[kernel] r16228 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Aug 30 06:16:57 UTC 2010


Author: dannf
Date: Mon Aug 30 06:16:53 2010
New Revision: 16228

Log:
mm: make stack guard page logic use vm_prev pointer, an additional fix for CVE-2010-2240

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Mon Aug 30 06:16:32 2010	(r16227)
+++ dists/lenny/linux-2.6/debian/changelog	Mon Aug 30 06:16:53 2010	(r16228)
@@ -14,6 +14,8 @@
   [ dann frazier ]
   * Add guard page for stacks that grow up, an additional fix for
     CVE-2010-2240
+  * mm: make stack guard page logic use vm_prev pointer, an additional
+    fix for CVE-2010-2240
   * net sched: fix some kernel memory leaks (CVE-2010-2942)
   * jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch	Mon Aug 30 06:16:53 2010	(r16228)
@@ -0,0 +1,45 @@
+commit 15c90686999deb38db2309a13740f2a52cb306f0
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Fri Aug 20 16:49:40 2010 -0700
+
+    mm: make stack guard page logic use vm_prev pointer
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    Like the mlock() change previously, this makes the stack guard check
+    code use vma->vm_prev to see what the mapping below the current stack
+    is, rather than have to look it up with find_vma().
+    
+    Also, accept an abutting stack segment, since that happens naturally if
+    you split the stack with mlock or mprotect.
+    
+    Tested-by: Ian Campbell <ijc at hellion.org.uk>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/memory.c b/mm/memory.c
+index b169936..a92aca7 100644
+--- a/mm/memory.c	2010-08-29 23:49:51.000000000 -0600
++++ b/mm/memory.c	2010-08-29 23:46:34.000000000 -0600
+@@ -2285,11 +2285,18 @@ static inline int check_stack_guard_page
+ {
+ 	address &= PAGE_MASK;
+ 	if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
+-		address -= PAGE_SIZE;
+-		if (find_vma(vma->vm_mm, address) != vma)
+-			return -ENOMEM;
++		struct vm_area_struct *prev = vma->vm_prev;
+ 
+-		expand_stack(vma, address);
++		/*
++		 * Is there a mapping abutting this one below?
++		 *
++		 * That's only ok if it's the same stack mapping
++		 * that has gotten split..
++		 */
++		if (prev && prev->vm_end == address)
++			return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
++
++		expand_stack(vma, address - PAGE_SIZE);
+ 	}
+ 	if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
+ 		struct vm_area_struct *next = vma->vm_next;
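Review bot: The return value of `expand_stack(vma, address - PAGE_SIZE)` is still discarded in the VM_GROWSDOWN branch, so a failed expansion (for example when the stack rlimit is reached) is not reported to the caller. The fault then presumably continues on the page that was meant to stay a guard page. Since the abutting-mapping case already returns an error code directly, the expansion could do the same with `return expand_stack(vma, address - PAGE_SIZE);`, assuming the VM_GROWSUP branch below never needs to run for the same vma. Separately, `prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM` relies on `&` binding tighter than `?:`, and parenthesising the flag test would make that explicit. check_stack_guard_page starts and ends outside the hunk.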

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch	Mon Aug 30 06:16:53 2010	(r16228)
@@ -0,0 +1,29 @@
+commit 0550d4ec87bca8e87c3569fb4cb0ee482b64b3f9
+Author: dann frazier <dannf at hp.com>
+Date:   Sun Aug 29 20:19:26 2010 -0600
+
+    Avoid ABI change
+
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index dc9c951..55afcc5 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -109,7 +109,7 @@ struct vm_area_struct {
+ 					   within vm_mm. */
+ 
+ 	/* linked list of VM areas per task, sorted by address */
+-	struct vm_area_struct *vm_next, *vm_prev;
++	struct vm_area_struct *vm_next;
+ 
+ 	pgprot_t vm_page_prot;		/* Access permissions of this VMA. */
+ 	unsigned long vm_flags;		/* Flags, listed below. */
+@@ -157,6 +157,9 @@ struct vm_area_struct {
+ #ifdef CONFIG_NUMA
+ 	struct mempolicy *vm_policy;	/* NUMA policy for the VMA */
+ #endif
++#ifndef __GENKSYMS__
++	struct vm_area_struct *vm_prev;
++#endif
+ };
+ 
+ struct mm_struct {
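Review bot: The `#ifndef __GENKSYMS__` block at the end of struct vm_area_struct has no comment saying why vm_prev sits there rather than beside vm_next, and the commit message only says "Avoid ABI change". I would add `/* vm_prev is placed last and hidden from genksyms so existing member offsets and symbol versions stay unchanged; the struct still grows */` above the field. That last clause matters: hiding the member keeps symbol checksums stable but does not keep sizeof(struct vm_area_struct) stable, so a module already built against the old header that allocates or copies one by value would use the shorter layout. Whether such modules exist for this release is not visible here. The struct definition starts outside the hunk.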

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch	Mon Aug 30 06:16:53 2010	(r16228)
@@ -0,0 +1,130 @@
+commit f0e00e64d73d2e575fa76f059c02e15459c826f9
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Fri Aug 20 16:24:55 2010 -0700
+
+    mm: make the vma list be doubly linked
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org]
+    [Note: nommu.c changes ignored, no Debian ports use it]
+    
+    It's a really simple list, and several of the users want to go backwards
+    in it to find the previous vma.  So rather than have to look up the
+    previous entry with 'find_vma_prev()' or something similar, just make it
+    doubly linked instead.
+    
+    Tested-by: Ian Campbell <ijc at hellion.org.uk>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
+index 02a27ae..dc9c951 100644
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -109,7 +109,7 @@ struct vm_area_struct {
+ 					   within vm_mm. */
+ 
+ 	/* linked list of VM areas per task, sorted by address */
+-	struct vm_area_struct *vm_next;
++	struct vm_area_struct *vm_next, *vm_prev;
+ 
+ 	pgprot_t vm_page_prot;		/* Access permissions of this VMA. */
+ 	unsigned long vm_flags;		/* Flags, listed below. */
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 7260a05..4b3963a 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -234,7 +234,7 @@ out:
+ #ifdef CONFIG_MMU
+ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ {
+-	struct vm_area_struct *mpnt, *tmp, **pprev;
++	struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
+ 	struct rb_node **rb_link, *rb_parent;
+ 	int retval;
+ 	unsigned long charge;
+@@ -259,6 +259,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ 	rb_parent = NULL;
+ 	pprev = &mm->mmap;
+ 
++	prev = NULL;
+ 	for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
+ 		struct file *file;
+ 
+@@ -287,7 +288,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ 		vma_set_policy(tmp, pol);
+ 		tmp->vm_flags &= ~VM_LOCKED;
+ 		tmp->vm_mm = mm;
+-		tmp->vm_next = NULL;
++		tmp->vm_next = tmp->vm_prev = NULL;
+ 		anon_vma_link(tmp);
+ 		file = tmp->vm_file;
+ 		if (file) {
+@@ -310,6 +311,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
+ 		 */
+ 		*pprev = tmp;
+ 		pprev = &tmp->vm_next;
++		tmp->vm_prev = prev;
++		prev = tmp;
+ 
+ 		__vma_link_rb(mm, tmp, rb_link, rb_parent);
+ 		rb_link = &tmp->vm_rb.rb_right;
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 2ffd74c..0c137e5 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -387,17 +387,23 @@ static inline void
+ __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma,
+ 		struct vm_area_struct *prev, struct rb_node *rb_parent)
+ {
++	struct vm_area_struct *next;
++
++	vma->vm_prev = prev;
+ 	if (prev) {
+-		vma->vm_next = prev->vm_next;
++		next = prev->vm_next;
+ 		prev->vm_next = vma;
+ 	} else {
+ 		mm->mmap = vma;
+ 		if (rb_parent)
+-			vma->vm_next = rb_entry(rb_parent,
++			next = rb_entry(rb_parent,
+ 					struct vm_area_struct, vm_rb);
+ 		else
+-			vma->vm_next = NULL;
++			next = NULL;
+ 	}
++	vma->vm_next = next;
++	if (next)
++		next->vm_prev = vma;
+ }
+ 
+ void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -486,7 +492,11 @@ static inline void
+ __vma_unlink(struct mm_struct *mm, struct vm_area_struct *vma,
+ 		struct vm_area_struct *prev)
+ {
+-	prev->vm_next = vma->vm_next;
++	struct vm_area_struct *next = vma->vm_next;
++
++	prev->vm_next = next;
++	if (next)
++		next->vm_prev = prev;
+ 	rb_erase(&vma->vm_rb, &mm->mm_rb);
+ 	if (mm->mmap_cache == vma)
+ 		mm->mmap_cache = prev;
+@@ -1782,6 +1792,7 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	unsigned long addr;
+ 
+ 	insertion_point = (prev ? &prev->vm_next : &mm->mmap);
++	vma->vm_prev = NULL;
+ 	do {
+ 		rb_erase(&vma->vm_rb, &mm->mm_rb);
+ 		mm->map_count--;
+@@ -1789,6 +1800,8 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+ 		vma = vma->vm_next;
+ 	} while (vma && vma->vm_start < end);
+ 	*insertion_point = vma;
++	if (vma)
++		vma->vm_prev = prev;
+ 	tail_vma->vm_next = NULL;
+ 	if (mm->unmap_area == arch_unmap_area)
+ 		addr = prev ? prev->vm_end : mm->mmap_base;
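Review bot: Nothing in these hunks records the invariant that the stack guard check now depends on: every writer of vm_next must keep vm_prev in step. The comment above the field in mm_types.h still reads as for a singly linked list; I would extend it to `/* doubly linked list of VM areas per task, sorted by address; update vm_prev wherever vm_next is written */`. Because this is a backport to 2.6.26 with the nommu.c part dropped, it is worth confirming that no other code in this tree links or unlinks vmas by hand outside dup_mmap, __vma_link_list, __vma_unlink and detach_vmas_to_be_unmapped. A stale vm_prev would make the guard-page check look at the wrong neighbour. All four functions continue outside their hunks.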

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Mon Aug 30 06:16:32 2010	(r16227)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Mon Aug 30 06:16:53 2010	(r16228)
@@ -8,3 +8,6 @@
 + bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
 + bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
 + bugfix/all/parport-quickfix-proc-registration-no-abi-change.patch
++ bugfix/all/mm-make-the-vma-list-be-doubly-linked.patch
++ bugfix/all/mm-make-the-vma-list-be-doubly-linked-no-abi-change.patch
++ bugfix/all/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch


