[kernel] r19849 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Sun Feb 24 20:56:03 UTC 2013


Author: dannf
Date: Sun Feb 24 20:56:03 2013
New Revision: 19849

Log:
mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
(CVE-2013-0309)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Feb 24 20:45:06 2013	(r19848)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Feb 24 20:56:03 2013	(r19849)
@@ -3,6 +3,8 @@
   * ptrace: Fix race condition allowing kernel stack corruption (CVE-2013-0871)
   * xen: pciback: rate limit error message from pciback_enable_msi()
     (CVE-2013-0231)
+  * mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
+    (CVE-2013-0309)
 
  -- dann frazier <dannf at dannf.org>  Mon, 18 Feb 2013 16:14:40 -0700
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch	Sun Feb 24 20:56:03 2013	(r19849)
@@ -0,0 +1,67 @@
+commit 027ef6c87853b0a9df53175063028edb4950d476
+Author: Andrea Arcangeli <aarcange at redhat.com>
+Date:   Mon Oct 8 16:33:27 2012 -0700
+
+    mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
+    
+    In many places !pmd_present has been converted to pmd_none.  For pmds
+    that's equivalent and pmd_none is quicker so using pmd_none is better.
+    
+    However (unless we delete pmd_present) we should provide an accurate
+    pmd_present too.  This will avoid the risk of code thinking the pmd is non
+    present because it's under __split_huge_page_map, see the pmd_mknotpresent
+    there and the comment above it.
+    
+    If the page has been mprotected as PROT_NONE, it would also lead to a
+    pmd_present false negative in the same way as the race with
+    split_huge_page.
+    
+    Because the PSE bit stays on at all times (both during split_huge_page and
+    when the _PAGE_PROTNONE bit get set), we could only check for the PSE bit,
+    but checking the PROTNONE bit too is still good to remember pmd_present
+    must always keep PROT_NONE into account.
+    
+    This explains a not reproducible BUG_ON that was seldom reported on the
+    lists.
+    
+    The same issue is in pmd_large, it would go wrong with both PROT_NONE and
+    if it races with split_huge_page.
+    
+    Signed-off-by: Andrea Arcangeli <aarcange at redhat.com>
+    Acked-by: Rik van Riel <riel at redhat.com>
+    Cc: Johannes Weiner <jweiner at redhat.com>
+    Cc: Hugh Dickins <hughd at google.com>
+    Cc: Mel Gorman <mgorman at suse.de>
+    Cc: <stable at vger.kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index fc99484..a1f780d 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -146,8 +146,7 @@ static inline unsigned long pmd_pfn(pmd_t pmd)
+ 
+ static inline int pmd_large(pmd_t pte)
+ {
+-	return (pmd_flags(pte) & (_PAGE_PSE | _PAGE_PRESENT)) ==
+-		(_PAGE_PSE | _PAGE_PRESENT);
++	return pmd_flags(pte) & _PAGE_PSE;
+ }
+ 
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
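Review bot: pmd_large in this hunk now reports a huge pmd from _PAGE_PSE alone and drops the _PAGE_PRESENT requirement, which matches the pmd_present change in the following hunk, but unlike pmd_present it gets no comment, so a reader of `return pmd_flags(pte) & _PAGE_PSE;` cannot tell that ignoring the present bit is deliberate (per the commit log, both split_huge_page and a PROT_NONE mprotect clear _PAGE_PRESENT while _PAGE_PSE stays set). Suggest a one-line comment pointing at the explanation in pmd_present. Cosmetic and pre-existing: the parameter of `static inline int pmd_large(pmd_t pte)` is named `pte` although it is a `pmd_t`; renaming it to `pmd` would match pmd_present, though that is optional for a security backport.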
+@@ -415,7 +414,13 @@ static inline int pte_hidden(pte_t pte)
+ 
+ static inline int pmd_present(pmd_t pmd)
+ {
+-	return pmd_flags(pmd) & _PAGE_PRESENT;
++	/*
++	 * Checking for _PAGE_PSE is needed too because
++	 * split_huge_page will temporarily clear the present bit (but
++	 * the _PAGE_PSE flag will remain set at all times while the
++	 * _PAGE_PRESENT bit is clear).
++	 */
++	return pmd_flags(pmd) & (_PAGE_PRESENT | _PAGE_PROTNONE | _PAGE_PSE);
+ }
+ 
+ static inline int pmd_none(pmd_t pmd)
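Review bot: the new comment in pmd_present explains why _PAGE_PSE is checked but says nothing about _PAGE_PROTNONE, whose rationale is only in the commit log (a pmd made PROT_NONE has _PAGE_PRESENT clear and _PAGE_PROTNONE set, so the old `pmd_flags(pmd) & _PAGE_PRESENT` test reported it as not present); suggest extending the comment with something like "_PAGE_PROTNONE is needed because mprotect(PROT_NONE) also clears the present bit". Since pmd_present now returns nonzero for a pmd with only PSE or PROTNONE set, any remaining `!pmd_present` caller that meant "unmapped" should be audited; the log states most were already converted to pmd_none, which is the intended semantic change for CVE-2013-0309. Also worth recording in the patch header or changelog: the hunk context (`pte_hidden`, `#ifdef CONFIG_TRANSPARENT_HUGEPAGE`) and the @@ line numbers are taken verbatim from the upstream commit (index fc99484..a1f780d), so note whether the squeeze linux-2.6 tree carries these functions and whether the patch applied cleanly or was adapted.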

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1	Sun Feb 24 20:45:06 2013	(r19848)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1	Sun Feb 24 20:56:03 2013	(r19849)
@@ -2,3 +2,4 @@
 + bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch
 + bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch
 + bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-task.patch
++ bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch


