[kernel] r19849 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Feb 24 20:56:03 UTC 2013
Author: dannf
Date: Sun Feb 24 20:56:03 2013
New Revision: 19849
Log:
mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
(CVE-2013-0309)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Sun Feb 24 20:45:06 2013 (r19848)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sun Feb 24 20:56:03 2013 (r19849)
@@ -3,6 +3,8 @@
* ptrace: Fix race condition allowing kernel stack corruption (CVE-2013-0871)
* xen: pciback: rate limit error message from pciback_enable_msi()
(CVE-2013-0231)
+ * mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
+ (CVE-2013-0309)
-- dann frazier <dannf at dannf.org> Mon, 18 Feb 2013 16:14:40 -0700
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch Sun Feb 24 20:56:03 2013 (r19849)
@@ -0,0 +1,67 @@
+commit 027ef6c87853b0a9df53175063028edb4950d476
+Author: Andrea Arcangeli <aarcange at redhat.com>
+Date: Mon Oct 8 16:33:27 2012 -0700
+
+ mm: thp: fix pmd_present for split_huge_page and PROT_NONE with THP
+
+ In many places !pmd_present has been converted to pmd_none. For pmds
+ that's equivalent and pmd_none is quicker so using pmd_none is better.
+
+ However (unless we delete pmd_present) we should provide an accurate
+ pmd_present too. This will avoid the risk of code thinking the pmd is non
+ present because it's under __split_huge_page_map, see the pmd_mknotpresent
+ there and the comment above it.
+
+ If the page has been mprotected as PROT_NONE, it would also lead to a
+ pmd_present false negative in the same way as the race with
+ split_huge_page.
+
+ Because the PSE bit stays on at all times (both during split_huge_page and
+ when the _PAGE_PROTNONE bit get set), we could only check for the PSE bit,
+ but checking the PROTNONE bit too is still good to remember pmd_present
+ must always keep PROT_NONE into account.
+
+ This explains a not reproducible BUG_ON that was seldom reported on the
+ lists.
+
+ The same issue is in pmd_large, it would go wrong with both PROT_NONE and
+ if it races with split_huge_page.
+
+ Signed-off-by: Andrea Arcangeli <aarcange at redhat.com>
+ Acked-by: Rik van Riel <riel at redhat.com>
+ Cc: Johannes Weiner <jweiner at redhat.com>
+ Cc: Hugh Dickins <hughd at google.com>
+ Cc: Mel Gorman <mgorman at suse.de>
+ Cc: <stable at vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index fc99484..a1f780d 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -146,8 +146,7 @@ static inline unsigned long pmd_pfn(pmd_t pmd)
+
+ static inline int pmd_large(pmd_t pte)
+ {
+- return (pmd_flags(pte) & (_PAGE_PSE | _PAGE_PRESENT)) ==
+- (_PAGE_PSE | _PAGE_PRESENT);
++ return pmd_flags(pte) & _PAGE_PSE;
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -415,7 +414,13 @@ static inline int pte_hidden(pte_t pte)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
+- return pmd_flags(pmd) & _PAGE_PRESENT;
++ /*
++ * Checking for _PAGE_PSE is needed too because
++ * split_huge_page will temporarily clear the present bit (but
++ * the _PAGE_PSE flag will remain set at all times while the
++ * _PAGE_PRESENT bit is clear).
++ */
++ return pmd_flags(pmd) & (_PAGE_PRESENT | _PAGE_PROTNONE | _PAGE_PSE);
+ }
+
+ static inline int pmd_none(pmd_t pmd)
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1 Sun Feb 24 20:45:06 2013 (r19848)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze1 Sun Feb 24 20:56:03 2013 (r19849)
@@ -2,3 +2,4 @@
+ bugfix/all/ptrace-introduce-signal_wake_up_state-and-ptrace_signal_wake_up.patch
+ bugfix/all/ptrace-ensure-arch_ptrace-ptrace_request-can-never-race-with-SIGKILL.patch
+ bugfix/all/wake_up_process-should-be-never-used-to-wakeup-a-TASK_STOPPED-TRACED-task.patch
++ bugfix/x86/mm-thp-fix-pmd_present-for-split_huge_page-and-PROT_NONE-with-THP.patch
More information about the Kernel-svn-changes
mailing list