[kernel/f13/master] CVE-2010-4169: perf_events: denial-of-service bug

Chuck Ebbert cebbert at fedoraproject.org
Sat Dec 11 03:35:14 UTC 2010


commit 6685a27880b098c5e30b9a77fe4aa01e4164aad4
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Fri Dec 10 22:34:55 2010 -0500

    CVE-2010-4169: perf_events: denial-of-service bug

 kernel.spec                                        |    5 ++
 ...ts-fix-perf_counter_mmap-hook-in-mprotect.patch |   46 ++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index e20ccc5..f16b00d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -889,6 +889,8 @@ Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
 # CVE-2010-4258
 Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+# CVE-2010-4169
+Patch13915: perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
 
 %endif
 
@@ -1703,6 +1705,8 @@ ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
 # CVE-2010-4258
 ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+# CVE-2010-4169
+ApplyPatch perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2332,6 +2336,7 @@ fi
 - CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
 - CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new()
 - CVE-2010-4258: failure to revert address limit override in OOPS error path
+- CVE-2010-4169: perf_events: denial-of-service bug
 
 * Thu Dec 09 2010 Kyle McMartin <kyle at redhat.com>
 - ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
diff --git a/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch b/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
new file mode 100644
index 0000000..a2883a2
--- /dev/null
+++ b/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
@@ -0,0 +1,46 @@
+From: Pekka Enberg <penberg at kernel.org>
+Date: Mon, 8 Nov 2010 19:29:07 +0000 (+0200)
+Subject: perf_events: Fix perf_counter_mmap() hook in mprotect()
+X-Git-Tag: v2.6.37-rc2~72
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63bfd7384b119409685a17d5c58f0b56e5dc03da
+
+perf_events: Fix perf_counter_mmap() hook in mprotect()
+
+As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
+mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
+merging. Fix the problem by moving perf_event_mmap() hook to
+mprotect_fixup().
+
+Note: there's another successful return path from mprotect_fixup() if old
+flags equal to new flags. We don't, however, need to call
+perf_event_mmap() there because 'perf' already knows the VMA is
+executable.
+
+Reported-by: Dave Jones <davej at redhat.com>
+Analyzed-by: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Ingo Molnar <mingo at elte.hu>
+Reviewed-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Signed-off-by: Pekka Enberg <penberg at kernel.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index 2d1bf7c..4c51338 100644
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -211,6 +211,7 @@ success:
+ 	mmu_notifier_invalidate_range_end(mm, start, end);
+ 	vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
+ 	vm_stat_account(mm, newflags, vma->vm_file, nrpages);
++	perf_event_mmap(vma);
+ 	return 0;
+ 
+ fail:
+@@ -299,7 +300,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ 		error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
+ 		if (error)
+ 			goto out;
+-		perf_event_mmap(vma);
+ 		nstart = tmp;
+ 
+ 		if (nstart < prev->vm_end)
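Review bot: The relocated `perf_event_mmap(vma)` under `success:` carries no comment recording why it has to live inside mprotect_fixup(), even though that placement is the whole fix: per the description, the caller's `vma` can already have been freed by merging by the time mprotect_fixup() returns, so invoking the hook from the mprotect() loop was a use-after-free, not merely the "denial-of-service" the changelog line names. A one-line comment above the call, `/* Must stay here: merging earlier in this function may have freed the caller's vma. */`, would keep a later cleanup from hoisting the hook back to the call site. The description also says the early-return path taken when old and new flags are equal deliberately skips the hook; neither that path nor the assignment that makes `vma` the post-merge VMA at `success:` is visible, since mprotect_fixup() begins outside the hunk and only its tail is shown, and the mprotect() loop likewise continues past the hunk, so both should be confirmed against the whole function.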

