Author: dannf Date: Wed Feb 13 22:19:19 2008 New Revision: 10535 Log: * hugetlb-prio_tree-unit-fix.dpatch [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree which could be used to trigger a BUG_ON() call in exit_mmap. See CVE-2007-4133
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 22:19:19 2008 @@ -48,8 +48,12 @@ * bugfix/cifs-honor-umask.dpatch [SECURITY] Make CIFS honor a process' umask See CVE-2007-3740 + * hugetlb-prio_tree-unit-fix.dpatch + [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree + which could be used to trigger a BUG_ON() call in exit_mmap. + See CVE-2007-4133 - -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 14:12:35 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 15:18:17 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch Wed Feb 13 22:19:19 2008 
@@ -0,0 +1,88 @@ +From: Hugh Dickins <[EMAIL PROTECTED]> +Date: Sat, 28 Oct 2006 17:38:43 +0000 (-0700) +Subject: [PATCH] hugetlb: fix prio_tree unit +X-Git-Tag: v2.6.19-rc4~50 +X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=856fc29505556cf263f3dcda2533cf3766c14ab6 + +[PATCH] hugetlb: fix prio_tree unit + +hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in +units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas +its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be +absurdly sparse). + +At first I thought the error benign, just calling __unmap_hugepage_range on +more vmas than necessary; but on 32-bit machines, when the prio_tree is +searched correctly, it happens to ensure the v_offset calculation won't +overflow. As it stood, when truncating at or beyond 4GB, it was liable to +discard pages COWed from lower offsets; or even to clear pmd entries of +preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes). + +Signed-off-by: Hugh Dickins <[EMAIL PROTECTED]> +Cc: Adam Litke <[EMAIL PROTECTED]> +Cc: David Gibson <[EMAIL PROTECTED]> +Cc: "Chen, Kenneth W" <[EMAIL PROTECTED]> +Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c kernel-source-2.6.8/fs/hugetlbfs/inode.c +--- kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c 2004-08-13 23:37:40.000000000 -0600 ++++ kernel-source-2.6.8/fs/hugetlbfs/inode.c 2008-02-13 14:54:51.000000000 -0700 +@@ -265,28 +265,26 @@ static void hugetlbfs_drop_inode(struct + hugetlbfs_forget_inode(inode); + } + +-/* +- * h_pgoff is in HPAGE_SIZE units. +- * vma->vm_pgoff is in PAGE_SIZE units. 
+- */ + static inline void +-hugetlb_vmtruncate_list(struct prio_tree_root *root, unsigned long h_pgoff) ++hugetlb_vmtruncate_list(struct prio_tree_root *root, pgoff_t pgoff) + { + struct vm_area_struct *vma = NULL; + struct prio_tree_iter iter; + + while ((vma = vma_prio_tree_next(vma, root, &iter, +- h_pgoff, ULONG_MAX)) != NULL) { +- unsigned long h_vm_pgoff; ++ pgoff, ULONG_MAX)) != NULL) { + unsigned long v_length; + unsigned long v_offset; + +- h_vm_pgoff = vma->vm_pgoff >> (HPAGE_SHIFT - PAGE_SHIFT); +- v_offset = (h_pgoff - h_vm_pgoff) << HPAGE_SHIFT; + /* +- * Is this VMA fully outside the truncation point? ++ * Can the expression below overflow on 32-bit arches? ++ * No, because the prio_tree returns us only those vmas ++ * which overlap the truncated area starting at pgoff, ++ * and no vma on a 32-bit arch can span beyond the 4GB. + */ +- if (h_vm_pgoff >= h_pgoff) ++ if (vma->vm_pgoff < pgoff) ++ v_offset = (pgoff - vma->vm_pgoff) << PAGE_SHIFT; ++ else + v_offset = 0; + + v_length = vma->vm_end - vma->vm_start; +@@ -302,14 +300,14 @@ hugetlb_vmtruncate_list(struct prio_tree + */ + static int hugetlb_vmtruncate(struct inode *inode, loff_t offset) + { +- unsigned long pgoff; ++ pgoff_t pgoff; + struct address_space *mapping = inode->i_mapping; + + if (offset > inode->i_size) + return -EINVAL; + + BUG_ON(offset & ~HPAGE_MASK); +- pgoff = offset >> HPAGE_SHIFT; ++ pgoff = offset >> PAGE_SHIFT; + + inode->i_size = offset; + spin_lock(&mapping->i_mmap_lock); Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Wed Feb 13 22:19:19 2008 
@@ -13,3 +13,4 @@ + isdn-net-overflow.dpatch + prevent-stack-growth-into-hugetlb-region.dpatch + cifs-honor-umask.dpatch ++ hugetlb-prio_tree-unit-fix.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
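Review bot: In the debian/changelog hunk, the new entry names the patch as `hugetlb-prio_tree-unit-fix.dpatch` while the entry directly above it uses a `bugfix/` prefix (`bugfix/cifs-honor-umask.dpatch`); the series file lists both without any prefix, so the two changelog entries should be written the same way to avoid suggesting the files live in different directories.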
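Review bot: In the `@@ -265,28 +265,26 @@` hunk of fs/hugetlbfs/inode.c, the removed header comment ("h_pgoff is in HPAGE_SIZE units. vma->vm_pgoff is in PAGE_SIZE units.") is not replaced by any statement of the new convention, only by the in-loop overflow note; since mixing HPAGE_SIZE and PAGE_SIZE units was the root cause here, and the description says the file's radix_tree still uses HPAGE_SIZE units, a one-line comment above `hugetlb_vmtruncate_list(struct prio_tree_root *root, pgoff_t pgoff)` saying that `pgoff` is in PAGE_SIZE units like `vma->vm_pgoff` would help the next reader. The hunk also ends at `v_length = vma->vm_end - vma->vm_start;` and the lines that compare `v_offset` against `v_length` fall outside the context shown, so the reviewer should confirm those lines already worked in byte units and need no corresponding change.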
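Review bot: In the `@@ -302,14 +300,14 @@` hunk, `pgoff = offset >> PAGE_SHIFT;` is the only caller of `hugetlb_vmtruncate_list` visible in this patch, and because the parameter type only changed from `unsigned long` to `pgoff_t` (both unsigned long), the compiler will not flag any other caller that still passes a value in HPAGE_SIZE units; please confirm `hugetlb_vmtruncate` is the sole caller in the 2.6.8 tree. The retained `BUG_ON(offset & ~HPAGE_MASK);` keeps the truncation point huge-page aligned, so the page-unit `pgoff` is still a multiple of HPAGE_SIZE/PAGE_SIZE, which is what the radix_tree side of this file relies on.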