rpms/kernel/devel linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch, NONE, 1.1 TODO, 1.12, 1.13 kernel.spec, 1.1037, 1.1038

Chuck Ebbert cebbert at fedoraproject.org
Fri Oct 10 01:06:12 UTC 2008


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13406

Modified Files:
	TODO kernel.spec 
Added Files:
	linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch 
Log Message:
Fix possible oops in get_wchan()

linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch:

--- NEW FILE linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch ---
From: David Rientjes <rientjes at google.com>
Date: Tue, 7 Oct 2008 21:15:11 +0000 (-0700)
Subject: x86: avoid dereferencing beyond stack + THREAD_SIZE
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=60e6258cd43f9b06884f04f0f7cefb9c40f17a32

x86: avoid dereferencing beyond stack + THREAD_SIZE

It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE
while iterating through instruction pointers if fp equals the upper boundary,
causing a kernel panic.

Signed-off-by: David Rientjes <rientjes at google.com>
Signed-off-by: Ingo Molnar <mingo at elte.hu>
---

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index e12e0e4..5a7c539 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -729,12 +729,12 @@ unsigned long get_wchan(struct task_struct *p)
 	if (!p || p == current || p->state==TASK_RUNNING)
 		return 0; 
 	stack = (unsigned long)task_stack_page(p);
-	if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE)
+	if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
 		return 0;
 	fp = *(u64 *)(p->thread.sp);
 	do { 
 		if (fp < (unsigned long)stack ||
-		    fp > (unsigned long)stack+THREAD_SIZE)
+		    fp >= (unsigned long)stack+THREAD_SIZE)
 			return 0; 
 		ip = *(u64 *)(fp+8);
 		if (!in_sched_functions(ip))
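Review bot: the tightened `>=` checks stop `p->thread.sp` and `fp` themselves from landing on `stack+THREAD_SIZE`, but the read two lines later, `ip = *(u64 *)(fp+8);`, still touches the boundary when `fp == stack+THREAD_SIZE-8`: `fp` passes the new test and the load covers bytes `[stack+THREAD_SIZE, stack+THREAD_SIZE+8)`, which is the same one-past-the-stack dereference the patch sets out to remove. Since the loop reads two words from `fp` (the saved frame pointer at `fp` and the return address at `fp+8`), the upper bound should leave room for both, e.g. `fp > (unsigned long)stack+THREAD_SIZE-16`, or the limit should be expressed as `top - 2*sizeof(u64)` with a comment stating why. A one-line comment on the `p->thread.sp` check explaining that an 8-byte load at the bound is why `>=` is required would also help the next reader see that the two conditions guard different access widths.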


Index: TODO
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/TODO,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- TODO	9 Oct 2008 23:38:54 -0000	1.12
+++ TODO	10 Oct 2008 01:05:41 -0000	1.13
@@ -149,3 +149,9 @@
 percpu_counter_sum_cleanup.patch
 	EXT4 bits for 2.6.28
 	Eric looks after this stuff.
+
+linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch
+	from Ingo's x86/urgent tree, should have been in 2.6.27
+
+linux-2.6-x86-improve-up-kernel-when-cpu-hotplug-and-smp.patch
+	scheduled for 2.6.28, should go in 2.6.27-stable after merging
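Review bot: the new TODO entry for linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch says only "from Ingo's x86/urgent tree, should have been in 2.6.27"; recording the upstream commit id from the patch header (60e6258cd43f9b06884f04f0f7cefb9c40f17a32) next to it would make it straightforward to confirm later whether the fix has reached 2.6.27-stable and the patch can be dropped, which is the purpose the entry serves.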


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.1037
retrieving revision 1.1038
diff -u -r1.1037 -r1.1038
--- kernel.spec	10 Oct 2008 00:26:03 -0000	1.1037
+++ kernel.spec	10 Oct 2008 01:05:41 -0000	1.1038
@@ -585,6 +585,7 @@
 Patch41: linux-2.6-sysrq-c.patch
 Patch42: linux-2.6-x86-tune-generic.patch
 Patch43: linux-2.6-x86-improve-up-kernel-when-cpu-hotplug-and-smp.patch
+Patch44: linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch
 
 Patch140: linux-2.6-ps3-ehci-iso.patch
 Patch141: linux-2.6-ps3-storage-alias.patch
@@ -1060,6 +1061,8 @@
 ApplyPatch linux-2.6-x86-tune-generic.patch
 # detect single CPU present at boot properly
 ApplyPatch linux-2.6-x86-improve-up-kernel-when-cpu-hotplug-and-smp.patch
+# don't oops in get_wchan()
+ApplyPatch linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch
 
 #
 # PowerPC
@@ -1822,6 +1825,9 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
+* Thu Oct 09 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.27-2
+- Fix possible oops in get_wchan()
+
 * Thu Oct 09 2008 Dave Jones <davej at redhat.com>
 - 2.6.27
 