This is a note to let you know that I've just added the patch titled
next_pidmap: fix overflow condition
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
next_pidmap-fix-overflow-condition.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From c78193e9c7bcbf25b8237ad0dec82f805c4ea69b Mon Sep 17 00:00:00 2001
From: Linus Torvalds <[email protected]>
Date: Mon, 18 Apr 2011 10:35:30 -0700
Subject: next_pidmap: fix overflow condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Linus Torvalds <[email protected]>
commit c78193e9c7bcbf25b8237ad0dec82f805c4ea69b upstream.
next_pidmap() just quietly accepted whatever 'last' pid that was passed
in, which is not all that safe when one of the users is /proc.
Admittedly the proc code should do some sanity checking on the range
(and that will be the next commit), but that doesn't mean that the
helper functions should just do that pidmap pointer arithmetic without
checking the range of its arguments.
So clamp 'last' to PID_MAX_LIMIT. The fact that we then do "last+1"
doesn't really matter, the for-loop does check against the end of the
pidmap array properly (it's only the actual pointer arithmetic overflow
case we need to worry about, and going one bit beyond isn't going to
overflow).
[ Use PID_MAX_LIMIT rather than pid_max as per Eric Biederman ]
Reported-by: Tavis Ormandy <[email protected]>
Analyzed-by: Robert Święcki <[email protected]>
Cc: Eric W. Biederman <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/pid.h | 2 +-
kernel/pid.c | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
--- a/include/linux/pid.h
+++ b/include/linux/pid.h
@@ -117,7 +117,7 @@ extern struct pid *find_vpid(int nr);
*/
extern struct pid *find_get_pid(int nr);
extern struct pid *find_ge_pid(int nr, struct pid_namespace *);
-int next_pidmap(struct pid_namespace *pid_ns, int last);
+int next_pidmap(struct pid_namespace *pid_ns, unsigned int last);
extern struct pid *alloc_pid(struct pid_namespace *ns);
extern void free_pid(struct pid *pid);
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -217,11 +217,14 @@ static int alloc_pidmap(struct pid_names
return -1;
}
-int next_pidmap(struct pid_namespace *pid_ns, int last)
+int next_pidmap(struct pid_namespace *pid_ns, unsigned int last)
{
int offset;
struct pidmap *map, *end;
+ if (last >= PID_MAX_LIMIT)
+ return -1;
+
offset = (last + 1) & BITS_PER_PAGE_MASK;
map = &pid_ns->pidmap[(last + 1)/BITS_PER_PAGE];
end = &pid_ns->pidmap[PIDMAP_ENTRIES];
Patches currently in stable-queue which might be from
[email protected] are
queue-2.6.38/kstrto-converting-strings-to-integers-done-hopefully-right.patch
queue-2.6.38/proc-do-proper-range-check-on-readdir-offset.patch
queue-2.6.38/ramfs-fix-memleak-on-no-mmu-arch.patch
queue-2.6.38/brk-compat_brk-fix-detection-of-randomized-brk.patch
queue-2.6.38/vmscan-all_unreclaimable-use-zone-all_unreclaimable-as-a-name.patch
queue-2.6.38/mm-thp-use-conventional-format-for-boolean-attributes.patch
queue-2.6.38/maintainers-update-stable-branch-info.patch
queue-2.6.38/next_pidmap-fix-overflow-condition.patch
queue-2.6.38/vfs-fix-absolute-rcu-path-walk-failures-due-to-uninitialized-seq-number.patch
queue-2.6.38/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
queue-2.6.38/oom-kill-remove-boost_dying_task_prio.patch
queue-2.6.38/vm-fix-mlock-on-stack-guard-page.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
