[kernel] r16218 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 29 20:09:50 UTC 2010
Author: dannf
Date: Sun Aug 29 20:09:43 2010
New Revision: 16218
Log:
Add guard page for stacks that grow up, an additional fix for CVE-2010-2240
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/25
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Sun Aug 29 18:55:22 2010 (r16217)
+++ dists/lenny/linux-2.6/debian/changelog Sun Aug 29 20:09:43 2010 (r16218)
@@ -10,6 +10,10 @@
[ Moritz Muehlenhoff ]
* parport: quickfix the proc registration bug (Closes: #588672)
+ [ dann frazier ]
+ * Add guard page for stacks that grow up, an additional fix for
+ CVE-2010-2240
+
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Jul 2010 01:36:02 +0100
linux-2.6 (2.6.26-24lenny1) stable-security; urgency=high
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch Sun Aug 29 20:09:43 2010 (r16218)
@@ -0,0 +1,92 @@
+commit 24cea8c85d4aa60c287d8522338df369b4f86819
+Author: Luck, Tony <tony.luck at intel.com>
+Date: Tue Aug 24 11:44:18 2010 -0700
+
+ guard page for stacks that grow upwards
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ pa-risc and ia64 have stacks that grow upwards. Check that
+ they do not run into other mappings. By making VM_GROWSUP
+ 0x0 on architectures that do not ever use it, we can avoid
+ some unpleasant #ifdefs in check_stack_guard_page().
+
+ Signed-off-by: Tony Luck <tony.luck at intel.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index abda131..8fc5d38 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -82,7 +82,11 @@ extern unsigned int kobjsize(const void *objp);
+ #define VM_MAYSHARE 0x00000080
+
+ #define VM_GROWSDOWN 0x00000100 /* general info on the segment */
++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
+ #define VM_GROWSUP 0x00000200
++#else
++#define VM_GROWSUP 0x00000000
++#endif
+ #define VM_PFNMAP 0x00000400 /* Page-ranges managed without "struct page", just pure PFN */
+ #define VM_DENYWRITE 0x00000800 /* ETXTBSY on write attempts.. */
+
+@@ -1133,8 +1137,10 @@ unsigned long max_sane_readahead(unsigned long nr);
+
+ /* Do stack extension */
+ extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
+-#ifdef CONFIG_IA64
++#if VM_GROWSUP
+ extern int expand_upwards(struct vm_area_struct *vma, unsigned long address);
++#else
++ #define expand_upwards(vma, address) do { } while (0)
+ #endif
+ extern int expand_stack_downwards(struct vm_area_struct *vma,
+ unsigned long address);
+diff --git a/mm/memory.c b/mm/memory.c
+index 2b1ad91..b169936 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2277,11 +2277,9 @@ out_nomap:
+ }
+
+ /*
+- * This is like a special single-page "expand_downwards()",
+- * except we must first make sure that 'address-PAGE_SIZE'
++ * This is like a special single-page "expand_{down|up}wards()",
++ * except we must first make sure that 'address{-|+}PAGE_SIZE'
+ * doesn't hit another vma.
+- *
+- * The "find_vma()" will do the right thing even if we wrap
+ */
+ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
+ {
+@@ -2298,6 +2296,15 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
+
+ expand_stack(vma, address);
+ }
++ if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
++ struct vm_area_struct *next = vma->vm_next;
++
++ /* As VM_GROWSDOWN but s/below/above/ */
++ if (next && next->vm_start == address + PAGE_SIZE)
++ return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
++
++ expand_upwards(vma, address + PAGE_SIZE);
++ }
+ return 0;
+ }
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 497c9ed..2ffd74c 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1579,9 +1579,6 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
+ * vma is the last one with address > vma->vm_end. Have to extend vma.
+ */
+-#ifndef CONFIG_IA64
+-static inline
+-#endif
+ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ {
+ int error;
Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 18:55:22 2010 (r16217)
+++ dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 20:09:43 2010 (r16218)
@@ -4,3 +4,4 @@
+ features/all/e1000e/e1000e-add-support-for-82583-device-id.patch
+ features/all/e1000e/e1000e-add-support-for-the-82567LM-4-device.patch
+ features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
++ bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
More information about the Kernel-svn-changes
mailing list