m, void *v)
+ mss.referenced >> 10,
+ mss.swap >> 10);
+
+- return ret;
++ if (m->count < m->size) /* vma is copied successfully */
++ m->version = (vma != get_gate_vma(task)) ? vma->vm_start : 0;
++ return 0;
+ }
+
+ static const struct seq_operations proc_pid_smaps_op = {
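Review bot: The reordering in show_smap is a behavioral change the description does not mention: the maps_protect / ptrace_may_attach check used to run inside show_map, i.e. after memset and walk_page_range, and now runs before the page-table walk, so a caller who will be refused with -EACCES no longer causes the walk first. That is the better order, but the backport line at the top should record it, e.g. `[ backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>; note the ptrace_may_attach check in show_smap now precedes walk_page_range ]`. The same check is now duplicated verbatim in show_map and show_smap; a small static helper would keep the two from drifting, though the backport deliberately mirrors upstream. The attribution line reads `2.7.27.3`, which looks like a typo for 2.6.27.3. show_map's body continues past the hunk after the get_gate_vma line.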
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 18:39:13 2010 (r16161)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 23:19:22 2010 (r16162)
@@ -10,3 +10,5 @@
+ bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch
+ bugfix/all/mm-pass-correct-mm-when-growing-stack.patch
+ bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
++ bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
++ bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
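Review bot: The order of the two new entries is load-bearing and undocumented: the mm-fix-up patch's hunk context is anchored on `show_map_vma`, which only exists once the proc-fix-vma-display-mismatch patch has been applied, so swapping the two lines would make the series stop applying. If the series format accepts comments, a one-line remark above the pair such as `# proc-fix-vma-display-mismatch must precede mm-fix-up-some-user-visible-effects (it introduces show_map_vma)` would preserve that.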