[kernel] r16614 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 2 13:33:59 UTC 2010


Author: dannf
Date: Thu Dec  2 13:33:48 2010
New Revision: 16614

Log:
bio: take care not overflow page count when mapping/copying user data (CVE-2010-4162)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:33:31 2010	(r16613)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:33:48 2010	(r16614)
@@ -1,6 +1,8 @@
 linux-2.6 (2.6.26-26lenny2) UNRELEASED; urgency=high
 
   * filter: make sure filters dont read uninitialized memory (CVE-2010-4158)
+  * bio: take care not overflow page count when mapping/copying user data
+    (CVE-2010-4162)
 
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch	Thu Dec  2 13:33:48 2010	(r16614)
@@ -0,0 +1,55 @@
+commit d00622b90e24782726fbb4d6f647c8cdbf51cacc
+Author: Jens Axboe <jaxboe at fusionio.com>
+Date:   Wed Nov 10 14:36:25 2010 +0100
+
+    bio: take care not overflow page count when mapping/copying user data
+    
+    [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
+    to overflow, we could end up attempting to map a huge number of
+    pages. Check for this invalid input type.
+    
+    Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+
+diff --git a/fs/bio.c b/fs/bio.c
+index 7db618c..3df12b1 100644
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -588,6 +588,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, struct sg_iovec *iov,
+ 		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		len += iov[i].iov_len;
+ 	}
+@@ -686,6 +692,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ 		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		/*
+ 		 * buffer must be aligned to at least hardsector size for now
+@@ -713,7 +725,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 		const int local_nr_pages = end - start;
+ 		const int page_limit = cur_page + local_nr_pages;
+-		
++
+ 		down_read(&current->mm->mmap_sem);
+ 		ret = get_user_pages(current, current->mm, uaddr,
+ 				     local_nr_pages,
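Review bot: The `if (end < start)` guard added to `bio_copy_user_iov` and `__bio_map_user_iov` only catches a wrap that leaves `end` below `start`. Because `PAGE_SIZE - 1` is added before the shift, a length near the top of the unsigned range can make `uaddr + len` wrap and still yield `end` equal to `start` or one page above it, so the entry is accepted with a tiny page count and a huge length. Testing the addition itself closes that gap: `if (uaddr + len < uaddr || end < start) return ERR_PTR(-EINVAL);` in the map path, with `iov[i].iov_len` in place of `len` in the copy path. Separately, the running `nr_pages += end - start` total and the narrowing in `const int local_nr_pages = end - start;` are not bounded in the visible lines. Both function bodies start and end outside these hunks, so whether later code caps them should be confirmed against the full 2.6.26 source.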

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:33:31 2010	(r16613)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:33:48 2010	(r16614)
@@ -1 +1,2 @@
 + bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch
++ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch


