[kernel] r15856 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jun 12 00:04:27 UTC 2010
Author: dannf
Date: Sat Jun 12 00:04:17 2010
New Revision: 15856
Log:
nfsd: fix vm overcommit crash (CVE-2010-1643)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/23
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Fri Jun 11 11:10:52 2010 (r15855)
+++ dists/lenny/linux-2.6/debian/changelog Sat Jun 12 00:04:17 2010 (r15856)
@@ -5,6 +5,7 @@
* sunxvr500: Ignore secondary output PCI devices (Closes: #580422)
* sctp: fix append error cause to ERROR chunk correctly
(a further fix for CVE-2010-1173)
+ * nsfd: fix vm overcommit crash (CVE-2010-1643)
[ Ben Hutchings ]
* [sparc64] Fix definition of VMEMMAP_SIZE (Closes: #509202)
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch Sat Jun 12 00:04:17 2010 (r15856)
@@ -0,0 +1,52 @@
+commit 2b39434721764735e9ed0475deab8eec7915a5b2
+Author: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+Date: Tue Dec 2 10:31:46 2008 -0800
+
+ nfsd: fix vm overcommit crash fix #2
+
+ The previous patch from Alan Cox ("nfsd: fix vm overcommit crash",
+ commit 731572d39fcd3498702eda4600db4c43d51e0b26) fixed the problem where
+ knfsd crashes on exported shmemfs objects and strict overcommit is set.
+
+ But the patch forgot supporting the case when CONFIG_SECURITY is
+ disabled.
+
+ This patch copies a part of his fix which is mainly for detecting a bug
+ earlier.
+
+ Acked-by: James Morris <jmorris at namei.org>
+ Signed-off-by: Alan Cox <alan at redhat.com>
+ Signed-off-by: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 1f08b32..f8e57e9 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1845,17 +1845,21 @@ static inline int security_settime(struct timespec *ts, struct timezone *tz)
+
+ static inline int security_vm_enough_memory(long pages)
+ {
++ WARN_ON(current->mm == NULL);
+ return cap_vm_enough_memory(current->mm, pages);
+ }
+
+-static inline int security_vm_enough_memory_kern(long pages)
++static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
+- return cap_vm_enough_memory(current->mm, pages);
++ WARN_ON(mm == NULL);
++ return cap_vm_enough_memory(mm, pages);
+ }
+
+-static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
++static inline int security_vm_enough_memory_kern(long pages)
+ {
+- return cap_vm_enough_memory(mm, pages);
++ /* If current->mm is a kernel thread then we will pass NULL,
++ for this specific case that is fine */
++ return cap_vm_enough_memory(current->mm, pages);
+ }
+
+ static inline int security_bprm_alloc(struct linux_binprm *bprm)
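Review bot: The `WARN_ON(current->mm == NULL)` and `WARN_ON(mm == NULL)` checks added to security_vm_enough_memory() and security_vm_enough_memory_mm() only log, and the NULL mm is still passed on to cap_vm_enough_memory(). In the !CONFIG_SECURITY build the crash fix therefore depends on the `if (mm)` guard that the companion nfsd-fix-vm-overcommit-crash.patch adds to __vm_enough_memory(); series/23 lists that patch first, and that order needs to stay. If any caller not visible here can reach these wrappers repeatedly without an mm, every call prints a full backtrace, so `WARN_ON_ONCE(current->mm == NULL);` and `WARN_ON_ONCE(mm == NULL);` would keep the diagnostic without the log volume. The comment in security_vm_enough_memory_kern() describes `current->mm` as the kernel thread; it would read more accurately as `/* current may be a kernel thread (e.g. knfsd), so current->mm can be NULL; that is accepted here */`.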
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch Sat Jun 12 00:04:17 2010 (r15856)
@@ -0,0 +1,134 @@
+commit db22afc93d861bbe1cdac00ef4c4b02b07b7a953
+Author: Alan Cox <alan at redhat.com>
+Date: Wed Oct 29 14:01:20 2008 -0700
+
+ nfsd: fix vm overcommit crash
+
+ Junjiro R. Okajima reported a problem where knfsd crashes if you are
+ using it to export shmemfs objects and run strict overcommit. In this
+ situation the current->mm based modifier to the overcommit goes through a
+ NULL pointer.
+
+ We could simply check for NULL and skip the modifier but we've caught
+ other real bugs in the past from mm being NULL here - cases where we did
+ need a valid mm set up (eg the exec bug about a year ago).
+
+ To preserve the checks and get the logic we want shuffle the checking
+ around and add a new helper to the vm_ security wrappers
+
+ Also fix a current->mm reference in nommu that should use the passed mm
+
+ [akpm at linux-foundation.org: coding-style fixes]
+ [akpm at linux-foundation.org: fix build]
+ Reported-by: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+ Acked-by: James Morris <jmorris at namei.org>
+ Signed-off-by: Alan Cox <alan at redhat.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 50b0a67..1f08b32 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1617,6 +1617,7 @@ int security_syslog(int type);
+ int security_settime(struct timespec *ts, struct timezone *tz);
+ int security_vm_enough_memory(long pages);
+ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
++int security_vm_enough_memory_kern(long pages);
+ int security_bprm_alloc(struct linux_binprm *bprm);
+ void security_bprm_free(struct linux_binprm *bprm);
+ void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
+@@ -1847,6 +1848,11 @@ static inline int security_vm_enough_memory(long pages)
+ return cap_vm_enough_memory(current->mm, pages);
+ }
+
++static inline int security_vm_enough_memory_kern(long pages)
++{
++ return cap_vm_enough_memory(current->mm, pages);
++}
++
+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
+ return cap_vm_enough_memory(mm, pages);
+diff --git a/mm/mmap.c b/mm/mmap.c
+index d2befc5..be95d3b 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -171,7 +171,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+
+ /* Don't let a single process grow too big:
+ leave 3% of the size of this process for other processes */
+- allowed -= mm->total_vm / 32;
++ if (mm)
++ allowed -= mm->total_vm / 32;
+
+ /*
+ * cast `allowed' as a signed long because vm_committed_space
+diff --git a/mm/nommu.c b/mm/nommu.c
+index 6e26b33..9fd9748 100644
+--- a/mm/nommu.c
++++ b/mm/nommu.c
+@@ -1411,7 +1411,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+
+ /* Don't let a single process grow too big:
+ leave 3% of the size of this process for other processes */
+- allowed -= current->mm->total_vm / 32;
++ if (mm)
++ allowed -= mm->total_vm / 32;
+
+ /*
+ * cast `allowed' as a signed long because vm_committed_space
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 8f8412b..5d6aa38 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -163,8 +163,8 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb)
+ */
+ static inline int shmem_acct_size(unsigned long flags, loff_t size)
+ {
+- return (flags & VM_ACCOUNT)?
+- security_vm_enough_memory(VM_ACCT(size)): 0;
++ return (flags & VM_ACCOUNT) ?
++ security_vm_enough_memory_kern(VM_ACCT(size)) : 0;
+ }
+
+ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
+@@ -181,8 +181,8 @@ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
+ */
+ static inline int shmem_acct_block(unsigned long flags)
+ {
+- return (flags & VM_ACCOUNT)?
+- 0: security_vm_enough_memory(VM_ACCT(PAGE_CACHE_SIZE));
++ return (flags & VM_ACCOUNT) ?
++ 0 : security_vm_enough_memory_kern(VM_ACCT(PAGE_CACHE_SIZE));
+ }
+
+ static inline void shmem_unacct_blocks(unsigned long flags, long pages)
+diff --git a/security/security.c b/security/security.c
+index 17b1f0e..64debb4 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -224,14 +224,23 @@ int security_settime(struct timespec *ts, struct timezone *tz)
+
+ int security_vm_enough_memory(long pages)
+ {
++ WARN_ON(current->mm == NULL);
+ return security_ops->vm_enough_memory(current->mm, pages);
+ }
+
+ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
++ WARN_ON(mm == NULL);
+ return security_ops->vm_enough_memory(mm, pages);
+ }
+
++int security_vm_enough_memory_kern(long pages)
++{
++ /* If current->mm is a kernel thread then we will pass NULL,
++ for this specific case that is fine */
++ return security_ops->vm_enough_memory(current->mm, pages);
++}
++
+ int security_bprm_alloc(struct linux_binprm *bprm)
+ {
+ return security_ops->bprm_alloc_security(bprm);
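Review bot: security_vm_enough_memory_kern() in security/security.c now hands a possibly NULL `current->mm` to `security_ops->vm_enough_memory`, but the only NULL guards in this patch are the `if (mm)` checks in the two __vm_enough_memory() copies (mm/mmap.c and mm/nommu.c). The hook implementations behind security_ops are not part of the patch, so it is worth confirming that none of them dereferences mm before reaching __vm_enough_memory(). The comment in the new function could state that contract, for example `/* mm is NULL for kernel threads such as knfsd; vm_enough_memory hooks must not dereference it */`. Both shmem accounting helpers in mm/shmem.c switch to the _kern variant for every caller, so the new WARN_ON diagnostics never cover shmem paths; a one-line comment above shmem_acct_size() explaining that choice would help the next reader.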
Modified: dists/lenny/linux-2.6/debian/patches/series/23
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/23 Fri Jun 11 11:10:52 2010 (r15855)
+++ dists/lenny/linux-2.6/debian/patches/series/23 Sat Jun 12 00:04:17 2010 (r15856)
@@ -13,3 +13,5 @@
+ bugfix/x86/x86-completely-disable-NOPL-on-32-bits.patch
+ bugfix/all/virtio_blk-dont-bounce-highmem-requests.patch
+ bugfix/all/sctp-fix-append-error-cause-to-ERROR-chunk-correctly.patch
++ bugfix/all/nfsd-fix-vm-overcommit-crash.patch
++ bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch