Author: dannf
Date: Wed Feb 13 21:02:36 2008
New Revision: 10532
Log:
* [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
into address space reserved for hugetlb pages.
See CVE-2007-3739
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Wed Feb 13 21:02:36 2008
@@ -41,8 +41,11 @@
* isdn-net-overflow.dpatch
[SECURITY] Fix potential overflows in the ISDN subsystem
See CVE-2007-6063
+ * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+ into address space reserved for hugetlb pages.
+ See CVE-2007-3739
- -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 17:28:08 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 14:01:28 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
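Review bot: The new changelog entry does not name the patch file, unlike the entry just above it, which leads with `* isdn-net-overflow.dpatch` before its [SECURITY] description. Suggest starting the entry with `* prevent-stack-growth-into-hugetlb-region.dpatch` and moving the [SECURITY] text to the following lines, so the changelog can be matched line for line against the series file.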
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/prevent-stack-growth-into-hugetlb-region.dpatch
Wed Feb 13 21:02:36 2008
@@ -0,0 +1,48 @@
+From: Adam Litke <[EMAIL PROTECTED]>
+Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
+Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
+X-Git-Tag: v2.6.20-rc7~10
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
+
+[PATCH] Don't allow the stack to grow into hugetlb reserved regions
+
+When expanding the stack, we don't currently check if the VMA will cross
+into an area of the address space that is reserved for hugetlb pages.
+Subsequent faults on the expanded portion of such a VMA will confuse the
+low-level MMU code, resulting in an OOPS. Check for this.
+
+Signed-off-by: Adam Litke <[EMAIL PROTECTED]>
+Cc: David Gibson <[EMAIL PROTECTED]>
+Cc: William Lee Irwin III <[EMAIL PROTECTED]>
+Cc: Hugh Dickins <[EMAIL PROTECTED]>
+Cc: <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/mm/mmap.c kernel-source-2.6.8/mm/mmap.c
+--- kernel-source-2.6.8.orig/mm/mmap.c 2007-05-26 02:54:40.000000000 -0600
++++ kernel-source-2.6.8/mm/mmap.c 2008-02-13 13:57:29.000000000 -0700
+@@ -1203,6 +1203,7 @@ static int acct_stack_growth(struct vm_a
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ struct rlimit *rlim = current->rlim;
++ unsigned long new_start;
+
+ /* address space limit tests */
+ if (mm->total_vm + grow > rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT)
+@@ -1212,6 +1213,12 @@ static int acct_stack_growth(struct vm_a
+ if (size > rlim[RLIMIT_STACK].rlim_cur)
+ return -ENOMEM;
+
++ /* Check to ensure the stack will not grow into a hugetlb-only region */
++ new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
++ vma->vm_end - size;
++ if (is_hugepage_only_range(vma->vm_mm, new_start, size))
++ return -EFAULT;
++
+ /*
+ * Overcommit.. This must be the final test, as it will
+ * update security statistics.
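Review bot: The added check in the second mm/mmap.c hunk calls `is_hugepage_only_range(vma->vm_mm, new_start, size)` in the same three-argument form as the upstream commit tagged v2.6.20-rc7~10, and nothing in this backport shows how the 2.6.8 tree defines it. Please confirm that the 2.6.8 definition accepts an mm argument on every architecture that provides one; if it does not, the call has to be adapted for this tree. Two smaller points: the function already holds `vma->vm_mm` in the local `mm`, so the call can use that, and this path returns -EFAULT while the RLIMIT_STACK test just above returns -ENOMEM, so it is worth checking that the callers of acct_stack_growth() pass the new error through rather than assuming -ENOMEM.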
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Wed Feb 13 21:02:36 2008
@@ -11,3 +11,4 @@
+ ext2-skip-pages-past-num-blocks.dpatch
+ minixfs-printk-hang.dpatch
+ isdn-net-overflow.dpatch
++ prevent-stack-growth-into-hugetlb-region.dpatch