[kernel] r17913 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 12 01:30:20 UTC 2011


Author: dannf
Date: Fri Aug 12 01:30:18 2011
New Revision: 17913

Log:
vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Fri Aug 12 00:52:55 2011	(r17912)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Fri Aug 12 01:30:18 2011	(r17913)
@@ -7,6 +7,7 @@
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
   * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
   * proc: restrict access to /proc/PID/io (CVE-2011-2495)
+  * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch	Fri Aug 12 01:30:18 2011	(r17913)
@@ -0,0 +1,42 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Wed Apr 13 08:07:28 2011 -0700
+
+    vm: fix vm_pgoff wrap in stack expansion
+    
+    Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+    the case of a expanding mapping causing vm_pgoff wrapping when you used
+    mremap.  But there was another case where we expand mappings hiding in
+    plain sight: the automatic stack expansion.
+    
+    This fixes that case too.
+    
+    This one also found by Robert Święcki, using his nasty system call
+    fuzzer tool.  Good job.
+    
+    Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ 		size = vma->vm_end - address;
+ 		grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ 
+-		error = acct_stack_growth(vma, size, grow);
+-		if (!error) {
+-			vma->vm_start = address;
+-			vma->vm_pgoff -= grow;
++		error = -ENOMEM;
++		if (grow <= vma->vm_pgoff) {
++			error = acct_stack_growth(vma, size, grow);
++			if (!error) {
++				vma->vm_start = address;
++				vma->vm_pgoff -= grow;
++			}
+ 		}
+ 	}
+ 	anon_vma_unlock(vma);
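Review bot: the patch file names the upstream commit (a626ca6a6564) but nothing in it mentions CVE-2011-2496; add the CVE reference to the header so the file is self-describing once it is read outside this changelog. The logic in the expand_downwards hunk checks out: `grow` is already in pages (shifted by PAGE_SHIFT) and is exactly the amount subtracted from `vm_pgoff` two lines later, so `if (grow <= vma->vm_pgoff)` is the right bound to stop the unsigned subtraction wrapping, and presetting `error = -ENOMEM` means a rejected growth surfaces as the same error acct_stack_growth would return.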

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch	Fri Aug 12 01:30:18 2011	(r17913)
@@ -0,0 +1,39 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date:   Mon May 9 17:44:42 2011 -0700
+
+    vm: fix vm_pgoff wrap in upward expansion
+    
+    Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+    the case of an expanding mapping causing vm_pgoff wrapping when you had
+    downward stack expansion.  But there was another case where IA64 and
+    PA-RISC expand mappings: upward expansion.
+    
+    This fixes that case too.
+    
+    Signed-off-by: Hugh Dickins <hughd at google.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 537b365..515e3cb 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1636,9 +1636,14 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 		size = address - vma->vm_start;
+ 		grow = (address - vma->vm_end) >> PAGE_SHIFT;
+ 
+-		error = acct_stack_growth(vma, size, grow);
+-		if (!error)
+-			vma->vm_end = address;
++		error = -ENOMEM;
++		if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++			error = acct_stack_growth(vma, size, grow);
++			if (!error) {
++				vma->vm_end = address;
++				perf_event_mmap(vma);
++			}
++		}
+ 	}
+ 	anon_vma_unlock(vma);
+ 	return error;
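Review bot: the `+				perf_event_mmap(vma);` line in the expand_upwards hunk has no counterpart among the removed lines, so this backport adds a perf call the squeeze tree did not make before, which goes beyond the vm_pgoff wrap fix; either confirm this is intended (upstream had it as unchanged context and perf_event_mmap exists in this tree), or drop the line to keep the security backport minimal. The overflow check itself, `vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff`, is the standard unsigned wrap test on the page offset at the new end, and using `size` (the whole mapping length, `address - vma->vm_start`) rather than `grow` is correct for that purpose.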

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Fri Aug 12 00:52:55 2011	(r17912)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Fri Aug 12 01:30:18 2011	(r17913)
@@ -6,3 +6,5 @@
 + bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
 + bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
 + bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
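Review bot: the two new entries must stay in this order, since the upward-expansion patch's `index 537b365..515e3cb` line expects the mm/mmap.c produced by the stack-expansion patch (`index 292afec..537b365`); keep them adjacent and in sequence if this series is ever reordered.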


