Gentoo Archives: gentoo-commits

From: "Tom Wijsman (tomwij)" <tomwij@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2498 - genpatches-2.6/trunk/3.10.7
Date: Thu, 29 Aug 2013 12:24:11
Message-Id: 20130829122405.4DD9E2004C@flycatcher.gentoo.org
1 Author: tomwij
2 Date: 2013-08-29 12:24:04 +0000 (Thu, 29 Aug 2013)
3 New Revision: 2498
4
5 Added:
6 genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
7 Modified:
8 genpatches-2.6/trunk/3.10.7/0000_README
9 Log:
10 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
11
12 Modified: genpatches-2.6/trunk/3.10.7/0000_README
13 ===================================================================
14 --- genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:09:12 UTC (rev 2497)
15 +++ genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:24:04 UTC (rev 2498)
16 @@ -67,6 +67,10 @@
17 From: http://www.kernel.org
18 Desc: Linux 3.10.7
19
20 +Patch: 1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
21 +From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f
22 +Desc: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
23 +
24 Patch: 1500_XATTR_USER_PREFIX.patch
25 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
26 Desc: Support for namespace user.pax.* on tmpfs.
27
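Review bot: the new README entry takes the 1500_ number that 1500_XATTR_USER_PREFIX.patch already carries three lines further down in this hunk, so two patches in this directory now share a prefix; giving the backport its own number keeps the patch ordering and the README unambiguous. The Desc line also repeats the commit log verbatim ("reported by stintel on IRC, backported from 3.10.8"); a Desc that states what the patch changes (pagemapread len unit / add_page_map() overflow) reads better in the README, with the reporter credit left to the Log entry.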
28 Added: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
29 ===================================================================
30 --- genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch (rev 0)
31 +++ genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch 2013-08-29 12:24:04 UTC (rev 2498)
32 @@ -0,0 +1,67 @@
33 +From f30d87b004dcb4b260dcb2667d5ef6998f4aac1f Mon Sep 17 00:00:00 2001
34 +From: yonghua zheng <younghua.zheng@×××××.com>
35 +Date: Tue, 13 Aug 2013 23:01:03 +0000
36 +Subject: fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
37 +
38 +commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
39 +
40 +Recently we met quite a lot of random kernel panic issues after enabling
41 +CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
42 +to do with following bug in pagemap:
43 +
44 +In struct pagemapread:
45 +
46 + struct pagemapread {
47 + int pos, len;
48 + pagemap_entry_t *buffer;
49 + bool v2;
50 + };
51 +
52 +pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
53 +buffer, it is a mistake to compare pos and len in add_page_map() for
54 +checking buffer is full or not, and this can lead to buffer overflow and
55 +random kernel panic issue.
56 +
57 +Correct len to be total number of PM_ENTRY_BYTES in buffer.
58 +
59 +[akpm@××××××××××××××××.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
60 +Signed-off-by: Yonghua Zheng <younghua.zheng@×××××.com>
61 +Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
62 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
63 +Signed-off-by: Greg Kroah-Hartman <gregkh@×××××××××××××××.org>
64 +
65 +---
66 +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
67 +index 3e636d8..65fc60a 100644
68 +--- a/fs/proc/task_mmu.c
69 ++++ b/fs/proc/task_mmu.c
70 +@@ -792,14 +792,14 @@ typedef struct {
71 + } pagemap_entry_t;
72 +
73 + struct pagemapread {
74 +- int pos, len;
75 ++ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */
76 + pagemap_entry_t *buffer;
77 + };
78 +
79 + #define PAGEMAP_WALK_SIZE (PMD_SIZE)
80 + #define PAGEMAP_WALK_MASK (PMD_MASK)
81 +
82 +-#define PM_ENTRY_BYTES sizeof(u64)
83 ++#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
84 + #define PM_STATUS_BITS 3
85 + #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
86 + #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
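Review bot: the comment added to `int pos, len;` gives the unit as "PM_ENTRY_BYTES, not bytes", which names a size constant rather than a unit; "number of pagemap_entry_t entries, not bytes" says directly what the comparison of pos and len in add_page_map() is meant to count. Redefining PM_ENTRY_BYTES as sizeof(pagemap_entry_t) is the right anchor for the element size, since `buffer` is declared as `pagemap_entry_t *` in the same struct, so the two can no longer drift apart.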
87 +@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
88 + if (!count)
89 + goto out_task;
90 +
91 +- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
92 +- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
93 ++ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
94 ++ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
95 + ret = -ENOMEM;
96 + if (!pm.buffer)
97 + goto out_task;
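Review bot: pm.len now counts entries and the kmalloc() size is pm.len * PM_ENTRY_BYTES, consistent with the unit comment from the first hunk, but the comparison of pos and len in add_page_map() that the commit message names as the overflow site is not part of this patch, so the backport relies on that function already comparing pos against len in entries in the 3.10.7 tree. Since pm.len shrinks by a factor of PM_ENTRY_BYTES with this change, any other use of pm.len in pagemap_read() (the copy-out length, for example) should be checked so that nothing still treats it as a byte count.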
98 +--
99 +cgit v0.9.2