[kernel] r17982 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 21 21:57:57 UTC 2011
Author: dannf
Date: Sun Aug 21 21:57:56 2011
New Revision: 17982
Log:
vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
- copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
- copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 21:51:11 2011 (r17981)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 21:57:56 2011 (r17982)
@@ -5,6 +5,7 @@
* taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
* proc: restrict access to /proc/PID/io (CVE-2011-2495)
+ * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
[ Moritz Muehlenhoff ]
* ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch Sun Aug 21 21:57:56 2011 (r17982)
@@ -0,0 +1,43 @@
+commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Thu Apr 7 07:35:50 2011 -0700
+
+ mm: avoid wrapping vm_pgoff in mremap()
+
+ The normal mmap paths all avoid creating a mapping where the pgoff
+ inside the mapping could wrap around due to overflow. However, an
+ expanding mremap() can take such a non-wrapping mapping and make it
+ bigger and cause a wrapping condition.
+
+ Noticed by Robert Swiecki when running a system call fuzzer, where it
+ caused a BUG_ON() due to terminally confusing the vma_prio_tree code. A
+ vma dumping patch by Hugh then pinpointed the crazy wrapped case.
+
+ Reported-and-tested-by: Robert Swiecki <robert at swiecki.net>
+ Acked-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 1de98d4..a7c1f9f 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -277,9 +277,16 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+ if (old_len > vma->vm_end - addr)
+ goto Efault;
+
+- if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+- if (new_len > old_len)
++ /* Need to be careful about a growing mapping */
++ if (new_len > old_len) {
++ unsigned long pgoff;
++
++ if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
+ goto Efault;
++ pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++ pgoff += vma->vm_pgoff;
++ if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
++ goto Einval;
+ }
+
+ if (vma->vm_flags & VM_LOCKED) {
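Review bot: Unlike the two patches that follow, this one carries no "[dannf: backported ...]" trailer and its hunk context is the upstream vma_to_resize() prologue, yet it is being added to lenny-security (series 26lenny4) rather than copied from the squeeze tree; worth confirming the hunk actually applies to the lenny mremap.c before the series is built, and adding a backport trailer if it had to be adjusted. The check itself is sound: `pgoff`, `new_len` and `vm_pgoff` are all unsigned long, so `pgoff + (new_len >> PAGE_SHIFT) < pgoff` is well-defined wrap detection and correctly rejects a grown mapping whose page offset would wrap, while the VM_DONTEXPAND | VM_PFNMAP refusal keeps its old scope (only when new_len > old_len).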
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch Sun Aug 21 21:57:56 2011 (r17982, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
@@ -0,0 +1,43 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Apr 13 08:07:28 2011 -0700
+
+ vm: fix vm_pgoff wrap in stack expansion
+
+ Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+ the case of a expanding mapping causing vm_pgoff wrapping when you used
+ mremap. But there was another case where we expand mappings hiding in
+ plain sight: the automatic stack expansion.
+
+ This fixes that case too.
+
+ This one also found by Robert Święcki, using his nasty system call
+ fuzzer tool. Good job.
+
+ Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ anon_vma_unlock(vma);
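Review bot: The trailer reads "[dannf: backported to Debian's 2.6.32]" but this copy lands in lenny-security (series 26lenny4); either the trailer is stale for this tree or the patch should be re-checked against the lenny mm/mmap.c, since it was copied unchanged from the squeeze tree. The guard `if (grow <= vma->vm_pgoff)` would also benefit from a one-line comment stating its purpose (it keeps `vma->vm_pgoff -= grow` from underflowing below zero), and note that the rejected case surfaces as -ENOMEM here whereas the mremap patch reports the equivalent wrap via Einval.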
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch Sun Aug 21 21:57:56 2011 (r17982, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
@@ -0,0 +1,40 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date: Mon May 9 17:44:42 2011 -0700
+
+ vm: fix vm_pgoff wrap in upward expansion
+
+ Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+ the case of an expanding mapping causing vm_pgoff wrapping when you had
+ downward stack expansion. But there was another case where IA64 and
+ PA-RISC expand mappings: upward expansion.
+
+ This fixes that case too.
+
+ Signed-off-by: Hugh Dickins <hughd at google.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 537b365..515e3cb 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1636,9 +1636,14 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ size = address - vma->vm_start;
+ grow = (address - vma->vm_end) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error)
+- vma->vm_end = address;
++ error = -ENOMEM;
++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_end = address;
++ perf_event_mmap(vma);
++ }
++ }
+ }
+ anon_vma_unlock(vma);
+ return error;
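Review bot: The `+` side adds a `perf_event_mmap(vma);` call on successful upward expansion that has no counterpart on the `-` side (the removed lines only set `vma->vm_end = address;`), so this backport changes behaviour beyond the wrap check; either drop that line or record it explicitly in the backport trailer, which also still says 2.6.32 for a lenny-security tree. The wrap test `vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff` is correct unsigned-overflow detection for the new end offset, and the `index 537b365..515e3cb` line confirms it is meant to apply on top of the stack-expansion patch.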
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 21:51:11 2011 (r17981)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 21:57:56 2011 (r17982)
@@ -7,3 +7,6 @@
+ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
+ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
+ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
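Review bot: The series order is consistent with the blob chain in the patches (stack-expansion produces mmap.c 537b365, which upward-expansion takes as its pre-image), so these three must stay in this order; the mremap patch touches a different file and is independent. None of the three alters a struct or an exported function signature, so no debian/*-Avoid-ABI-change* companion is needed, unlike the NLM entry above.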