[kernel] r17913 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 12 01:30:20 UTC 2011
Author: dannf
Date: Fri Aug 12 01:30:18 2011
New Revision: 17913
Log:
vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 00:52:55 2011 (r17912)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri Aug 12 01:30:18 2011 (r17913)
@@ -7,6 +7,7 @@
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
* Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
* proc: restrict access to /proc/PID/io (CVE-2011-2495)
+ * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
[ Moritz Muehlenhoff ]
* si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch Fri Aug 12 01:30:18 2011 (r17913)
@@ -0,0 +1,42 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Apr 13 08:07:28 2011 -0700
+
+ vm: fix vm_pgoff wrap in stack expansion
+
+ Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+ the case of a expanding mapping causing vm_pgoff wrapping when you used
+ mremap. But there was another case where we expand mappings hiding in
+ plain sight: the automatic stack expansion.
+
+ This fixes that case too.
+
+ This one also found by Robert Święcki, using his nasty system call
+ fuzzer tool. Good job.
+
+ Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
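Review bot: the new guard `if (grow <= vma->vm_pgoff)` in expand_downwards() has no comment explaining that it exists to keep `vma->vm_pgoff -= grow` from wrapping, and nothing else in the function makes that obvious. A one-line comment above the check would keep a later cleanup from folding it back into the accounting path. The refused-growth case also returns the same -ENOMEM that acct_stack_growth() can produce, so a caller cannot tell the two apart; if that is intended, it is worth a sentence in the commit message.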
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch Fri Aug 12 01:30:18 2011 (r17913)
@@ -0,0 +1,39 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date: Mon May 9 17:44:42 2011 -0700
+
+ vm: fix vm_pgoff wrap in upward expansion
+
+ Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+ the case of an expanding mapping causing vm_pgoff wrapping when you had
+ downward stack expansion. But there was another case where IA64 and
+ PA-RISC expand mappings: upward expansion.
+
+ This fixes that case too.
+
+ Signed-off-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 537b365..515e3cb 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1636,9 +1636,14 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_end = address;
++ perf_event_mmap(vma);
++ }
++ }
+ }
+ anon_vma_unlock(vma);
+ return error;
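Review bot: the added `perf_event_mmap(vma);` after `vma->vm_end = address;` in expand_upwards() is unrelated to the wrap fix. The removed lines contain no such call, the commit message does not mention it, and the companion expand_downwards() patch in this revision adds nothing equivalent. Either drop the call from this backport or record it in the changelog entry so the behaviour change is deliberate. The check `vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff` also relies on the sum wrapping around to detect overflow, which deserves a short comment at that line.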
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 00:52:55 2011 (r17912)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Fri Aug 12 01:30:18 2011 (r17913)
@@ -6,3 +6,5 @@
+ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
+ bugfix/all/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
+ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch