[kernel] r18211 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Tue Nov 1 14:47:12 UTC 2011
Author: benh
Date: Tue Nov 1 14:47:10 2011
New Revision: 18211
Log:
oom: fix integer overflow of points in oom_badness (CVE-2011-4097)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/6
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Tue Nov 1 14:35:06 2011 (r18210)
+++ dists/sid/linux-2.6/debian/changelog Tue Nov 1 14:47:10 2011 (r18211)
@@ -32,6 +32,7 @@
* Add empty files to trigger generation of kernel-image udebs
* aufs: Update to aufs3.0-20111031 (Closes: #644687)
* xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
+ * oom: fix integer overflow of points in oom_badness (CVE-2011-4097)
-- Uwe Kleine-König <u.kleine-koenig at pengutronix.de> Fri, 07 Oct 2011 15:48:22 +0200
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch Tue Nov 1 14:47:10 2011 (r18211)
@@ -0,0 +1,54 @@
+From: Frantisek Hrbata <fhrbata at redhat.com>
+Subject: [PATCH v2] oom: fix integer overflow of points in oom_badness
+Date: Mon, 31 Oct 2011 16:56:09 +0100
+
+An integer overflow will happen on 64bit archs if task's sum of rss, swapents
+and nr_ptes exceeds (2^31)/1000 value. This was introduced by commit
+
+f755a04 oom: use pte pages in OOM score
+
+where the oom score computation was divided into several steps and it's no
+longer computed as one expression in unsigned long(rss, swapents, nr_pte are
+unsigned long), where the result value assigned to points(int) is in
+range(1..1000). So there could be an int overflow while computing
+
+176 points *= 1000;
+
+and points may have negative value. Meaning the oom score for a mem hog task
+will be one.
+
+196 if (points <= 0)
+197 return 1;
+For example:
+[ 3366] 0 3366 35390480 24303939 5 0 0 oom01
+Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child
+
+Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
+memory, but it's oom score is one.
+
+In this situation the mem hog task is skipped and oom killer kills another and
+most probably innocent task with oom score greater than one.
+
+The points variable should be of type long instead of int to prevent the int
+overflow.
+
+Signed-off-by: Frantisek Hrbata <fhrbata at redhat.com>
+---
+ mm/oom_kill.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index 626303b..e9a1785 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct task_struct *p,
+ unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
+ const nodemask_t *nodemask, unsigned long totalpages)
+ {
+- int points;
++ long points;
+
+ if (oom_unkillable_task(p, mem, nodemask))
+ return 0;
+--
+1.7.6.4
+
Modified: dists/sid/linux-2.6/debian/patches/series/6
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/6 Tue Nov 1 14:35:06 2011 (r18210)
+++ dists/sid/linux-2.6/debian/patches/series/6 Tue Nov 1 14:47:10 2011 (r18211)
@@ -14,3 +14,4 @@
+ features/all/aufs2/mark-as-staging.patch
+ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch
+ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
++ bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
More information about the Kernel-svn-changes
mailing list