[linux] 03/07: mm, proc: cap the stack gap for unpopulated growing vmas

debian-kernel at lists.debian.org
Mon Jun 19 15:38:53 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch stretch-security
in repository linux.

commit 0cbfdac03e459d27b5a86ee03c654be215350664
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 15 18:58:28 2017 +0200

    mm, proc: cap the stack gap for unpopulated growing vmas
---
 debian/changelog                                   |  1 +
 ...-the-stack-gap-for-unpopulated-growing-vm.patch | 45 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 47 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 04b217d..a0358ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ linux (4.9.30-2+deb9u1) UNRELEASED; urgency=medium
 
   * mm: enlarge stack guard gap (CVE-2017-1000364)
   * mm: allow to configure stack gap size
+  * mm, proc: cap the stack gap for unpopulated growing vmas
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 13 Jun 2017 19:05:45 +0200
 
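Review bot: The new changelog entry "mm, proc: cap the stack gap for unpopulated growing vmas" does not say that it is a follow-up to the "enlarge stack guard gap" entry two lines above it, although the patch header ties it to CVE-2017-1000364 through Bug-Debian-Security. Consider wording it as a follow-up to that entry, so that someone reading only the changelog can tell it corrects the /proc/pid/maps range reported after the gap was enlarged, rather than taking it for an unrelated fix.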
diff --git a/debian/patches/bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch b/debian/patches/bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch
new file mode 100644
index 0000000..1d187b1
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch
@@ -0,0 +1,45 @@
+From: Michal Hocko <mhocko at suse.com>
+Date: Wed, 14 Jun 2017 08:17:15 +0200
+Subject: mm, proc: cap the stack gap for unpopulated growing vmas
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
+
+Oleg has noticed that show_map_vma has been overly eager to cut the
+the vma range for growing VMAs. This wasn't a big deal with 4kB stack
+gap but now that the gap is much larger we can simply get a bogus VMA
+range in show_map_vma.
+To quote Oleg
+: On ppc PAGE_SIZE == 64K, so stack_guard_gap == 16M, the application does
+: mmap(..., length=4M, ... MAP_GROWSDOWN) and /proc/pid/maps happily reports
+:
+:       30001000000-30000400000 rw-p 00000000 00:00 0
+
+Let's cap the reported range and show an empty range for this peculiar
+case which is what we have been doing for a long time.  Note that the
+range will expand as soon as the first page fault happens on this range.
+
+Reported-by: Jan Stancek <jstancek at redhat.com>
+Signed-off-by: Michal Hocko <mhocko at suse.com>
+---
+ fs/proc/task_mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 5ef3e14d235f..6f38f96d725f 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -303,10 +303,10 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
+ 	end = vma->vm_end;
+ 	if (vma->vm_flags & VM_GROWSDOWN) {
+ 		if (stack_guard_area(vma, start))
+-			start += stack_guard_gap;
++			start = min(end, start + stack_guard_gap);
+ 	} else if (vma->vm_flags & VM_GROWSUP) {
+ 		if (stack_guard_area(vma, end))
+-			end -= stack_guard_gap;
++			end = max(start, end - stack_guard_gap);
+ 	}
+ 
+ 	seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
+-- 
+2.11.0
+
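Review bot: In the VM_GROWSUP branch of the show_map_vma() change, `end - stack_guard_gap` is evaluated before max() clamps it, so if the gap is larger than `end` the subtraction wraps (for unsigned operands) and `max(start, ...)` keeps the wrapped value; `start + stack_guard_gap` has the mirror-image problem near the top of the address space. The changelog lists "mm: allow to configure stack gap size", so the gap is not limited to a small constant, and comparing against the VMA length avoids the arithmetic altogether, e.g. `if (end - start > stack_guard_gap) start += stack_guard_gap; else start = end;` with the equivalent for the grows-up case. Separately, the description contains a doubled "the the", and the patch header has no Origin or upstream commit reference, which would make it easier to track where this version of the patch came from.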
diff --git a/debian/patches/series b/debian/patches/series
index 7709d24..a29e4d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -122,6 +122,7 @@ bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
 bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
 bugfix/all/mm-enlarge-stack-guard-gap.patch
 bugfix/all/mm-allow-to-configure-stack-gap-size.patch
+bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


