[kernel] r16228 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Aug 30 06:16:57 UTC 2010
Author: dannf
Date: Mon Aug 30 06:16:53 2010
New Revision: 16228
Log:
mm: make stack guard page logic use vm_prev pointer, an additional fix for CVE-2010-2240
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/25
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Mon Aug 30 06:16:32 2010 (r16227)
+++ dists/lenny/linux-2.6/debian/changelog Mon Aug 30 06:16:53 2010 (r16228)
@@ -14,6 +14,8 @@
[ dann frazier ]
* Add guard page for stacks that grow up, an additional fix for
CVE-2010-2240
+ * mm: make stack guard page logic use vm_prev pointer, an additional
+ fix for CVE-2010-2240
* net sched: fix some kernel memory leaks (CVE-2010-2942)
* jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch Mon Aug 30 06:16:53 2010 (r16228)
@@ -0,0 +1,45 @@
+commit 15c90686999deb38db2309a13740f2a52cb306f0
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Aug 20 16:49:40 2010 -0700
+
+ mm: make stack guard page logic use vm_prev pointer
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ Like the mlock() change previously, this makes the stack guard check
+ code use vma->vm_prev to see what the mapping below the current stack
+ is, rather than have to look it up with find_vma().
+
+ Also, accept an abutting stack segment, since that happens naturally if
+ you split the stack with mlock or mprotect.
+
+ Tested-by: Ian Campbell <ijc at hellion.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index b169936..a92aca7 100644
+--- a/mm/memory.c 2010-08-29 23:49:51.000000000 -0600
++++ b/mm/memory.c 2010-08-29 23:46:34.000000000 -0600
+@@ -2285,11 +2285,18 @@ static inline int check_stack_guard_page
+ {
+ address &= PAGE_MASK;
+ if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
+- address -= PAGE_SIZE;
+- if (find_vma(vma->vm_mm, address) != vma)
+- return -ENOMEM;
++ struct vm_area_struct *prev = vma->vm_prev;
+
+- expand_stack(vma, address);
++ /*
++ * Is there a mapping abutting this one below?
++ *
++ * That's only ok if it's the same stack mapping
++ * that has gotten split..
++ */
++ if (prev && prev->vm_end == address)
++ return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
++
++ expand_stack(vma, address - PAGE_SIZE);
+ }
+ if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
+ struct vm_area_struct *next = vma->vm_next;
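Review bot: In the VM_GROWSDOWN branch of check_stack_guard_page the result of `expand_stack(vma, address - PAGE_SIZE)` is discarded, as it was before this change, so a failed expansion is not reported from this branch and the fault would presumably go on to be serviced on the page that was meant to act as the guard. Propagating it, for example `int err = expand_stack(vma, address - PAGE_SIZE); if (err) return err;`, keeps the guard in place when the stack cannot grow. Separately, the comment says an abutting mapping is only acceptable when it is the same stack mapping that was split, but the test `prev->vm_flags & VM_GROWSDOWN` accepts any adjacent grows-down mapping; the comment should say so, e.g. `/* an abutting VM_GROWSDOWN mapping is treated as part of the same stack */`. The function continues past the end of the hunk, so its final return path is not visible here.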
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch Mon Aug 30 06:16:53 2010 (r16228)
@@ -0,0 +1,29 @@
+commit 0550d4ec87bca8e87c3569fb4cb0ee482b64b3f9
+Author: dann frazier <dannf at hp.com>
+Date: Sun Aug 29 20:19:26 2010 -0600
+
+ Avoid ABI change
+
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index dc9c951..55afcc5 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -109,7 +109,7 @@ struct vm_area_struct {
+ within vm_mm. */
+
+ /* linked list of VM areas per task, sorted by address */
+- struct vm_area_struct *vm_next, *vm_prev;
++ struct vm_area_struct *vm_next;
+
+ pgprot_t vm_page_prot; /* Access permissions of this VMA. */
+ unsigned long vm_flags; /* Flags, listed below. */
+@@ -157,6 +157,9 @@ struct vm_area_struct {
+ #ifdef CONFIG_NUMA
+ struct mempolicy *vm_policy; /* NUMA policy for the VMA */
+ #endif
++#ifndef __GENKSYMS__
++ struct vm_area_struct *vm_prev;
++#endif
+ };
+
+ struct mm_struct {
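Review bot: The relocated `vm_prev` member under `#ifndef __GENKSYMS__` carries no comment explaining why it sits at the end of struct vm_area_struct and is hidden from genksyms, and the commit message says only "Avoid ABI change". Hiding the member keeps the exported symbol checksums unchanged, but the structure still grows by one pointer, so any module built against the previous headers that allocates or copies a vm_area_struct by size would leave `vm_prev` unset, and the companion guard-page patch reads that field when deciding whether a mapping abuts the stack. A comment such as `/* vm_prev: appended last and hidden from genksyms to keep symbol versions stable; code built against older headers does not know this field */` would record the constraint, and it is worth confirming that no supported out-of-tree module constructs VMAs itself.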
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch Mon Aug 30 06:16:53 2010 (r16228)
@@ -0,0 +1,130 @@
+commit f0e00e64d73d2e575fa76f059c02e15459c826f9
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Aug 20 16:24:55 2010 -0700
+
+ mm: make the vma list be doubly linked
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org]
+ [Note: nommu.c changes ignored, no Debian ports use it]
+
+ It's a really simple list, and several of the users want to go backwards
+ in it to find the previous vma. So rather than have to look up the
+ previous entry with 'find_vma_prev()' or something similar, just make it
+ doubly linked instead.
+
+ Tested-by: Ian Campbell <ijc at hellion.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index 02a27ae..dc9c951 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -109,7 +109,7 @@ struct vm_area_struct {
+ within vm_mm. */
+
+ /* linked list of VM areas per task, sorted by address */
+- struct vm_area_struct *vm_next;
++ struct vm_area_struct *vm_next, *vm_prev;
+
+ pgprot_t vm_page_prot; /* Access permissions of this VMA. */
+ unsigned long vm_flags; /* Flags, listed below. */
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 7260a05..4b3963a 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -234,7 +234,7 @@ out:
+ #ifdef CONFIG_MMU
+ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ {
+- struct vm_area_struct *mpnt, *tmp, **pprev;
++ struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
+ struct rb_node **rb_link, *rb_parent;
+ int retval;
+ unsigned long charge;
+@@ -259,6 +259,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ rb_parent = NULL;
+ pprev = &mm->mmap;
+
++ prev = NULL;
+ for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
+ struct file *file;
+
+@@ -287,7 +288,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ vma_set_policy(tmp, pol);
+ tmp->vm_flags &= ~VM_LOCKED;
+ tmp->vm_mm = mm;
+- tmp->vm_next = NULL;
++ tmp->vm_next = tmp->vm_prev = NULL;
+ anon_vma_link(tmp);
+ file = tmp->vm_file;
+ if (file) {
+@@ -310,6 +311,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ */
+ *pprev = tmp;
+ pprev = &tmp->vm_next;
++ tmp->vm_prev = prev;
++ prev = tmp;
+
+ __vma_link_rb(mm, tmp, rb_link, rb_parent);
+ rb_link = &tmp->vm_rb.rb_right;
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 2ffd74c..0c137e5 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -387,17 +387,23 @@ static inline void
+ __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
+ struct vm_area_struct *prev, struct rb_node *rb_parent)
+ {
++ struct vm_area_struct *next;
++
++ vma->vm_prev = prev;
+ if (prev) {
+- vma->vm_next = prev->vm_next;
++ next = prev->vm_next;
+ prev->vm_next = vma;
+ } else {
+ mm->mmap = vma;
+ if (rb_parent)
+- vma->vm_next = rb_entry(rb_parent,
++ next = rb_entry(rb_parent,
+ struct vm_area_struct, vm_rb);
+ else
+- vma->vm_next = NULL;
++ next = NULL;
+ }
++ vma->vm_next = next;
++ if (next)
++ next->vm_prev = vma;
+ }
+
+ void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -486,7 +492,11 @@ static inline void
+ __vma_unlink(struct mm_struct *mm, struct vm_area_struct *vma,
+ struct vm_area_struct *prev)
+ {
+- prev->vm_next = vma->vm_next;
++ struct vm_area_struct *next = vma->vm_next;
++
++ prev->vm_next = next;
++ if (next)
++ next->vm_prev = prev;
+ rb_erase(&vma->vm_rb, &mm->mm_rb);
+ if (mm->mmap_cache == vma)
+ mm->mmap_cache = prev;
+@@ -1782,6 +1792,7 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ unsigned long addr;
+
+ insertion_point = (prev ? &prev->vm_next : &mm->mmap);
++ vma->vm_prev = NULL;
+ do {
+ rb_erase(&vma->vm_rb, &mm->mm_rb);
+ mm->map_count--;
+@@ -1789,6 +1800,8 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ vma = vma->vm_next;
+ } while (vma && vma->vm_start < end);
+ *insertion_point = vma;
++ if (vma)
++ vma->vm_prev = prev;
+ tail_vma->vm_next = NULL;
+ if (mm->unmap_area == arch_unmap_area)
+ addr = prev ? prev->vm_end : mm->mmap_base;
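Review bot: Nothing in this backport documents or checks the new invariant that `vm_prev` must be updated wherever `vm_next` is written, yet the follow-on guard-page patch makes a security decision from `vma->vm_prev`. The hunks cover dup_mmap, __vma_link_list, __vma_unlink and detach_vmas_to_be_unmapped, and the header notes that the nommu.c changes were dropped; whether 2.6.26 has other direct writers of `vm_next` that the upstream commit did not need to touch cannot be told from this patch. I would extend the field comment in mm_types.h to `/* linked list of VM areas per task, sorted by address; vm_prev must be kept in step with vm_next */` and record in the patch header that the tree was searched for remaining `vm_next` assignments. __vma_unlink also still dereferences `prev` unconditionally and now stores it into `next->vm_prev`, so it relies on callers (outside the hunk) never passing the first VMA in the list.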
Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25 Mon Aug 30 06:16:32 2010 (r16227)
+++ dists/lenny/linux-2.6/debian/patches/series/25 Mon Aug 30 06:16:53 2010 (r16228)
@@ -8,3 +8,6 @@
+ bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
+ bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
+ bugfix/all/parport-quickfix-proc-registration-no-abi-change.patch
++ bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
++ bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
++ bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch