[kernel] r16218 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Aug 29 20:09:50 UTC 2010 

Author: dannf
Date: Sun Aug 29 20:09:43 2010
New Revision: 16218

Log:
Add guard page for stacks that grow up, an additional fix for CVE-2010-2240

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 18:55:22 2010	(r16217)
+++ dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 20:09:43 2010	(r16218)
@@ -10,6 +10,10 @@
   [ Moritz Muehlenhoff ]
   * parport: quickfix the proc registration bug (Closes: #588672)
 
+  [ dann frazier ]
+  * Add guard page for stacks that grow up, an additional fix for
+    CVE-2010-2240
+
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Jul 2010 01:36:02 +0100
 
 linux-2.6 (2.6.26-24lenny1) stable-security; urgency=high

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/guard-page-for-stacks-that-grow-upwards.patch	Sun Aug 29 20:09:43 2010	(r16218)
@@ -0,0 +1,92 @@
+commit 24cea8c85d4aa60c287d8522338df369b4f86819
+Author: Luck, Tony <tony.luck at intel.com>
+Date:   Tue Aug 24 11:44:18 2010 -0700
+
+    guard page for stacks that grow upwards
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    pa-risc and ia64 have stacks that grow upwards. Check that
+    they do not run into other mappings. By making VM_GROWSUP
+    0x0 on architectures that do not ever use it, we can avoid
+    some unpleasant #ifdefs in check_stack_guard_page().
+    
+    Signed-off-by: Tony Luck <tony.luck at intel.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index abda131..8fc5d38 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -82,7 +82,11 @@ extern unsigned int kobjsize(const void *objp);
+ #define VM_MAYSHARE	0x00000080
+ 
+ #define VM_GROWSDOWN	0x00000100	/* general info on the segment */
++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
+ #define VM_GROWSUP	0x00000200
++#else
++#define VM_GROWSUP	0x00000000
++#endif
+ #define VM_PFNMAP	0x00000400	/* Page-ranges managed without "struct page", just pure PFN */
+ #define VM_DENYWRITE	0x00000800	/* ETXTBSY on write attempts.. */
+ 
+@@ -1133,8 +1137,10 @@ unsigned long max_sane_readahead(unsigned long nr);
+ 
+ /* Do stack extension */
+ extern int expand_stack(struct vm_area_struct *vma, unsigned long address);
+-#ifdef CONFIG_IA64
++#if VM_GROWSUP
+ extern int expand_upwards(struct vm_area_struct *vma, unsigned long address);
++#else
++  #define expand_upwards(vma, address) do { } while (0)
+ #endif
+ extern int expand_stack_downwards(struct vm_area_struct *vma,
+ 				  unsigned long address);
+diff --git a/mm/memory.c b/mm/memory.c
+index 2b1ad91..b169936 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2277,11 +2277,9 @@ out_nomap:
+ }
+ 
+ /*
+- * This is like a special single-page "expand_downwards()",
+- * except we must first make sure that 'address-PAGE_SIZE'
++ * This is like a special single-page "expand_{down|up}wards()",
++ * except we must first make sure that 'address{-|+}PAGE_SIZE'
+  * doesn't hit another vma.
+- *
+- * The "find_vma()" will do the right thing even if we wrap
+  */
+ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
+ {
+@@ -2298,6 +2296,15 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo
+ 
+ 		expand_stack(vma, address);
+ 	}
++	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
++		struct vm_area_struct *next = vma->vm_next;
++
++		/* As VM_GROWSDOWN but s/below/above/ */
++		if (next && next->vm_start == address + PAGE_SIZE)
++			return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
++
++		expand_upwards(vma, address + PAGE_SIZE);
++	}
+ 	return 0;
+ }
+ 
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 497c9ed..2ffd74c 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1579,9 +1579,6 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+  * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
+  * vma is the last one with address > vma->vm_end.  Have to extend vma.
+  */
+-#ifndef CONFIG_IA64
+-static inline
+-#endif
+ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ {
+ 	int error;

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 18:55:22 2010	(r16217)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 20:09:43 2010	(r16218)
@@ -4,3 +4,4 @@
 + features/all/e1000e/e1000e-add-support-for-82583-device-id.patch
 + features/all/e1000e/e1000e-add-support-for-the-82567LM-4-device.patch
 + features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
++ bugfix/all/guard-page-for-stacks-that-grow-upwards.patch

More information about the Kernel-svn-changes mailing list