[kernel] r16614 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 2 13:33:59 UTC 2010
Author: dannf
Date: Thu Dec 2 13:33:48 2010
New Revision: 16614
Log:
bio: take care not overflow page count when mapping/copying user data (CVE-2010-4162)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:33:31 2010 (r16613)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:33:48 2010 (r16614)
@@ -1,6 +1,8 @@
linux-2.6 (2.6.26-26lenny2) UNRELEASED; urgency=high
* filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
+ * bio: take care not overflow page count when mapping/copying user data
+ (CVE-2010-4162)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch Thu Dec 2 13:33:48 2010 (r16614)
@@ -0,0 +1,55 @@
+commit d00622b90e24782726fbb4d6f647c8cdbf51cacc
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date: Wed Nov 10 14:36:25 2010 +0100
+
+ bio: take care not overflow page count when mapping/copying user data
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
+ to overflow, we could end up attempting to map a huge number of
+ pages. Check for this invalid input type.
+
+ Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/fs/bio.c b/fs/bio.c
+index 7db618c..3df12b1 100644
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -588,6 +588,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, struct sg_iovec *iov,
+ end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ start = uaddr >> PAGE_SHIFT;
+
++ /*
++ * Overflow, abort
++ */
++ if (end < start)
++ return ERR_PTR(-EINVAL);
++
+ nr_pages += end - start;
+ len += iov[i].iov_len;
+ }
+@@ -686,6 +692,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ unsigned long start = uaddr >> PAGE_SHIFT;
+
++ /*
++ * Overflow, abort
++ */
++ if (end < start)
++ return ERR_PTR(-EINVAL);
++
+ nr_pages += end - start;
+ /*
+ * buffer must be aligned to at least hardsector size for now
+@@ -713,7 +725,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ unsigned long start = uaddr >> PAGE_SHIFT;
+ const int local_nr_pages = end - start;
+ const int page_limit = cur_page + local_nr_pages;
+-
++
+ down_read(¤t->mm->mmap_sem);
+ ret = get_user_pages(current, current->mm, uaddr,
+ local_nr_pages,
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:33:31 2010 (r16613)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:33:48 2010 (r16614)
@@ -1 +1,2 @@
+ bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
++ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
More information about the Kernel-svn-changes
mailing list