[kernel] r17982 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Aug 21 21:57:57 UTC 2011


Author: dannf
Date: Sun Aug 21 21:57:56 2011
New Revision: 17982

Log:
vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
      - copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
      - copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny4

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Aug 21 21:51:11 2011	(r17981)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Aug 21 21:57:56 2011	(r17982)
@@ -5,6 +5,7 @@
   * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
   * proc: restrict access to /proc/PID/io (CVE-2011-2495)
+  * vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
 
   [ Moritz Muehlenhoff ]
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch	Sun Aug 21 21:57:56 2011	(r17982)
@@ -0,0 +1,43 @@
+commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Thu Apr 7 07:35:50 2011 -0700
+
+    mm: avoid wrapping vm_pgoff in mremap()
+    
+    The normal mmap paths all avoid creating a mapping where the pgoff
+    inside the mapping could wrap around due to overflow.  However, an
+    expanding mremap() can take such a non-wrapping mapping and make it
+    bigger and cause a wrapping condition.
+    
+    Noticed by Robert Swiecki when running a system call fuzzer, where it
+    caused a BUG_ON() due to terminally confusing the vma_prio_tree code.  A
+    vma dumping patch by Hugh then pinpointed the crazy wrapped case.
+    
+    Reported-and-tested-by: Robert Swiecki <robert at swiecki.net>
+    Acked-by: Hugh Dickins <hughd at google.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 1de98d4..a7c1f9f 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -277,9 +277,16 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
+ 	if (old_len > vma->vm_end - addr)
+ 		goto Efault;
+ 
+-	if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP)) {
+-		if (new_len > old_len)
++	/* Need to be careful about a growing mapping */
++	if (new_len > old_len) {
++		unsigned long pgoff;
++
++		if (vma->vm_flags & (VM_DONTEXPAND | VM_PFNMAP))
+ 			goto Efault;
++		pgoff = (addr - vma->vm_start) >> PAGE_SHIFT;
++		pgoff += vma->vm_pgoff;
++		if (pgoff + (new_len >> PAGE_SHIFT) < pgoff)
++			goto Einval;
+ 	}
+ 
+ 	if (vma->vm_flags & VM_LOCKED) {
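Review bot: this patch file carries no `[dannf: backported to Debian's 2.6.32]` annotation, unlike the two companion patches added in this same commit, so the description should state whether the upstream commit applied unchanged to 2.6.32 or what was adjusted. The wrap check itself is sound: `old_len > vma->vm_end - addr` has already been rejected above, so `addr` lies inside the vma, `(addr - vma->vm_start) >> PAGE_SHIFT` plus `vma->vm_pgoff` is the page offset at `addr`, and `pgoff + (new_len >> PAGE_SHIFT) < pgoff` is the standard unsigned overflow test for the enlarged range. Note also that the VM_DONTEXPAND | VM_PFNMAP test now runs only inside the `new_len > old_len` branch; that preserves the old behaviour (the removed code also only reached Efault when `new_len > old_len`) but is a restructuring worth one line in the description.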

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch	Sun Aug 21 21:57:56 2011	(r17982, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch)
@@ -0,0 +1,43 @@
+commit a626ca6a656450e9f4df91d0dda238fff23285f4
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Wed Apr 13 08:07:28 2011 -0700
+
+    vm: fix vm_pgoff wrap in stack expansion
+    
+    Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+    the case of a expanding mapping causing vm_pgoff wrapping when you used
+    mremap.  But there was another case where we expand mappings hiding in
+    plain sight: the automatic stack expansion.
+    
+    This fixes that case too.
+    
+    This one also found by Robert Święcki, using his nasty system call
+    fuzzer tool.  Good job.
+    
+    Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 292afec..537b365 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1680,10 +1680,13 @@ static int expand_downwards(struct vm_area_struct *vma,
+ 		size = vma->vm_end - address;
+ 		grow = (vma->vm_start - address) >> PAGE_SHIFT;
+ 
+-		error = acct_stack_growth(vma, size, grow);
+-		if (!error) {
+-			vma->vm_start = address;
+-			vma->vm_pgoff -= grow;
++		error = -ENOMEM;
++		if (grow <= vma->vm_pgoff) {
++			error = acct_stack_growth(vma, size, grow);
++			if (!error) {
++				vma->vm_start = address;
++				vma->vm_pgoff -= grow;
++			}
+ 		}
+ 	}
+ 	anon_vma_unlock(vma);
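Review bot: the `grow <= vma->vm_pgoff` guard in expand_downwards() uses the right bound: `vma->vm_pgoff -= grow` must not go below zero, and `grow == vm_pgoff` is still legal because it leaves the mapping at page offset 0, so `<=` rather than `<` is intentional and should not be "tightened" in review. The guard also sits before acct_stack_growth(), so nothing is accounted for an expansion that is then rejected. One style point: `error = -ENOMEM` is assigned unconditionally and then overwritten by acct_stack_growth() on the normal path; a rejected expansion therefore surfaces as ENOMEM rather than EINVAL, which matches upstream but deserves a sentence in the backport note, which currently says only that the patch was backported.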

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch	Sun Aug 21 21:57:56 2011	(r17982, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch)
@@ -0,0 +1,40 @@
+commit 42c36f63ac1366ab0ecc2d5717821362c259f517
+Author: Hugh Dickins <hughd at google.com>
+Date:   Mon May 9 17:44:42 2011 -0700
+
+    vm: fix vm_pgoff wrap in upward expansion
+    
+    Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
+    the case of an expanding mapping causing vm_pgoff wrapping when you had
+    downward stack expansion.  But there was another case where IA64 and
+    PA-RISC expand mappings: upward expansion.
+    
+    This fixes that case too.
+    
+    Signed-off-by: Hugh Dickins <hughd at google.com>
+    Cc: stable at kernel.org
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 537b365..515e3cb 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1636,9 +1636,14 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 		size = address - vma->vm_start;
+ 		grow = (address - vma->vm_end) >> PAGE_SHIFT;
+ 
+-		error = acct_stack_growth(vma, size, grow);
+-		if (!error)
+-			vma->vm_end = address;
++		error = -ENOMEM;
++		if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
++			error = acct_stack_growth(vma, size, grow);
++			if (!error) {
++				vma->vm_end = address;
++				perf_event_mmap(vma);
++			}
++		}
+ 	}
+ 	anon_vma_unlock(vma);
+ 	return error;
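Review bot: the added `perf_event_mmap(vma);` call inside the new `if (!error)` block is not part of the stated vm_pgoff fix and does not appear in the removed lines, so this backport changes expand_upwards() behaviour beyond the wrap check; the companion expand_downwards() backport in this same commit adds no matching call, so either drop it here or add it there, and record the decision in the `[dannf: backported to Debian's 2.6.32]` note. The wrap check itself is correct: it uses `size` (the whole new length from `vm_start` to `address`) rather than `grow`, so `vma->vm_pgoff + (size >> PAGE_SHIFT)` is the end page offset of the expanded mapping and `>= vma->vm_pgoff` rejects exactly the wrapped case before any accounting is done.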

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Sun Aug 21 21:51:11 2011	(r17981)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4	Sun Aug 21 21:57:56 2011	(r17982)
@@ -7,3 +7,6 @@
 + bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
 + debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
 + bugfix/all/proc-restrict-access-to-proc-pid-io.patch
++ bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
++ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
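Review bot: the order of these three series entries is load-bearing: the upward-expansion patch's `index 537b365..515e3cb` line expects mm/mmap.c as left by the stack-expansion patch (`index 292afec..537b365`), so vm-fix-vm_pgoff-wrap-in-stack-expansion.patch must stay listed before vm-fix-vm_pgoff-wrap-in-upward-expansion.patch. A short comment in the series file or a line in the changelog noting that dependency would keep a later reorder from breaking the apply.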
