Hi,
Here are links to the two security patches:
http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/linux-2.6.10-as2/033-rlimit_memlock_check.patch
http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/linux-2.6.10-as2/034-stack_resize_exploit.patch
Thanks for the suggestion. I'll check out the 2.6.11 patches to see if they already deal with these exploits.
Thanks for your help! Andy
Herbert Poetzl wrote:
On Sun, Jan 23, 2005 at 12:59:51AM -0800, Andrew Mendelsohn wrote:
After patching a 2.6.10 kernel with the patch-2.6.10-vs1.9.4-rc2 patch, I can't cleanly apply the fixes for CAN-2005-0001 and the RLIMIT_MEMLOCK exploits because of critical changes to mmap.c. I was using fixes from the new as-patch series from Andres Salomon, which is supposed to be a minimum set of security fixes that will be used by Debian as well as possibly other distros ( http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/ ).
After studying the changes I came to the conclusion that it requires someone who understands the Linux memory subsystem better than I do :) So, does anyone know how to reconcile these patches?
please be so kind and link me to the patches in question (in unified diff format if possible) and I'll see what I can do for you .. aside from that, 2.6.11-rc1 or rc2 should be an option too, no?
best, Herbert
Here is the mm/mmap.c.rej, which shows how significantly the security patches change the code:
*************** *** 1351,1378 **** */ address += 4 + PAGE_SIZE - 1; address &= PAGE_MASK; - grow = (address - vma->vm_end) >> PAGE_SHIFT;
- /* Overcommit.. */
- if (security_vm_enough_memory(grow)) {
- anon_vma_unlock(vma);
- return -ENOMEM;
}
-
- if (address - vma->vm_start > current->signal->rlim[RLIMIT_STACK].rlim_$
- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
- current->signal->rlim[RLIMIT_AS].rlim_cur) {
- anon_vma_unlock(vma);
- vm_unacct_memory(grow);
- return -ENOMEM;
- }
- vma->vm_end = address;
- vma->vm_mm->total_vm += grow;
- if (vma->vm_flags & VM_LOCKED)
- vma->vm_mm->locked_vm += grow;
- __vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, grow);
anon_vma_unlock(vma);
- return 0;
}
struct vm_area_struct * --- 1395,1415 ---- */ address += 4 + PAGE_SIZE - 1; address &= PAGE_MASK; + error = 0;
+ /* Somebody else might have raced and expanded it already */ + if (address > vma->vm_end) { + unsigned long size, grow; + + size = address - vma->vm_start; + grow = (address - vma->vm_end) >> PAGE_SHIFT; + + error = acct_stack_growth(vma, size, grow); + if (!error) + vma->vm_end = address; } anon_vma_unlock(vma); + return error; }
struct vm_area_struct * ***************
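Review bot: the new side of this hunk assigns to `error` and calls `acct_stack_growth(vma, size, grow)`, but neither the `int error` declaration nor the helper is introduced by this hunk, so when this is merged by hand into the vserver-modified mmap.c the patch's other hunks (the one adding acct_stack_growth() and the one declaring `error` in this function) must have applied, otherwise the merged file will not compile. Everything the removed lines did inline, that is the security_vm_enough_memory(grow) overcommit check, the RLIMIT_STACK and RLIMIT_AS comparisons, the total_vm and locked_vm updates and __vm_stat_account(), is expected to have moved into that helper, so if vserver's own edits to mmap.c sit in those removed lines they need to be re-applied inside acct_stack_growth() rather than in expand_stack(). Also, the line `- if (address - vma->vm_start > current->signal->rlim[RLIMIT_STACK].rlim_$` is cut off in the posted text (the `$` marks where the pasted line was truncated, so the `||` that joins the RLIMIT_STACK and RLIMIT_AS conditions is missing), so the removed block should be taken from the original patch file rather than from this mail.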
and
*************** *** 1416,1444 **** * anon_vma lock to serialize against concurrent expand_stacks. */ address &= PAGE_MASK; - grow = (vma->vm_start - address) >> PAGE_SHIFT;
- /* Overcommit.. */
- if (security_vm_enough_memory(grow)) {
- anon_vma_unlock(vma);
- return -ENOMEM;
- }
-
- if (vma->vm_end - address > current->signal->rlim[RLIMIT_STACK].rlim_cu$
- ((vma->vm_mm->total_vm + grow) << PAGE_SHIFT) >
- current->signal->rlim[RLIMIT_AS].rlim_cur) {
- anon_vma_unlock(vma);
- vm_unacct_memory(grow);
- return -ENOMEM;
}
- vma->vm_start = address;
- vma->vm_pgoff -= grow;
- vma->vm_mm->total_vm += grow;
- if (vma->vm_flags & VM_LOCKED)
- vma->vm_mm->locked_vm += grow;
- __vm_stat_account(vma->vm_mm, vma->vm_flags, vma->vm_file, grow);
anon_vma_unlock(vma);
- return 0;
}
struct vm_area_struct * --- 1453,1475 ---- * anon_vma lock to serialize against concurrent expand_stacks. */ address &= PAGE_MASK; + error = 0;
+ /* Somebody else might have raced and expanded it already */ + if (address < vma->vm_start) { + unsigned long size, grow; + + size = vma->vm_end - address; + grow = (vma->vm_start - address) >> PAGE_SHIFT; + + error = acct_stack_growth(vma, size, grow); + if (!error) { + vma->vm_start = address; + vma->vm_pgoff -= grow; + } } anon_vma_unlock(vma); + return error; }
struct vm_area_struct *
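Review bot: one accounting detail to verify before accepting a hand merge of this downward-growth hunk: on the old side, failing the RLIMIT_STACK/RLIMIT_AS test called vm_unacct_memory(grow) to undo the security_vm_enough_memory() charge before returning -ENOMEM, and that unaccounting is no longer visible here, so confirm that acct_stack_growth() performs it on its own failure path, otherwise every refused stack growth leaks committed memory. The new side is otherwise sound: `vma->vm_start = address` and `vma->vm_pgoff -= grow` are kept together inside the `if (!error)` block, so the pgoff adjustment cannot happen when accounting fails, and the `if (address < vma->vm_start)` guard covers the concurrent-expansion case that the old side, which computed `grow` unconditionally, did not check. As with the first hunk, `error` and acct_stack_growth() are used without being declared here, and the line ending in `rlim_cu$` is truncated in the posted text, so use the original patch file as the reference for the removed block.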
_______________________________________________
Vserver mailing list
[email protected]
http://list.linux-vserver.org/mailman/listinfo/vserver
