[kernel/f14] Fix address wrapping in stack expansion code.
Chuck Ebbert
cebbert at fedoraproject.org
Sat May 21 17:12:52 UTC 2011
commit fcf92486278252f98ab7c203c7e9510009ed9324
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Sat May 21 13:13:37 2011 -0400
Fix address wrapping in stack expansion code.
kernel.spec | 7 +++
vm-fix-vm_pgoff-wrap-in-stack-expansion.patch | 50 +++++++++++++++++++++++++
2 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 105effc..2c15112 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -855,6 +855,9 @@ Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
# cve-2011-1770
Patch13980: dccp-handle-invalid-feature-options-length.patch
+# the rest of the pgoff wrap fix
+Patch13990: vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
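Review bot: the comment above the new Patch13990 line says only "the rest of the pgoff wrap fix", while the neighbouring entries name what they address (for example `# cve-2011-1770`); for the same traceability, name the upstream commit from the patch header here, e.g. `# the rest of the pgoff wrap fix (upstream a626ca6a6564, "vm: fix vm_pgoff wrap in stack expansion")`. The number 13990 continues the existing 13980 sequence and the definition sits inside the same conditional block as the patches before it, so the placement itself is consistent.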
@@ -1609,6 +1612,9 @@ ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
# cve-2011-1770
ApplyPatch dccp-handle-invalid-feature-options-length.patch
+# the rest of the pgoff wrap fix
+ApplyPatch vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2198,6 +2204,7 @@ fi
* Fri May 20 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.13-92
- Add the rest of the fix for bug #704059
- dccp: handle invalid feature options length (CVE-2011-1770)
+- Fix address wrapping in stack expansion code.
* Wed May 18 2011 Chuck Ebbert <cebbert at redhat.com>
- Fix cifs bug in 2.6.35.13 with old Windows servers (#704125)
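Review bot: the new changelog line is appended to the existing `Fri May 20 2011 ... 2.6.35.13-92` entry although this commit is dated May 21 and the release is not bumped; that is fine only if -92 has not yet been built, otherwise it should be a new dated entry with an incremented release. The line also carries no reference while its sibling lines cite a bug number or CVE; consider `- Fix address wrapping in stack expansion code (upstream a626ca6a6564)` so the patch can be traced from the changelog alone.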
diff --git a/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch b/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
new file mode 100644
index 0000000..da1ddfd
--- /dev/null
+++ b/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
@@ -0,0 +1,50 @@
+From a626ca6a656450e9f4df91d0dda238fff23285f4 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 13 Apr 2011 08:07:28 -0700
+Subject: vm: fix vm_pgoff wrap in stack expansion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds at linux-foundation.org>
+
+commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.
+
+Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
+the case of a expanding mapping causing vm_pgoff wrapping when you used
+mremap. But there was another case where we expand mappings hiding in
+plain sight: the automatic stack expansion.
+
+This fixes that case too.
+
+This one also found by Robert Święcki, using his nasty system call
+fuzzer tool. Good job.
+
+Reported-and-tested-by: Robert Święcki <robert at swiecki.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ mm/mmap.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1814,10 +1814,13 @@ static int expand_downwards(struct vm_ar
+ size = vma->vm_end - address;
+ grow = (vma->vm_start - address) >> PAGE_SHIFT;
+
+- error = acct_stack_growth(vma, size, grow);
+- if (!error) {
+- vma->vm_start = address;
+- vma->vm_pgoff -= grow;
++ error = -ENOMEM;
++ if (grow <= vma->vm_pgoff) {
++ error = acct_stack_growth(vma, size, grow);
++ if (!error) {
++ vma->vm_start = address;
++ vma->vm_pgoff -= grow;
++ }
+ }
+ }
+ vma_unlock_anon_vma(vma);
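Review bot: in the mm/mmap.c hunk the guard `if (grow <= vma->vm_pgoff)` is the whole fix and is correct as written: `grow` is computed as `(vma->vm_start - address) >> PAGE_SHIFT` and `vm_pgoff` is also a page count, so the comparison is in consistent units and rejects exactly the expansion that would carry `vma->vm_pgoff -= grow` below zero, and it runs before acct_stack_growth() so nothing is charged for a rejected expansion. Two things to confirm for the 2.6.35 backport: that `error = -ENOMEM` is the intended result for this path (the caller sees it as an ordinary failed stack fault rather than a distinct error, which matches upstream), and that expand_upwards() needs no counterpart, since vm_pgoff only moves when vm_start does. The patch file keeps the stable-tree "commit ... upstream." line and both Signed-off-bys, which is the right form for a cherry-pick in this tree.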
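To make the wrap concrete, here is an added user-space model of the expand_downwards() bookkeeping that the patch guards. It is not code from this page or from the Linux kernel: `struct vma_model`, the constructed four-page mapping with `vm_pgoff == 2`, and every function name are invented for the illustration. It runs the pre-fix decrement and the fixed `grow <= vm_pgoff` check side by side on the same mapping, so the wrapped page offset and the -ENOMEM refusal can both be seen.

```c
/* Added illustration, not code from this page or from the Linux kernel: a
 * user-space model of the vm_pgoff bookkeeping in expand_downwards() that
 * upstream commit a626ca6a656450e9f4df91d0dda238fff23285f4 guards.  The
 * struct vma_model and every function below are invented for this example.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Only the fields of the kernel's vm_area_struct that the fix touches. */
struct vma_model {
	unsigned long vm_start;  /* lowest address of the mapping */
	unsigned long vm_end;    /* one past the highest address */
	unsigned long vm_pgoff;  /* offset of vm_start in the backing object, in pages */
};

/* Constructed scenario: a four-page growsdown mapping whose vm_start sits
 * only two pages into its backing object, so vm_pgoff == 2.  An anonymous
 * stack has vm_pgoff == vm_start >> PAGE_SHIFT and cannot wrap here; a
 * small vm_pgoff on a growsdown mapping is the case the fuzzer reached. */
static struct vma_model make_vma(void)
{
	struct vma_model v;

	v.vm_start = 0x7f0000010000UL;
	v.vm_end   = v.vm_start + 4 * PAGE_SIZE;
	v.vm_pgoff = 2;
	return v;
}

/* Pre-fix bookkeeping: vm_pgoff is decremented without checking that it
 * can absorb the growth, so it wraps through zero once grow > vm_pgoff. */
static int grow_down_unchecked(struct vma_model *vma, unsigned long address)
{
	unsigned long grow = (vma->vm_start - address) >> PAGE_SHIFT;

	vma->vm_start = address;
	vma->vm_pgoff -= grow;
	return 0;
}

/* Post-fix bookkeeping, mirroring the hunk: refuse with -ENOMEM unless
 * grow <= vm_pgoff, and leave the vma untouched on failure. */
static int grow_down_checked(struct vma_model *vma, unsigned long address)
{
	unsigned long grow = (vma->vm_start - address) >> PAGE_SHIFT;

	if (grow > vma->vm_pgoff)
		return -ENOMEM;
	vma->vm_start = address;
	vma->vm_pgoff -= grow;
	return 0;
}

/* A wrapped vm_pgoff exceeds the largest page index any byte offset can
 * have; that is how the corruption surfaces to later lookups that turn the
 * page offset back into a byte offset. */
static int pgoff_is_representable(unsigned long pgoff)
{
	return pgoff <= (ULONG_MAX >> PAGE_SHIFT);
}

/* Grow the constructed vma down by `pages` with the pre-fix code and
 * return the resulting vm_pgoff. */
static unsigned long pgoff_after_unchecked(unsigned long pages)
{
	struct vma_model v = make_vma();

	grow_down_unchecked(&v, v.vm_start - pages * PAGE_SIZE);
	return v.vm_pgoff;
}

/* Grow the constructed vma down by `pages` with the fixed code; one helper
 * returns the status, the other the vm_pgoff left behind. */
static int checked_grow_status(unsigned long pages)
{
	struct vma_model v = make_vma();

	return grow_down_checked(&v, v.vm_start - pages * PAGE_SIZE);
}

static unsigned long pgoff_after_checked(unsigned long pages)
{
	struct vma_model v = make_vma();

	grow_down_checked(&v, v.vm_start - pages * PAGE_SIZE);
	return v.vm_pgoff;
}

int main(void)
{
	unsigned long wrapped = pgoff_after_unchecked(5);

	printf("unchecked: grow 5 pages past pgoff 2 -> vm_pgoff %#lx (%s)\n",
	       wrapped, pgoff_is_representable(wrapped) ? "sane" : "WRAPPED");
	printf("checked:   grow 5 pages past pgoff 2 -> err %d, vm_pgoff %lu\n",
	       checked_grow_status(5), pgoff_after_checked(5));
	return 0;
}
```

Growing by two pages succeeds in both versions and leaves `vm_pgoff` at 0; growing by five pages wraps `vm_pgoff` to `ULONG_MAX - 2` in the unchecked version, while the checked version returns -ENOMEM and leaves the mapping exactly as it was.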