rpms/kernel/F-13 hugetlb-fix-infinite-loop-in-get-futex-key.patch, NONE, 1.1 reiserfs-fix-permissions-on-reiserfs-priv.patch, NONE, 1.1 kernel.spec, 1.2002, 1.2003

Chuck Ebbert cebbert at fedoraproject.org
Tue Apr 27 04:14:55 UTC 2010 

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv2563

Modified Files:
	kernel.spec 
Added Files:
	hugetlb-fix-infinite-loop-in-get-futex-key.patch 
	reiserfs-fix-permissions-on-reiserfs-priv.patch 
Log Message:
hugetlb-fix-infinite-loop-in-get-futex-key.patch (F12#552557)
reiserfs-fix-permissions-on-reiserfs-priv.patch (CVE-2010-1146)

hugetlb-fix-infinite-loop-in-get-futex-key.patch:
 include/linux/poison.h |    9 +++++++++
 mm/hugetlb.c           |    5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

--- NEW FILE hugetlb-fix-infinite-loop-in-get-futex-key.patch ---
From: Mel Gorman <mel at csn.ul.ie>
Date: Fri, 23 Apr 2010 17:17:56 +0000 (-0400)
Subject: hugetlb: fix infinite loop in get_futex_key() when backed by huge pages
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=23be7468e8802a2ac1de6ee3eecb3ec7f14dc703

hugetlb: fix infinite loop in get_futex_key() when backed by huge pages

If a futex key happens to be located within a huge page mapped
MAP_PRIVATE, get_futex_key() can go into an infinite loop waiting for a
page->mapping that will never exist.

See https://bugzilla.redhat.com/show_bug.cgi?id=552257 for more details
about the problem.

This patch makes page->mapping a poisoned value that includes
PAGE_MAPPING_ANON mapped MAP_PRIVATE.  This is enough for futex to
continue but because of PAGE_MAPPING_ANON, the poisoned value is not
dereferenced or used by futex.  No other part of the VM should be
dereferencing the page->mapping of a hugetlbfs page as its page cache is
not on the LRU.

This patch fixes the problem with the test case described in the bugzilla.

[akpm at linux-foundation.org: mel cant spel]
Signed-off-by: Mel Gorman <mel at csn.ul.ie>
Acked-by: Peter Zijlstra <peterz at infradead.org>
Acked-by: Darren Hart <darren at dvhart.com>
Cc: <stable at kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---

diff --git a/include/linux/poison.h b/include/linux/poison.h
index 2110a81..34066ff 100644
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -48,6 +48,15 @@
 #define POISON_FREE	0x6b	/* for use-after-free poisoning */
 #define	POISON_END	0xa5	/* end-byte of poisoning */
 
+/********** mm/hugetlb.c **********/
+/*
+ * Private mappings of hugetlb pages use this poisoned value for
+ * page->mapping. The core VM should not be doing anything with this mapping
+ * but futex requires the existence of some page->mapping value even though it
+ * is unused if PAGE_MAPPING_ANON is set.
+ */
+#define HUGETLB_POISON	((void *)(0x00300300 + POISON_POINTER_DELTA + PAGE_MAPPING_ANON))
+
 /********** arch/$ARCH/mm/init.c **********/
 #define POISON_FREE_INITMEM	0xcc
 
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 6034dc9..ffbdfc8 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -546,6 +546,7 @@ static void free_huge_page(struct page *page)
 
 	mapping = (struct address_space *) page_private(page);
 	set_page_private(page, 0);
+	page->mapping = NULL;
 	BUG_ON(page_count(page));
 	INIT_LIST_HEAD(&page->lru);
 
@@ -2447,8 +2448,10 @@ retry:
 			spin_lock(&inode->i_lock);
 			inode->i_blocks += blocks_per_huge_page(h);
 			spin_unlock(&inode->i_lock);
-		} else
+		} else {
 			lock_page(page);
+			page->mapping = HUGETLB_POISON;
+		}
 	}
 
 	/*

reiserfs-fix-permissions-on-reiserfs-priv.patch:
 dir.c   |    2 --
 xattr.c |   17 ++++-------------
 2 files changed, 4 insertions(+), 15 deletions(-)

--- NEW FILE reiserfs-fix-permissions-on-reiserfs-priv.patch ---
From: Jeff Mahoney <jeffm at suse.com>
Date: Fri, 23 Apr 2010 17:17:37 +0000 (-0400)
Subject: reiserfs: fix permissions on .reiserfs_priv
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cac36f707119b792b2396aed371d6b5cdc194890

reiserfs: fix permissions on .reiserfs_priv

Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove
privroot hiding in lookup") removed the magic from the lookup code to hide
the .reiserfs_priv directory since it was getting loaded at mount-time
instead.  The intent was that the entry would be hidden from the user via
a poisoned d_compare, but this was faulty.

This introduced a security issue where unprivileged users could access and
modify extended attributes or ACLs belonging to other users, including
root.

This patch resolves the issue by properly hiding .reiserfs_priv.  This was
the intent of the xattr poisoning code, but it appears to have never
worked as expected.  This is fixed by using d_revalidate instead of
d_compare.

This patch makes -oexpose_privroot a no-op.  I'm fine leaving it this way.
The effort involved in working out the corner cases wrt permissions and
caching outweigh the benefit of the feature.

Signed-off-by: Jeff Mahoney <jeffm at suse.com>
Acked-by: Edward Shishkin <edward.shishkin at gmail.com>
Reported-by: Matt McCutchen <matt at mattmccutchen.net>
Tested-by: Matt McCutchen <matt at mattmccutchen.net>
Cc: Frederic Weisbecker <fweisbec at gmail.com>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Cc: <stable at kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---

diff --git a/fs/reiserfs/dir.c b/fs/reiserfs/dir.c
index f8a6075..0793044 100644
--- a/fs/reiserfs/dir.c
+++ b/fs/reiserfs/dir.c
@@ -46,8 +46,6 @@ static inline bool is_privroot_deh(struct dentry *dir,
 				   struct reiserfs_de_head *deh)
 {
 	struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
-	if (reiserfs_expose_privroot(dir->d_sb))
-		return 0;
 	return (dir == dir->d_parent && privroot->d_inode &&
 	        deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
 }
diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
index 4f9586b..28f0a44 100644
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -973,21 +973,13 @@ int reiserfs_permission(struct inode *inode, int mask)
 	return generic_permission(inode, mask, NULL);
 }
 
-/* This will catch lookups from the fs root to .reiserfs_priv */
-static int
-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
+static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
 {
-	struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root;
-	if (container_of(q1, struct dentry, d_name) == priv_root)
-		return -ENOENT;
-	if (q1->len == name->len &&
-		   !memcmp(q1->name, name->name, name->len))
-		return 0;
-	return 1;
+	return -EPERM;
 }
 
 static const struct dentry_operations xattr_lookup_poison_ops = {
-	.d_compare = xattr_lookup_poison,
+	.d_revalidate = xattr_hide_revalidate,
 };
 
 int reiserfs_lookup_privroot(struct super_block *s)
@@ -1001,8 +993,7 @@ int reiserfs_lookup_privroot(struct super_block *s)
 				strlen(PRIVROOT_NAME));
 	if (!IS_ERR(dentry)) {
 		REISERFS_SB(s)->priv_root = dentry;
-		if (!reiserfs_expose_privroot(s))
-			s->s_root->d_op = &xattr_lookup_poison_ops;
+		dentry->d_op = &xattr_lookup_poison_ops;
 		if (dentry->d_inode)
 			dentry->d_inode->i_flags |= S_PRIVATE;
 	} else


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-13/kernel.spec,v
retrieving revision 1.2002
retrieving revision 1.2003
diff -u -p -r1.2002 -r1.2003
--- kernel.spec	26 Apr 2010 21:50:39 -0000	1.2002
+++ kernel.spec	27 Apr 2010 04:14:54 -0000	1.2003
@@ -831,6 +831,11 @@ Patch12416: iwlwifi_-iwl_good_ack_health
 # should be upstream soon
 Patch12500: linux-2.6-creds_are_invalid-race.patch
 
+# RHBZ#552257
+Patch12600: hugetlb-fix-infinite-loop-in-get-futex-key.patch
+# CVE-2010-1146
+Patch12610: reiserfs-fix-permissions-on-reiserfs-priv.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1511,6 +1516,11 @@ ApplyPatch iwlwifi_-iwl_good_ack_health-
 # RHBZ#583843
 ApplyPatch linux-2.6-creds_are_invalid-race.patch
 
+# RHBZ#552257
+ApplyPatch hugetlb-fix-infinite-loop-in-get-futex-key.patch
+# CVE-2010-1146
+ApplyPatch reiserfs-fix-permissions-on-reiserfs-priv.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2160,6 +2170,10 @@ fi
 # and build.
 
 %changelog
+* Mon Apr 26 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.33.2-67
+- hugetlb-fix-infinite-loop-in-get-futex-key.patch (F12#552557)
+- reiserfs-fix-permissions-on-reiserfs-priv.patch (CVE-2010-1146)
+
 * Mon Apr 26 2010 Chuck Ebbert <cebbert at redhat.com>  2.6.33.2-66
 - Turn off debugging and enable debug kernel builds.

More information about the scm-commits mailing list