diff options
author | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-03 20:19:55 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-12-03 20:19:55 +0000 |
commit | 9f22ef3ab67746604627a8acb7a412e24ea7b4c7 (patch) | |
tree | 71bb867bd0980f216b2be4a1e5baf3d7498870a1 /sys-kernel | |
parent | Adding overwrapping VMA security fix, bug #72452. (Manifest recommit) (diff) | |
download | gentoo-2-9f22ef3ab67746604627a8acb7a412e24ea7b4c7.tar.gz gentoo-2-9f22ef3ab67746604627a8acb7a412e24ea7b4c7.tar.bz2 gentoo-2-9f22ef3ab67746604627a8acb7a412e24ea7b4c7.zip |
Adding overwrapping VMA security fix, bug #72452.
Diffstat (limited to 'sys-kernel')
-rw-r--r-- | sys-kernel/ck-sources/ChangeLog | 6 | ||||
-rw-r--r-- | sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild | 5 | ||||
-rw-r--r-- | sys-kernel/ck-sources/files/ck-sources-2.6.9.vma.patch | 268 |
3 files changed, 276 insertions, 3 deletions
diff --git a/sys-kernel/ck-sources/ChangeLog b/sys-kernel/ck-sources/ChangeLog index a47d2cb47b35..7b1bd98259bd 100644 --- a/sys-kernel/ck-sources/ChangeLog +++ b/sys-kernel/ck-sources/ChangeLog @@ -1,6 +1,10 @@ # ChangeLog for sys-kernel/ck-sources # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.71 2004/11/28 11:52:23 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ChangeLog,v 1.72 2004/12/03 20:19:55 plasmaroo Exp $ + + 03 Dec 2004; <plasmaroo@gentoo.org> ck-sources-2.6.9-r3.ebuild, + +files/ck-sources-2.6.9.vma.patch: + Adding overwrapping VMA security fix, bug #72452. 28 Nov 2004; <plasmaroo@gentoo.org> ck-sources-2.6.9-r3.ebuild, +files/ck-sources-2.6.9.AF_UNIX.patch: diff --git a/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild b/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild index 240fff4c70ed..1b1384d01f08 100644 --- a/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild +++ b/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild @@ -1,11 +1,12 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild,v 1.6 2004/11/28 11:52:23 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/ck-sources/ck-sources-2.6.9-r3.ebuild,v 1.7 2004/12/03 20:19:55 plasmaroo Exp $ UNIPATCH_LIST="${DISTDIR}/patch-${KV}.bz2 ${FILESDIR}/${P}.binfmt_elf.patch ${FILESDIR}/${P}.binfmt_a.out.patch - ${FILESDIR}/${P}.AF_UNIX.patch" + ${FILESDIR}/${P}.AF_UNIX.patch + ${FILESDIR}/${P}.vma.patch" K_PREPATCHED="yes" UNIPATCH_STRICTORDER="yes" diff --git a/sys-kernel/ck-sources/files/ck-sources-2.6.9.vma.patch b/sys-kernel/ck-sources/files/ck-sources-2.6.9.vma.patch new file mode 100644 index 000000000000..a335bfc2e269 --- /dev/null +++ b/sys-kernel/ck-sources/files/ck-sources-2.6.9.vma.patch @@ -0,0 +1,268 @@ +# This is a BitKeeper generated diff -Nru style patch. +# +# ChangeSet +# 2004/11/25 16:00:28-08:00 nanhai.zou@intel.com +# [PATCH] ia64/x86_64/s390 overlapping vma fix +# +# IA64 is also vulnerable to the huge-vma-in-executable bug in 64 bit elf +# support, it just insert a vma of zero page without checking overlap, so user +# can construct a elf with section begin from 0x0 to trigger this BUGON(). +# +# However, I think it's safe to check overlap before we actually insert a vma +# into vma list. And I also feel check vma overlap everywhere is unnecessary, +# because invert_vm_struct will check it again, so the check is duplicated. +# It's better to have invert_vm_struct return a value then let caller check if +# it successes. Here is a patch against 2.6.10.rc2-mm3 I have tested it on +# i386, x86_64 and ia64 machines. +# +# Signed-off-by: Tony Luck <tony.luck@intel.com> +# Signed-off-by: Zou Nan hai <Nanhai.zou@intel.com> +# Signed-off-by: Andrew Morton <akpm@osdl.org> +# Signed-off-by: Linus Torvalds <torvalds@osdl.org> +# +# arch/ia64/ia32/binfmt_elf32.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +21 -5 +# ia64/x86_64/s390 overlapping vma fix +# +# arch/ia64/mm/init.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +14 -2 +# ia64/x86_64/s390 overlapping vma fix +# +# arch/s390/kernel/compat_exec.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +6 -2 +# ia64/x86_64/s390 overlapping vma fix +# +# arch/x86_64/ia32/ia32_binfmt.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +6 -2 +# ia64/x86_64/s390 overlapping vma fix +# +# fs/exec.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +3 -6 +# ia64/x86_64/s390 overlapping vma fix +# +# include/linux/mm.h +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +1 -1 +# ia64/x86_64/s390 overlapping vma fix +# +# mm/mmap.c +# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +3 -2 +# ia64/x86_64/s390 overlapping vma fix +# +diff -Nru a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c +--- a/arch/ia64/ia32/binfmt_elf32.c 2004-12-03 12:01:20 -08:00 ++++ b/arch/ia64/ia32/binfmt_elf32.c 2004-12-03 12:01:20 -08:00 +@@ -100,7 +100,11 @@ + vma->vm_ops = &ia32_shared_page_vm_ops; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -123,7 +127,11 @@ + vma->vm_ops = &ia32_gate_page_vm_ops; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -142,7 +150,11 @@ + vma->vm_flags = VM_READ|VM_WRITE|VM_MAYREAD|VM_MAYWRITE; + down_write(¤t->mm->mmap_sem); + { +- insert_vm_struct(current->mm, vma); ++ if (insert_vm_struct(current->mm, vma)) { ++ kmem_cache_free(vm_area_cachep, vma); ++ up_write(¤t->mm->mmap_sem); ++ return; ++ } + } + up_write(¤t->mm->mmap_sem); + } +@@ -190,7 +202,7 @@ + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -225,7 +237,11 @@ + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC)? + PAGE_COPY_EXEC: PAGE_COPY; +- insert_vm_struct(current->mm, mpnt); ++ if ((ret = insert_vm_struct(current->mm, mpnt))) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + current->mm->stack_vm = current->mm->total_vm = vma_pages(mpnt); + } + +diff -Nru a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c +--- a/arch/ia64/mm/init.c 2004-12-03 12:01:20 -08:00 ++++ b/arch/ia64/mm/init.c 2004-12-03 12:01:20 -08:00 +@@ -131,7 +131,13 @@ + vma->vm_end = vma->vm_start + PAGE_SIZE; + vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7]; + vma->vm_flags = VM_DATA_DEFAULT_FLAGS | VM_GROWSUP; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + + /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */ +@@ -143,7 +149,13 @@ + vma->vm_end = PAGE_SIZE; + vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT); + vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED; +- insert_vm_struct(current->mm, vma); ++ down_write(¤t->mm->mmap_sem); ++ if (insert_vm_struct(current->mm, vma)) { ++ up_write(¤t->mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, vma); ++ return; ++ } ++ up_write(¤t->mm->mmap_sem); + } + } + } +diff -Nru a/arch/s390/kernel/compat_exec.c b/arch/s390/kernel/compat_exec.c +--- a/arch/s390/kernel/compat_exec.c 2004-12-03 12:01:20 -08:00 ++++ b/arch/s390/kernel/compat_exec.c 2004-12-03 12:01:20 -08:00 +@@ -39,7 +39,7 @@ + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -68,7 +68,11 @@ + /* executable stack setting would be applied here */ + mpnt->vm_page_prot = PAGE_COPY; + mpnt->vm_flags = VM_STACK_FLAGS; +- insert_vm_struct(mm, mpnt); ++ if ((ret = insert_vm_struct(mm, mpnt))) { ++ up_write(&mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + mm->stack_vm = mm->total_vm = vma_pages(mpnt); + } + +diff -Nru a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c +--- a/arch/x86_64/ia32/ia32_binfmt.c 2004-12-03 12:01:20 -08:00 ++++ b/arch/x86_64/ia32/ia32_binfmt.c 2004-12-03 12:01:20 -08:00 +@@ -334,7 +334,7 @@ + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + + stack_base = IA32_STACK_TOP - MAX_ARG_PAGES * PAGE_SIZE; + mm->arg_start = bprm->p + stack_base; +@@ -368,7 +368,11 @@ + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC) ? + PAGE_COPY_EXEC : PAGE_COPY; +- insert_vm_struct(mm, mpnt); ++ if ((ret = insert_vm_struct(mm, mpnt))) { ++ up_write(&mm->mmap_sem); ++ kmem_cache_free(vm_area_cachep, mpnt); ++ return ret; ++ } + mm->stack_vm = mm->total_vm = vma_pages(mpnt); + } + +diff -Nru a/fs/exec.c b/fs/exec.c +--- a/fs/exec.c 2004-12-03 12:01:20 -08:00 ++++ b/fs/exec.c 2004-12-03 12:01:20 -08:00 +@@ -342,7 +342,7 @@ + unsigned long stack_base; + struct vm_area_struct *mpnt; + struct mm_struct *mm = current->mm; +- int i; ++ int i, ret; + long arg_size; + + #ifdef CONFIG_STACK_GROWSUP +@@ -413,7 +413,6 @@ + + down_write(&mm->mmap_sem); + { +- struct vm_area_struct *vma; + mpnt->vm_mm = mm; + #ifdef CONFIG_STACK_GROWSUP + mpnt->vm_start = stack_base; +@@ -434,13 +433,11 @@ + mpnt->vm_flags = VM_STACK_FLAGS; + mpnt->vm_flags |= mm->def_flags; + mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7]; +- vma = find_vma(mm, mpnt->vm_start); +- if (vma) { ++ if ((ret = insert_vm_struct(mm, mpnt))) { + up_write(&mm->mmap_sem); + kmem_cache_free(vm_area_cachep, mpnt); +- return -ENOMEM; ++ return ret; + } +- insert_vm_struct(mm, mpnt); + mm->stack_vm = mm->total_vm = vma_pages(mpnt); + } + +diff -Nru a/include/linux/mm.h b/include/linux/mm.h +--- a/include/linux/mm.h 2004-12-03 12:01:20 -08:00 ++++ b/include/linux/mm.h 2004-12-03 12:01:20 -08:00 +@@ -675,7 +675,7 @@ + extern struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *); + extern int split_vma(struct mm_struct *, + struct vm_area_struct *, unsigned long addr, int new_below); +-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *); ++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *); + extern void __vma_link_rb(struct mm_struct *, struct vm_area_struct *, + struct rb_node **, struct rb_node *); + extern struct vm_area_struct *copy_vma(struct vm_area_struct **, +diff -Nru a/mm/mmap.c b/mm/mmap.c +--- a/mm/mmap.c 2004-12-03 12:01:20 -08:00 ++++ b/mm/mmap.c 2004-12-03 12:01:20 -08:00 +@@ -1871,7 +1871,7 @@ + * and into the inode's i_mmap tree. If vm_file is non-NULL + * then i_mmap_lock is taken here. + */ +-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) ++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma) + { + struct vm_area_struct * __vma, * prev; + struct rb_node ** rb_link, * rb_parent; +@@ -1894,8 +1894,9 @@ + } + __vma = find_vma_prepare(mm,vma->vm_start,&prev,&rb_link,&rb_parent); + if (__vma && __vma->vm_start < vma->vm_end) +- BUG(); ++ return -ENOMEM; + vma_link(mm, vma, prev, rb_link, rb_parent); ++ return 0; + } + + /* |