Date: Saturday, June 24, 2017 @ 07:52:30 Author: tpowa Revision: 299189
upgpkg: linux 4.11.7-1 bump to latest version Deleted: linux/trunk/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch linux/trunk/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch linux/trunk/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch ----------------------------------------------------------------------------+ CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch | 45 --------- CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch | 47 ---------- 2 files changed, 92 deletions(-) Deleted: CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch =================================================================== --- CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch 2017-06-24 07:49:57 UTC (rev 299188) +++ CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch 2017-06-24 07:52:30 UTC (rev 299189) @@ -1,45 +0,0 @@ -From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001 -From: Helge Deller <del...@gmx.de> -Date: Mon, 19 Jun 2017 17:34:05 +0200 -Subject: [PATCH] Allow stack to grow up to address space limit - -Fix expand_upwards() on architectures with an upward-growing stack (parisc, -metag and partly IA-64) to allow the stack to reliably grow exactly up to -the address space limit given by TASK_SIZE. - -Signed-off-by: Helge Deller <del...@gmx.de> -Acked-by: Hugh Dickins <hu...@google.com> -Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> ---- - mm/mmap.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/mm/mmap.c b/mm/mmap.c -index 290b77d9a01e0..a5e3dcd75e79f 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) - if (!(vma->vm_flags & VM_GROWSUP)) - return -EFAULT; - -- /* Guard against wrapping around to address 0. */ -+ /* Guard against exceeding limits of the address space. */ - address &= PAGE_MASK; -- address += PAGE_SIZE; -- if (!address) -+ if (address >= TASK_SIZE) - return -ENOMEM; -+ address += PAGE_SIZE; - - /* Enforce stack_guard_gap */ - gap_addr = address + stack_guard_gap; -- if (gap_addr < address) -- return -ENOMEM; -+ -+ /* Guard against overflow */ -+ if (gap_addr < address || gap_addr > TASK_SIZE) -+ gap_addr = TASK_SIZE; -+ - next = vma->vm_next; - if (next && next->vm_start < gap_addr) { - if (!(next->vm_flags & VM_GROWSUP)) Deleted: CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch =================================================================== --- CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch 2017-06-24 07:49:57 UTC (rev 299188) +++ CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch 2017-06-24 07:52:30 UTC (rev 299189) @@ -1,47 +0,0 @@ -From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001 -From: Hugh Dickins <hu...@google.com> -Date: Tue, 20 Jun 2017 02:10:44 -0700 -Subject: [PATCH] mm: fix new crash in unmapped_area_topdown() - -Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of -mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the -end of unmapped_area_topdown(). Linus points out how MAP_FIXED -(which does not have to respect our stack guard gap intentions) -could result in gap_end below gap_start there. Fix that, and -the similar case in its alternative, unmapped_area(). - -Cc: sta...@vger.kernel.org -Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") -Reported-by: Dave Jones <da...@codemonkey.org.uk> -Debugged-by: Linus Torvalds <torva...@linux-foundation.org> -Signed-off-by: Hugh Dickins <hu...@google.com> -Acked-by: Michal Hocko <mho...@suse.com> -Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> ---- - mm/mmap.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/mm/mmap.c b/mm/mmap.c -index 8e07976d5e477..290b77d9a01e0 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) - /* Check if current node has a suitable gap */ - if (gap_start > high_limit) - return -ENOMEM; -- if (gap_end >= low_limit && gap_end - gap_start >= length) -+ if (gap_end >= low_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit right subtree if it looks promising */ -@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) - gap_end = vm_start_gap(vma); - if (gap_end < low_limit) - return -ENOMEM; -- if (gap_start <= high_limit && gap_end - gap_start >= length) -+ if (gap_start <= high_limit && -+ gap_end > gap_start && gap_end - gap_start >= length) - goto found; - - /* Visit left subtree if it looks promising */ Deleted: CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch =================================================================== (Binary files differ)