Author: tomwij |
Date: 2013-08-29 12:24:04 +0000 (Thu, 29 Aug 2013) |
New Revision: 2498 |
|
Added: |
genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch |
Modified: |
genpatches-2.6/trunk/3.10.7/0000_README |
Log: |
fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8. |
|
Modified: genpatches-2.6/trunk/3.10.7/0000_README |
13 |
=================================================================== |
14 |
--- genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:09:12 UTC (rev 2497) |
15 |
+++ genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:24:04 UTC (rev 2498) |
16 |
@@ -67,6 +67,10 @@ |
17 |
From: http://www.kernel.org |
18 |
Desc: Linux 3.10.7 |
19 |
|
20 |
+Patch: 1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch |
21 |
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f |
22 |
+Desc: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8. |
23 |
+ |
24 |
Patch: 1500_XATTR_USER_PREFIX.patch |
25 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
26 |
Desc: Support for namespace user.pax.* on tmpfs. |
27 |
|
28 |
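--- a/genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
+++ b/genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
@@ -0,0 +1,67 @@
+From f30d87b004dcb4b260dcb2667d5ef6998f4aac1f Mon Sep 17 00:00:00 2001
+From: yonghua zheng <younghua.zheng@×××××.com>
+Date: Tue, 13 Aug 2013 23:01:03 +0000
+Subject: fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
+
+Recently we met quite a lot of random kernel panic issues after enabling
+CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+to do with following bug in pagemap:
+
+In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+buffer, it is a mistake to compare pos and len in add_page_map() for
+checking buffer is full or not, and this can lead to buffer overflow and
+random kernel panic issue.
+
+Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+[akpm@××××××××××××××××.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+Signed-off-by: Yonghua Zheng <younghua.zheng@×××××.com>
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@×××××××××××××××.org>
+
+---
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3e636d8..65fc60a 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -792,14 +792,14 @@ typedef struct {
+ } pagemap_entry_t;
+
+ struct pagemapread {
+- int pos, len;
++ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */
+ pagemap_entry_t *buffer;
+ };
+
+ #define PAGEMAP_WALK_SIZE (PMD_SIZE)
+ #define PAGEMAP_WALK_MASK (PMD_MASK)
+
+-#define PM_ENTRY_BYTES sizeof(u64)
++#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
+ #define PM_STATUS_BITS 3
+ #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
+ #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
+@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!count)
+ goto out_task;
+
+- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
++ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
++ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
+ ret = -ENOMEM;
+ if (!pm.buffer)
+ goto out_task;
+--
+cgit v0.9.2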
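Review bot: The added file reuses the `1500_` sequence prefix that `1500_XATTR_USER_PREFIX.patch` already holds in the 0000_README listing, so two genpatches entries now share a number; if patches are applied in filename order, as the numbering suggests, this still works, but the README appears to give each patch a distinct prefix, and a free number (for example `1510_`) would keep the apply order explicit. The `Desc:` line for the new entry could also say what the fix closes — an overrun of the kmalloc'd pagemap buffer reachable through pagemap_read() when CONFIG_PROC_PAGE_MONITOR is enabled, per the embedded changelog — so the security relevance is visible without opening the patch. Note that the embedded hunks only change the units of `pm.len` and the PM_ENTRY_BYTES definition; the bounds check they repair lives in add_page_map(), outside both hunks, so the backport relies on 3.10.7's add_page_map() comparing `pos` against `len` as the changelog describes.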