Author: dannf
Date: Sat Mar 31 20:41:20 2007
New Revision: 8406
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* unmap_hugepage_area-check-null-pte.dpatch
[SECURITY] Fix a potential DoS (crash) in unmap_hugepage_area().
No kernel-image builds appear to compile this code, so this fix is only
for users that compile their own kernels with the Debian source and
enable/use huge pages.
See CVE-2005-4811
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Sat Mar 31 20:41:20 2007
@@ -37,8 +37,14 @@
[SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
avoid a race that can lead to a system crash
See CVE-2006-5754
+ * unmap_hugepage_area-check-null-pte.dpatch
+ [SECURITY] Fix a potential DoS (crash) in unmap_hugepage_area().
+ No kerel-image builds appear to compile this code, so this fix is only
+ for users that compile their own kernels with the Debian source and
+ enable/use huge pages.
+ See CVE-2005-4811
- -- dann frazier <[EMAIL PROTECTED]> Sat, 31 Mar 2007 13:51:04 -0600
+ -- dann frazier <[EMAIL PROTECTED]> Sat, 31 Mar 2007 14:38:33 -0600
kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
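Review bot: the changelog entry carries a typo that will ship in the package's changelog: `+ No kerel-image builds appear to compile this code` should read `kernel-image`. The rest of the entry (the CVE reference and the scope statement that only self-built kernels with huge pages enabled compile this code) reads correctly, and the maintainer timestamp bump from 13:51:04 to 14:38:33 is consistent with appending an entry to the same, not yet uploaded, 2.6.8-16sarge7 revision.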
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Sat Mar 31 20:41:20 2007
@@ -7,3 +7,4 @@
+ __find_get_block_slow-race.dpatch
+ listxattr-mem-corruption.dpatch
+ aio-fix-nr_pages-init.dpatch
++ unmap_hugepage_area-check-null-pte.dpatch
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch
Sat Mar 31 20:41:20 2007
@@ -0,0 +1,76 @@
+From: David Gibson <[EMAIL PROTECTED]>
+Date: Fri, 5 Aug 2005 18:59:35 +0000 (-0700)
+Subject: [PATCH] Fix hugepage crash on failing mmap()
+X-Git-Tag: v2.6.13-rc6~29
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=c7546f8f03f5a4fa612605b6be930234d602686;hp=e6cb99413da42af413c11a394538ddc8b9d201e1
+
+[PATCH] Fix hugepage crash on failing mmap()
+
+This patch fixes a crash in the hugepage code. unmap_hugepage_area() was
+assuming that (due to prefault) PTEs must exist for all the area in
+question. However, this may not be the case, if mmap() encounters an error
+before the prefault and calls unmap_region() to clean up any partial
+mapping.
+
+Depending on the hugepage configuration, this crash can be triggered by an
+unpriveleged user.
+
+Signed-off-by: David Gibson <[EMAIL PROTECTED]>
+Cc: William Lee Irwin III <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Ported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/arch/i386/mm/hugetlbpage.c
kernel-source-2.6.8/arch/i386/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/i386/mm/hugetlbpage.c 2004-08-13
23:37:42.000000000 -0600
++++ kernel-source-2.6.8/arch/i386/mm/hugetlbpage.c 2007-03-31
13:33:43.000000000 -0600
+@@ -205,6 +205,7 @@ void unmap_hugepage_range(struct vm_area
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ unsigned long address;
++ pte_t *ptep;
+ pte_t pte;
+ struct page *page;
+
+@@ -212,7 +213,13 @@ void unmap_hugepage_range(struct vm_area
+ BUG_ON(end & (HPAGE_SIZE - 1));
+
+ for (address = start; address < end; address += HPAGE_SIZE) {
+- pte = ptep_get_and_clear(huge_pte_offset(mm, address));
++ ptep = huge_pte_offset(mm, address);
++ if (! ptep)
++ /* This can happen on truncate, or if an
++ * mmap() is aborted due to an error before
++ * the prefault */
++ continue;
++ pte = ptep_get_and_clear(ptep);
+ if (pte_none(pte))
+ continue;
+ page = pte_page(pte);
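Review bot: style point in the NULL check: `++ if (! ptep)` has a space after the negation, which is not kernel coding style and is inconsistent with the `if (!pte || pte_none(*pte))` form used in the ia64 and sparc64 hunks of this same patch; write `if (!ptep)`. The logic itself is right: huge_pte_offset() is consulted first and `ptep_get_and_clear()` is only reached through a non-NULL pointer, so an address range whose hugepage page table was never populated (an mmap() aborted before the prefault, or a truncate, as the added comment says) is skipped instead of dereferencing NULL.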
+diff -urpN kernel-source-2.6.8.orig/arch/ia64/mm/hugetlbpage.c
kernel-source-2.6.8/arch/ia64/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/ia64/mm/hugetlbpage.c 2004-08-13
23:36:58.000000000 -0600
++++ kernel-source-2.6.8/arch/ia64/mm/hugetlbpage.c 2007-03-31
13:30:14.000000000 -0600
+@@ -243,7 +243,7 @@ void unmap_hugepage_range(struct vm_area
+
+ for (address = start; address < end; address += HPAGE_SIZE) {
+ pte = huge_pte_offset(mm, address);
+- if (pte_none(*pte))
++ if (!pte || pte_none(*pte))
+ continue;
+ page = pte_page(*pte);
+ put_page(page);
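Review bot: the ia64 hunk adds the `!pte ||` guard without the explanatory comment the i386 hunk carries (`/* This can happen on truncate, or if an mmap() is aborted due to an error before the prefault */`); add the same comment here so the next reader does not take the NULL case for an impossible path and reinstate a BUG_ON. The short-circuit order in `++ if (!pte || pte_none(*pte))` is correct: `*pte` is only evaluated when pte is non-NULL.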
+diff -urpN kernel-source-2.6.8.orig/arch/sparc64/mm/hugetlbpage.c
kernel-source-2.6.8/arch/sparc64/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/sparc64/mm/hugetlbpage.c 2004-08-13
23:37:25.000000000 -0600
++++ kernel-source-2.6.8/arch/sparc64/mm/hugetlbpage.c 2007-03-31
13:30:42.000000000 -0600
+@@ -193,8 +193,7 @@ void unmap_hugepage_range(struct vm_area
+
+ for (address = start; address < end; address += HPAGE_SIZE) {
+ pte = huge_pte_offset(mm, address);
+- BUG_ON(!pte);
+- if (pte_none(*pte))
++ if (!pte || pte_none(*pte))
+ continue;
+ page = pte_page(*pte);
+ put_page(page);
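Review bot: this is the hunk that changes observable behaviour most directly: `+- BUG_ON(!pte);` was an explicit kernel oops on a NULL return from huge_pte_offset(), which is the crash the patch description says can be reached from an unprivileged process depending on the hugepage configuration, and it is replaced by skipping the iteration. That is the intended fix, but the reason deserves the same comment as in the i386 hunk, because a bare `if (!pte || pte_none(*pte))` next to a deleted BUG_ON reads as if an invariant was dropped rather than corrected. The hunk header `@@ -193,8 +193,7 @@` matches the net removal of one line.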
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes