[kernel] r16162 - in dists/lenny-security/linux-2.6/debian/patches: bugfix/all series

Dann Frazier dannf at alioth.debian.org
Wed Aug 18 23:19:27 UTC 2010


Author: dannf
Date: Wed Aug 18 23:19:22 2010
New Revision: 16162

Log:
additional fixes for CVE-2010-2240

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
Modified:
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch	Wed Aug 18 23:19:22 2010	(r16162)
@@ -0,0 +1,78 @@
+From f863718750a155259bcccbf10b12d8282a0f538f Mon Sep 17 00:00:00 2001
+From: dann frazier <dannf at hp.com>
+Date: Wed, 18 Aug 2010 17:04:23 -0600
+Subject: [PATCH 2/2] From: Linus Torvalds <torvalds at linux-foundation.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+commit d7824370e26325c881b665350ce64fb0a4fde24a upstream.
+
+This commit makes the stack guard page somewhat less visible to user
+space. It does this by:
+
+ - not showing the guard page in /proc/<pid>/maps
+
+   It looks like lvm-tools will actually read /proc/self/maps to figure
+   out where all its mappings are, and effectively do a specialized
+   "mlockall()" in user space.  By not showing the guard page as part of
+   the mapping (by just adding PAGE_SIZE to the start for grows-up
+   pages), lvm-tools ends up not being aware of it.
+
+ - by also teaching the _real_ mlock() functionality not to try to lock
+   the guard page.
+
+   That would just expand the mapping down to create a new guard page,
+   so there really is no point in trying to lock it in place.
+
+It would perhaps be nice to show the guard page specially in
+/proc/<pid>/maps (or at least mark grow-down segments some way), but
+let's not open ourselves up to more breakage by user space from programs
+that depends on the exact deails of the 'maps' file.
+
+Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools
+source code to see what was going on with the whole new warning.
+
+[Note, for .27, only the /proc change is done, mlock is not modified
+here. - gregkh]
+
+Reported-and-tested-by: François Valenduc <francois.valenduc at tvcablenet.be
+Reported-by: Henrique de Moraes Holschuh <hmh at hmh.eng.br>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ fs/proc/task_mmu.c |    8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 0b2d836..1c0abfa 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -205,6 +205,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ 	struct file *file = vma->vm_file;
+ 	int flags = vma->vm_flags;
+ 	unsigned long ino = 0;
++	unsigned long start;
+ 	dev_t dev = 0;
+ 	int len;
+ 
+@@ -214,8 +215,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ 		ino = inode->i_ino;
+ 	}
+ 
++	/* We don't show the stack guard page in /proc/maps */
++	start = vma->vm_start;
++	if (vma->vm_flags & VM_GROWSDOWN)
++		start += PAGE_SIZE;
++
+ 	seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
+-			vma->vm_start,
++			start,
+ 			vma->vm_end,
+ 			flags & VM_READ ? 'r' : '-',
+ 			flags & VM_WRITE ? 'w' : '-',
+-- 
+1.7.1
+
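Review bot: The `start += PAGE_SIZE` adjustment for VM_GROWSDOWN vmas in the second nested hunk is unconditional, so a grows-down vma that is exactly one page long would be printed with `start == vma->vm_end`, i.e. as an empty range; a guard such as `if ((vma->vm_flags & VM_GROWSDOWN) && vma->vm_end - vma->vm_start > PAGE_SIZE)` would avoid that, though whether the 2.6.26 guard-page logic can produce such a vma is not visible here. The patch header also has the upstream `From: Linus Torvalds` line folded into the Subject, so `git am` would attribute the backport to dann frazier with that string as the title; it should be split back out. Like the .27 stable backport per the gregkh note, only the /proc change is carried and the mlock() half of d7824370 is dropped (the diffstat touches only fs/proc/task_mmu.c); the Debian backport note should say so explicitly rather than rely on the .27 remark. The remainder of show_map_vma lies outside the nested hunks.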

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch	Wed Aug 18 23:19:22 2010	(r16162)
@@ -0,0 +1,127 @@
+commit ef3481c525adee77cb5f338ff23644a4fb71c427
+Author: dann frazier <dannf at hp.com>
+Date:   Wed Aug 18 17:02:08 2010 -0600
+
+    [ backport of 7c88db0cb589df980acfb2f73c3595a0653004ec to 2.7.27.3 by Joe
+    Korty <joe.korty at ccur.com ]
+    
+    [ backported to Debian's 2.6.26 by dann frazier <dannf at debian.org> ]
+    
+    proc: fix vma display mismatch between /proc/pid/{maps,smaps}
+    
+    Commit 4752c369789250eafcd7813e11c8fb689235b0d2 aka
+    "maps4: simplify interdependence of maps and smaps" broke /proc/pid/smaps,
+    causing it to display some vmas twice and other vmas not at all.  For example:
+    
+        grep .- /proc/1/smaps >/tmp/smaps; diff /proc/1/maps /tmp/smaps
+    
+        1  25d24
+        2  < 7fd7e23aa000-7fd7e23ac000 rw-p 7fd7e23aa000 00:00 0
+        3  28a28
+        4  > ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
+    
+    The bug has something to do with setting m->version before all the
+    seq_printf's have been performed.  show_map was doing this correctly,
+    but show_smap was doing this in the middle of its seq_printf sequence.
+    This patch arranges things so that the setting of m->version in show_smap
+    is also done at the end of its seq_printf sequence.
+    
+    Testing: in addition to the above grep test, for each process I summed
+    up the 'Rss' fields of /proc/pid/smaps and compared that to the 'VmRSS'
+    field of /proc/pid/status.  All matched except for Xorg (which has a
+    /dev/mem mapping which Rss accounts for but VmRSS does not).  This result
+    gives us some confidence that neither /proc/pid/maps nor /proc/pid/smaps
+    are any longer skipping or double-counting vmas.
+    
+    Signed-off-by: Joe Korty <joe.korty at ccur.com>
+    Cc: Matt Mackall <mpm at selenic.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Alexey Dobriyan <adobriyan at gmail.com>
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 2819fcb..91ecd40 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -199,11 +199,8 @@ static int do_maps_open(struct inode *inode, struct file *file,
+ 	return ret;
+ }
+ 
+-static int show_map(struct seq_file *m, void *v)
++static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+ {
+-	struct proc_maps_private *priv = m->private;
+-	struct task_struct *task = priv->task;
+-	struct vm_area_struct *vma = v;
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct file *file = vma->vm_file;
+ 	int flags = vma->vm_flags;
+@@ -211,9 +208,6 @@ static int show_map(struct seq_file *m, void *v)
+ 	dev_t dev = 0;
+ 	int len;
+ 
+-	if (maps_protect && !ptrace_may_attach(task))
+-		return -EACCES;
+-
+ 	if (file) {
+ 		struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
+ 		dev = inode->i_sb->s_dev;
+@@ -258,6 +252,18 @@ static int show_map(struct seq_file *m, void *v)
+ 		}
+ 	}
+ 	seq_putc(m, '\n');
++}
++
++static int show_map(struct seq_file *m, void *v)
++{
++	struct vm_area_struct *vma = v;
++	struct proc_maps_private *priv = m->private;
++	struct task_struct *task = priv->task;
++
++	if (maps_protect && !ptrace_may_attach(task))
++		return -EACCES;
++
++	show_map_vma(m, vma);
+ 
+ 	if (m->count < m->size)  /* vma is copied successfully */
+ 		m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
+@@ -368,23 +374,25 @@ static int smaps_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
+ 
+ static int show_smap(struct seq_file *m, void *v)
+ {
++	struct proc_maps_private *priv = m->private;
++	struct task_struct *task = priv->task;
+ 	struct vm_area_struct *vma = v;
+ 	struct mem_size_stats mss;
+-	int ret;
+ 	struct mm_walk smaps_walk = {
+ 		.pmd_entry = smaps_pte_range,
+ 		.mm = vma->vm_mm,
+ 		.private = &mss,
+ 	};
+ 
++	if (maps_protect && !ptrace_may_attach(task))
++		return -EACCES;
++
+ 	memset(&mss, 0, sizeof mss);
+ 	mss.vma = vma;
+ 	if (vma->vm_mm && !is_vm_hugetlb_page(vma))
+ 		walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
+ 
+-	ret = show_map(m, v);
+-	if (ret)
+-		return ret;
++	show_map_vma(m, vma);
+ 
+ 	seq_printf(m,
+ 		   "Size:           %8lu kB\n"
+@@ -406,7 +414,9 @@ static int show_smap(struct seq_file *m, void *v)
+ 		   mss.referenced >> 10,
+ 		   mss.swap >> 10);
+ 
+-	return ret;
++	if (m->count < m->size)  /* vma is copied successfully */
++		m->version = (vma != get_gate_vma(task)) ? vma->vm_start : 0;
++	return 0;
+ }
+ 
+ static const struct seq_operations proc_pid_smaps_op = {
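Review bot: The backport note at the top of the file has two defects: `2.7.27.3` should presumably read `2.6.27.3`, and Joe Korty's address is missing its closing `>` (`<joe.korty at ccur.com ]`), which will trip anyone parsing the trailer. On the code side, placing the `maps_protect && !ptrace_may_attach(task)` check ahead of `walk_page_range()` in show_smap means the page-table walk no longer runs for a task the reader is not allowed to inspect, which is the right order and deserves a one-line comment, e.g. `/* check access before walking page tables or emitting anything */`. That check is now duplicated verbatim in show_map and show_smap; a small static helper would keep the two copies from drifting in later backports.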

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 18:39:13 2010	(r16161)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 23:19:22 2010	(r16162)
@@ -10,3 +10,5 @@
 + bugfix/x86/dont-send-SIGBUS-for-kernel-page-faults.patch
 + bugfix/all/mm-pass-correct-mm-when-growing-stack.patch
 + bugfix/all/mm-fix-page-table-unmap-for-stack-guard-page-properly.patch
++ bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
++ bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
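Review bot: The two added entries are order-dependent: the context lines of `mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch` expect `show_map_vma()`, which only exists once `proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch` has split it out of show_map(), so the order of the two new lines must not be swapped. If this series format accepts comments, a one-line note such as `# proc-fix-vma-display-mismatch must precede mm-fix-up-... (provides show_map_vma)` would protect that dependency during future rebases.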


