[kernel] r19262 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jul 19 02:55:50 UTC 2012
Author: dannf
Date: Thu Jul 19 02:55:49 2012
New Revision: 19262
Log:
* hugetlb: fix resv_map leak in error path (CVE-2012-2390)
* mm: fix vma_resv_map() NULL pointer (CVE-2012-2390)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Mon Jul 16 11:51:07 2012 (r19261)
+++ dists/squeeze-security/linux-2.6/debian/changelog Thu Jul 19 02:55:49 2012 (r19262)
@@ -4,6 +4,8 @@
sock_alloc_send_pskb() (CVE-2012-2136)
* dl2k: Clean up rio_ioctl, add missing CAP_NET_ADMIN checks (CVE-2012-2313)
* hfsplus: Fix potential buffer overflows (CVE-2012-2319)
+ * hugetlb: fix resv_map leak in error path (CVE-2012-2390)
+ * mm: fix vma_resv_map() NULL pointer (CVE-2012-2390)
-- dann frazier <dannf at debian.org> Tue, 12 Jun 2012 16:56:29 -0600
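Review bot: both new bullets cite CVE-2012-2390, but the second one is a regression fix for the first (the mm-fix-vma_resv_map-NULL-pointer patch's own message says it was marked for stable because commit c50ac050811d, the resv_map leak fix, introduced the oops), so appending something like "(regression fix for the above)" to the second bullet would save readers wondering why one CVE gets two entries. The trailer date of 12 Jun 2012 predates this commit; fine while the entry is still open, but it needs refreshing before the upload.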
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch Thu Jul 19 02:55:49 2012 (r19262)
@@ -0,0 +1,104 @@
+commit c50ac050811d6485616a193eb0f37bfbd191cc89
+Author: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Tue May 29 15:06:46 2012 -0700
+
+ hugetlb: fix resv_map leak in error path
+
+ When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
+ does a resv_map_alloc(). It depends on code in hugetlbfs's
+ vm_ops->close() to release that allocation.
+
+ However, in the mmap() failure path, we do a plain unmap_region() without
+ the remove_vma() which actually calls vm_ops->close().
+
+ This is a decent fix. This leak could get reintroduced if new code (say,
+ after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides to return
+ an error. But, I think it would have to unroll the reservation anyway.
+
+ Christoph's test case:
+
+ http://marc.info/?l=linux-mm&m=133728900729735
+
+ This patch applies to 3.4 and later. A version for earlier kernels is at
+ https://lkml.org/lkml/2012/5/22/418.
+
+ Signed-off-by: Dave Hansen <dave at linux.vnet.ibm.com>
+ Acked-by: Mel Gorman <mel at csn.ul.ie>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+ Reported-by: Christoph Lameter <cl at linux.com>
+ Tested-by: Christoph Lameter <cl at linux.com>
+ Cc: Andrea Arcangeli <aarcange at redhat.com>
+ Cc: <stable at vger.kernel.org> [2.6.32+]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 20f9240..3d61035 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1772,6 +1772,15 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma)
+ kref_get(&reservations->refs);
+ }
+
++static void resv_map_put(struct vm_area_struct *vma)
++{
++ struct resv_map *reservations = vma_resv_map(vma);
++
++ if (!reservations)
++ return;
++ kref_put(&reservations->refs, resv_map_release);
++}
++
+ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ {
+ struct hstate *h = hstate_vma(vma);
+@@ -1788,7 +1797,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ reserve = (end - start) -
+ region_count(&reservations->regions, start, end);
+
+- kref_put(&reservations->refs, resv_map_release);
++ resv_map_put(vma);
+
+ if (reserve) {
+ hugetlb_acct_memory(h, -reserve);
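Review bot: in hugetlb_vm_op_close() `reservations` has already been dereferenced two lines earlier (`region_count(&reservations->regions, start, end)`), so the NULL check inside resv_map_put() can never fire here, and the helper re-runs vma_resv_map(vma) to look up a pointer the function already holds. Harmless, but keeping `kref_put(&reservations->refs, resv_map_release)` on the existing pointer would read more directly; the helper earns its keep in the error path, not in this hunk.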
+@@ -2472,12 +2481,16 @@ int hugetlb_reserve_pages(struct inode *inode,
+ set_vma_resv_flags(vma, HPAGE_RESV_OWNER);
+ }
+
+- if (chg < 0)
+- return chg;
++ if (chg < 0) {
++ ret = chg;
++ goto out_err;
++ }
+
+ /* There must be enough pages in the subpool for the mapping */
+- if (hugepage_subpool_get_pages(spool, chg))
+- return -ENOSPC;
++ if (hugepage_subpool_get_pages(spool, chg)) {
++ ret = -ENOSPC;
++ goto out_err;
++ }
+
+ /*
+ * Check enough hugepages are available for the reservation.
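Review bot: the `chg < 0` branch is the path the subject line is about. For a private mapping the resv_map is already attached by the time `chg` is tested (the `set_vma_resv_flags(vma, HPAGE_RESV_OWNER)` context line shows that), so the old bare `return chg` dropped the only reference to it, and the same held for the `return -ENOSPC` after hugepage_subpool_get_pages(). The goto routes both exits through the put, which is right; a one-line comment on the first branch saying that the map was allocated above the hunk would tell a later reader why a plain return is wrong here, since the allocation is not visible from this hunk.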
+@@ -2486,7 +2499,7 @@ int hugetlb_reserve_pages(struct inode *inode,
+ ret = hugetlb_acct_memory(h, chg);
+ if (ret < 0) {
+ hugepage_subpool_put_pages(spool, chg);
+- return ret;
++ goto out_err;
+ }
+
+ /*
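Review bot: this exit undoes its own step inline (`hugepage_subpool_put_pages(spool, chg)`) and then jumps to out_err to undo the earlier resv_map allocation, which is the correct LIFO order. The cost is that out_err can never be extended to return subpool pages without double-releasing on this path; if more steps are added to this function later, stacked labels (an out_put_pages: label falling through to out_err:) would scale better than partial inline unwinding.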
+@@ -2503,6 +2516,9 @@ int hugetlb_reserve_pages(struct inode *inode,
+ if (!vma || vma->vm_flags & VM_MAYSHARE)
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
++out_err:
++ resv_map_put(vma);
++ return ret;
+ }
+
+ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
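Review bot: out_err calls resv_map_put(vma) unconditionally, but three lines above it `if (!vma || vma->vm_flags & VM_MAYSHARE)` shows that this function is called with vma == NULL (the hugetlb_file_setup() path, which the follow-up patch's oops trace reaches via sys_shmget). resv_map_put() hands that NULL straight to vma_resv_map(vma), which reads through it. Shared mappings are covered, because vma_resv_map() returns NULL for them and the helper's own check catches that, but a NULL vma is not; the label should read `if (vma) resv_map_put(vma);`.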
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch Thu Jul 19 02:55:49 2012 (r19262)
@@ -0,0 +1,64 @@
+commit 4523e1458566a0e8ecfaff90f380dd23acc44d27
+Author: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Wed May 30 07:51:07 2012 -0700
+
+ mm: fix vma_resv_map() NULL pointer
+
+ hugetlb_reserve_pages() can be used for either normal file-backed
+ hugetlbfs mappings, or MAP_HUGETLB. In the MAP_HUGETLB, semi-anonymous
+ mode, there is not a VMA around. The new call to resv_map_put() assumed
+ that there was, and resulted in a NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ IP: vma_resv_map+0x9/0x30
+ PGD 141453067 PUD 1421e1067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
+ RIP: vma_resv_map+0x9/0x30
+ ...
+ Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
+ Call Trace:
+ resv_map_put+0xe/0x40
+ hugetlb_reserve_pages+0xa6/0x1d0
+ hugetlb_file_setup+0x102/0x2c0
+ newseg+0x115/0x360
+ ipcget+0x1ce/0x310
+ sys_shmget+0x5a/0x60
+ system_call_fastpath+0x16/0x1b
+
+ This was reported by Dave Jones, but was reproducible with the
+ libhugetlbfs test cases, so shame on me for not running them in the
+ first place.
+
+ With this, the oops is gone, and the output of libhugetlbfs's
+ run_tests.py is identical to plain 3.4 again.
+
+ [ Marked for stable, since this was introduced by commit c50ac050811d
+ ("hugetlb: fix resv_map leak in error path") which was also marked for
+ stable ]
+
+ Reported-by: Dave Jones <davej at redhat.com>
+ Cc: Mel Gorman <mel at csn.ul.ie>
+ Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+ Cc: Christoph Lameter <cl at linux.com>
+ Cc: Andrea Arcangeli <aarcange at redhat.com>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: <stable at vger.kernel.org> [2.6.32+]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 3d61035..b435d1f 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2517,7 +2517,8 @@ int hugetlb_reserve_pages(struct inode *inode,
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
+ out_err:
+- resv_map_put(vma);
++ if (vma)
++ resv_map_put(vma);
+ return ret;
+ }
+
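Review bot: the guard fixes the one known caller but leaves resv_map_put() itself unsafe for a NULL vma; moving `if (!vma) return;` into the helper (or teaching vma_resv_map() to return NULL for a NULL vma) would protect any caller added later as well. Also note the index line `3d61035..b435d1f`: 3d61035 is the post-image of hugetlb-fix-resv_map-leak-in-error-path.patch, so this patch only applies once that one sits ahead of it in the series, which the series change in this commit does get right.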
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Mon Jul 16 11:51:07 2012 (r19261)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1 Thu Jul 19 02:55:49 2012 (r19262)
@@ -2,3 +2,5 @@
+ bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
+ bugfix/all/dl2k-Clean-up-rio_ioctl.patch
+ bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
++ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
++ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
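The control-flow change that the two patches above make, reduced to a stand-alone C model. This is an added example for this page, not kernel code and not Debian's: `struct vma` and `struct resv_map` are stand-ins, `live_maps` is an assumed leak oracle, and `reserve_pages_leaky` / `reserve_pages_fixed` are simplified versions of the before and after shapes of hugetlb_reserve_pages(). It shows why a bare `return` after `resv_map_alloc()` leaks the only reference, why a single `out_err` label fixes that, and why the label then needs the `if (vma)` guard from the second patch.

```c
/*
 * Toy model of the resv_map lifetime fixed by CVE-2012-2390 (added example,
 * not kernel code). Names mirror mm/hugetlb.c; every type and function here
 * is a simplification written for this illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct resv_map {
	int refs;                 /* stands in for struct kref */
};

struct vma {
	struct resv_map *resv;    /* what vma_resv_map() returns for private mappings */
	int shared;               /* VM_MAYSHARE: reservations live on the inode, no resv_map */
};

static int live_maps;             /* assumed leak oracle: maps allocated but not released */
static int last_ret;              /* return value of the most recent run_case() */

static struct resv_map *resv_map_alloc(void)
{
	struct resv_map *m = calloc(1, sizeof(*m));
	if (!m)
		return NULL;
	m->refs = 1;
	live_maps++;
	return m;
}

static void resv_map_release(struct resv_map *m)
{
	live_maps--;
	free(m);
}

/* Reads the vma, so a NULL vma faults here, exactly as in the reported oops. */
static struct resv_map *vma_resv_map(struct vma *v)
{
	return v->shared ? NULL : v->resv;
}

/* Helper from the first patch: tolerates a missing map, not a missing vma. */
static void resv_map_put(struct vma *v)
{
	struct resv_map *m = vma_resv_map(v);
	if (!m)
		return;
	if (--m->refs == 0) {
		resv_map_release(m);
		v->resv = NULL;
	}
}

/* Pre-patch shape: allocate, then bail out with bare returns that never put. */
static int reserve_pages_leaky(struct vma *v, long chg, long avail)
{
	if (v && !v->shared) {
		v->resv = resv_map_alloc();
		if (!v->resv)
			return -ENOMEM;
	}
	if (chg < 0)
		return (int)chg;          /* leak: refs stays at 1 */
	if (chg > avail)
		return -ENOSPC;           /* leak: refs stays at 1 */
	return 0;
}

/* Post-patch shape: one exit label, plus the NULL-vma guard from the second patch. */
static int reserve_pages_fixed(struct vma *v, long chg, long avail)
{
	int ret;

	if (v && !v->shared) {
		v->resv = resv_map_alloc();
		if (!v->resv)
			return -ENOMEM;
	}
	if (chg < 0) {
		ret = (int)chg;
		goto out_err;
	}
	if (chg > avail) {
		ret = -ENOSPC;
		goto out_err;
	}
	return 0;
out_err:
	if (v)                        /* shmget()/MAP_HUGETLB path passes vma == NULL */
		resv_map_put(v);
	return ret;
}

/*
 * Run one reservation attempt and return how many maps are still alive afterwards.
 * On success the map is released the way vm_ops->close() would at munmap().
 */
static int run_case(int (*reserve)(struct vma *, long, long), int use_vma, long chg, long avail)
{
	struct vma v = { .resv = NULL, .shared = 0 };

	live_maps = 0;
	last_ret = reserve(use_vma ? &v : NULL, chg, avail);
	if (last_ret == 0 && use_vma)
		resv_map_put(&v);
	return live_maps;
}

int main(void)
{
	int leaked;

	leaked = run_case(reserve_pages_leaky, 1, 8, 4);
	printf("pre-patch,  -ENOSPC path: ret=%d, %d map(s) leaked\n", last_ret, leaked);
	leaked = run_case(reserve_pages_fixed, 1, 8, 4);
	printf("post-patch, -ENOSPC path: ret=%d, %d map(s) leaked\n", last_ret, leaked);
	leaked = run_case(reserve_pages_fixed, 0, 8, 4);
	printf("post-patch, NULL vma:     ret=%d, %d map(s) leaked\n", last_ret, leaked);
	return 0;
}
```

Build with `cc -Wall -o resv_model resv_model.c` and run it; the first line reports one leaked map, the other two report none. In the kernel the equivalent oracle is kmemleak (or simply an ever-growing slab count across repeated failing mmap() calls), which is how a leak on an error path like this is normally noticed.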