[kernel] r15856 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jun 12 00:04:27 UTC 2010


Author: dannf
Date: Sat Jun 12 00:04:17 2010
New Revision: 15856

Log:
nfsd: fix vm overcommit crash (CVE-2010-1643)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch
   dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/23

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Fri Jun 11 11:10:52 2010	(r15855)
+++ dists/lenny/linux-2.6/debian/changelog	Sat Jun 12 00:04:17 2010	(r15856)
@@ -5,6 +5,7 @@
   * sunxvr500: Ignore secondary output PCI devices (Closes: #580422)
   * sctp: fix append error cause to ERROR chunk correctly
     (a further fix for CVE-2010-1173)
+  * nsfd: fix vm overcommit crash (CVE-2010-1643)
 
   [ Ben Hutchings ]
   * [sparc64] Fix definition of VMEMMAP_SIZE (Closes: #509202)

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch	Sat Jun 12 00:04:17 2010	(r15856)
@@ -0,0 +1,52 @@
+commit 2b39434721764735e9ed0475deab8eec7915a5b2
+Author: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+Date:   Tue Dec 2 10:31:46 2008 -0800
+
+    nfsd: fix vm overcommit crash fix #2
+    
+    The previous patch from Alan Cox ("nfsd: fix vm overcommit crash",
+    commit 731572d39fcd3498702eda4600db4c43d51e0b26) fixed the problem where
+    knfsd crashes on exported shmemfs objects and strict overcommit is set.
+    
+    But the patch forgot supporting the case when CONFIG_SECURITY is
+    disabled.
+    
+    This patch copies a part of his fix which is mainly for detecting a bug
+    earlier.
+    
+    Acked-by: James Morris <jmorris at namei.org>
+    Signed-off-by: Alan Cox <alan at redhat.com>
+    Signed-off-by: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 1f08b32..f8e57e9 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1845,17 +1845,21 @@ static inline int security_settime(struct timespec *ts, struct timezone *tz)
+ 
+ static inline int security_vm_enough_memory(long pages)
+ {
++	WARN_ON(current->mm == NULL);
+ 	return cap_vm_enough_memory(current->mm, pages);
+ }
+ 
+-static inline int security_vm_enough_memory_kern(long pages)
++static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
+-	return cap_vm_enough_memory(current->mm, pages);
++	WARN_ON(mm == NULL);
++	return cap_vm_enough_memory(mm, pages);
+ }
+ 
+-static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
++static inline int security_vm_enough_memory_kern(long pages)
+ {
+-	return cap_vm_enough_memory(mm, pages);
++	/* If current->mm is a kernel thread then we will pass NULL,
++	   for this specific case that is fine */
++	return cap_vm_enough_memory(current->mm, pages);
+ }
+ 
+ static inline int security_bprm_alloc(struct linux_binprm *bprm)
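Review bot: The comment added to the `!CONFIG_SECURITY` stub of `security_vm_enough_memory_kern()` reads "If current->mm is a kernel thread", but it is `current` that is the kernel thread and `current->mm` that is NULL; `/* Kernel threads have no mm, so current->mm may be NULL here; __vm_enough_memory() tolerates that. */` would say what is meant. The two `WARN_ON()` calls added to `security_vm_enough_memory()` and `security_vm_enough_memory_mm()` only log: the NULL mm is still handed to `cap_vm_enough_memory()`. This patch is therefore safe only on top of the `if (mm)` guard that nfsd-fix-vm-overcommit-crash.patch adds to `__vm_enough_memory()`, so the series must keep it after that patch.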

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-fix-vm-overcommit-crash.patch	Sat Jun 12 00:04:17 2010	(r15856)
@@ -0,0 +1,134 @@
+commit db22afc93d861bbe1cdac00ef4c4b02b07b7a953
+Author: Alan Cox <alan at redhat.com>
+Date:   Wed Oct 29 14:01:20 2008 -0700
+
+    nfsd: fix vm overcommit crash
+    
+    Junjiro R.  Okajima reported a problem where knfsd crashes if you are
+    using it to export shmemfs objects and run strict overcommit.  In this
+    situation the current->mm based modifier to the overcommit goes through a
+    NULL pointer.
+    
+    We could simply check for NULL and skip the modifier but we've caught
+    other real bugs in the past from mm being NULL here - cases where we did
+    need a valid mm set up (eg the exec bug about a year ago).
+    
+    To preserve the checks and get the logic we want shuffle the checking
+    around and add a new helper to the vm_ security wrappers
+    
+    Also fix a current->mm reference in nommu that should use the passed mm
+    
+    [akpm at linux-foundation.org: coding-style fixes]
+    [akpm at linux-foundation.org: fix build]
+    Reported-by: Junjiro R. Okajima <hooanon05 at yahoo.co.jp>
+    Acked-by: James Morris <jmorris at namei.org>
+    Signed-off-by: Alan Cox <alan at redhat.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 50b0a67..1f08b32 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -1617,6 +1617,7 @@ int security_syslog(int type);
+ int security_settime(struct timespec *ts, struct timezone *tz);
+ int security_vm_enough_memory(long pages);
+ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
++int security_vm_enough_memory_kern(long pages);
+ int security_bprm_alloc(struct linux_binprm *bprm);
+ void security_bprm_free(struct linux_binprm *bprm);
+ void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
+@@ -1847,6 +1848,11 @@ static inline int security_vm_enough_memory(long pages)
+ 	return cap_vm_enough_memory(current->mm, pages);
+ }
+ 
++static inline int security_vm_enough_memory_kern(long pages)
++{
++	return cap_vm_enough_memory(current->mm, pages);
++}
++
+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
+ 	return cap_vm_enough_memory(mm, pages);
+diff --git a/mm/mmap.c b/mm/mmap.c
+index d2befc5..be95d3b 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -171,7 +171,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 
+ 	/* Don't let a single process grow too big:
+ 	   leave 3% of the size of this process for other processes */
+-	allowed -= mm->total_vm / 32;
++	if (mm)
++		allowed -= mm->total_vm / 32;
+ 
+ 	/*
+ 	 * cast `allowed' as a signed long because vm_committed_space
+diff --git a/mm/nommu.c b/mm/nommu.c
+index 6e26b33..9fd9748 100644
+--- a/mm/nommu.c
++++ b/mm/nommu.c
+@@ -1411,7 +1411,8 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ 
+ 	/* Don't let a single process grow too big:
+ 	   leave 3% of the size of this process for other processes */
+-	allowed -= current->mm->total_vm / 32;
++	if (mm)
++		allowed -= mm->total_vm / 32;
+ 
+ 	/*
+ 	 * cast `allowed' as a signed long because vm_committed_space
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 8f8412b..5d6aa38 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -163,8 +163,8 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb)
+  */
+ static inline int shmem_acct_size(unsigned long flags, loff_t size)
+ {
+-	return (flags & VM_ACCOUNT)?
+-		security_vm_enough_memory(VM_ACCT(size)): 0;
++	return (flags & VM_ACCOUNT) ?
++		security_vm_enough_memory_kern(VM_ACCT(size)) : 0;
+ }
+ 
+ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
+@@ -181,8 +181,8 @@ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
+  */
+ static inline int shmem_acct_block(unsigned long flags)
+ {
+-	return (flags & VM_ACCOUNT)?
+-		0: security_vm_enough_memory(VM_ACCT(PAGE_CACHE_SIZE));
++	return (flags & VM_ACCOUNT) ?
++		0 : security_vm_enough_memory_kern(VM_ACCT(PAGE_CACHE_SIZE));
+ }
+ 
+ static inline void shmem_unacct_blocks(unsigned long flags, long pages)
+diff --git a/security/security.c b/security/security.c
+index 17b1f0e..64debb4 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -224,14 +224,23 @@ int security_settime(struct timespec *ts, struct timezone *tz)
+ 
+ int security_vm_enough_memory(long pages)
+ {
++	WARN_ON(current->mm == NULL);
+ 	return security_ops->vm_enough_memory(current->mm, pages);
+ }
+ 
+ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+ {
++	WARN_ON(mm == NULL);
+ 	return security_ops->vm_enough_memory(mm, pages);
+ }
+ 
++int security_vm_enough_memory_kern(long pages)
++{
++	/* If current->mm is a kernel thread then we will pass NULL,
++	   for this specific case that is fine */
++	return security_ops->vm_enough_memory(current->mm, pages);
++}
++
+ int security_bprm_alloc(struct linux_binprm *bprm)
+ {
+ 	return security_ops->bprm_alloc_security(bprm);
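Review bot: The `if (mm)` guard added to `__vm_enough_memory()` in mm/mmap.c and mm/nommu.c sits under a comment ("Don't let a single process grow too big") that still reads as unconditional, and nothing at that site says when mm can be NULL; a line such as `/* mm is NULL when called from a kernel thread via security_vm_enough_memory_kern() */` would record it. The function body starts and ends outside both hunks, so whether mm is dereferenced elsewhere in it cannot be checked from here. In security/security.c the new `security_vm_enough_memory_kern()` passes a possibly NULL `current->mm` to `security_ops->vm_enough_memory`, so every LSM implementing that hook has to accept NULL as well; that is not visible in this patch and is worth confirming for the lenny tree.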

Modified: dists/lenny/linux-2.6/debian/patches/series/23
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/23	Fri Jun 11 11:10:52 2010	(r15855)
+++ dists/lenny/linux-2.6/debian/patches/series/23	Sat Jun 12 00:04:17 2010	(r15856)
@@ -13,3 +13,5 @@
 + bugfix/x86/x86-completely-disable-NOPL-on-32-bits.patch
 + bugfix/all/virtio_blk-dont-bounce-highmem-requests.patch
 + bugfix/all/sctp-fix-append-error-cause-to-ERROR-chunk-correctly.patch
++ bugfix/all/nfsd-fix-vm-overcommit-crash.patch
++ bugfix/all/nfsd-fix-vm-overcommit-crash-2.patch


