[kernel] r16534 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 8 04:53:36 UTC 2010
Author: dannf
Date: Mon Nov 8 04:53:23 2010
New Revision: 16534
Log:
setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Nov 7 21:01:22 2010 (r16533)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Nov 8 04:53:23 2010 (r16534)
@@ -10,6 +10,7 @@
* ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
* thinkpad-acpi: lock down video output state access (CVE-2010-3448)
* sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() (CVE-2010-3705)
+ * setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
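Review bot: the new entry lands in the block whose trailer is still dated "Thu, 30 Sep 2010 21:42:24 -0600", which predates this change; that is expected for an unreleased changelog section, but the trailer must be refreshed (for example via `dch -r`) when 2.6.26-25lenny2 is finalised so the stamp postdates every entry it covers. The wording "setup_arg_pages: diagnose excessive argument size (CVE-2010-3858)" is the upstream subject plus the CVE, consistent with the three neighbouring entries.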
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch Mon Nov 8 04:53:23 2010 (r16534)
@@ -0,0 +1,39 @@
+commit b7a3ef62ad1c65562e9f84cd5812887c4fe6eedb
+Author: Roland McGrath <roland at redhat.com>
+Date: Tue Sep 7 19:35:49 2010 -0700
+
+ setup_arg_pages: diagnose excessive argument size
+
+ The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+ check the size of the argument/environment area on the stack.
+ When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+ This is exploitable with a very large RLIMIT_STACK limit, to
+ create a crash pretty easily.
+
+ Check that the initial stack is not too large to make it possible
+ to map in any executable. We're not checking that the actual
+ executable (or intepreter, for binfmt_elf) will fit. So those
+ mappings might clobber part of the initial stack mapping. But
+ that is just userland lossage that userland made happen, not a
+ kernel problem.
+
+ Signed-off-by: Roland McGrath <roland at redhat.com>
+ Reviewed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 164ac13..d490980 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -599,6 +599,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ #else
+ stack_top = arch_align_stack(stack_top);
+ stack_top = PAGE_ALIGN(stack_top);
++
++ if (unlikely(stack_top < mmap_min_addr) ||
++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++ return -ENOMEM;
++
+ stack_shift = vma->vm_end - stack_top;
+
+ bprm->p -= stack_shift;
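Review bot: the indentation of the quoted kernel lines looks flattened (`+ #else`, `++ return -ENOMEM;`), most likely by mail rendering; verify that the on-disk patch keeps the kernel's tab indentation, otherwise `quilt push` will fail to match the context lines `stack_top = PAGE_ALIGN(stack_top);` and `stack_shift = vma->vm_end - stack_top;` in fs/exec.c. On substance, the bound is added only in the `#else` arm (the CONFIG_STACK_GROWSDOWN variant), which is exactly the path the commit message says lacked a size check, so leaving the other arm untouched is correct. The two-part condition is ordered sensibly: `stack_top < mmap_min_addr` is tested first, which keeps the unsigned subtraction `stack_top - mmap_min_addr` in the second clause from wrapping, and `vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr` rejects an argument/environment area that would leave no room below the aligned stack top, returning -ENOMEM to the exec() caller instead of letting shift_arg_pages() reach its BUG_ON. The patch file carries the upstream commit id b7a3ef62ad1c65562e9f84cd5812887c4fe6eedb and Signed-off-by lines, which is enough provenance for the lenny-security tree.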
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sun Nov 7 21:01:22 2010 (r16533)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Nov 8 04:53:23 2010 (r16534)
@@ -8,3 +8,4 @@
+ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
+ bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch
+ bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
++ bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch
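Review bot: the series entry is appended after the sctp patch, matching the order of the changelog entries (ALSA, thinkpad-acpi, sctp, then this one), and the path `bugfix/all/setup_arg_pages-diagnose-excessive-argument-size.patch` matches the file added in this revision; nothing to change.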