Commit 10fa3105 authored by Dann Frazier's avatar Dann Frazier

* bugfix/prevent-stack-growth-into-hugetlb-region.patch

  [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
  into address space reserved for hugetlb pages.
  See CVE-2007-3739

svn path=/dists/etch-security/linux-2.6/; revision=9542
parent 7dc0b95f
......@@ -5,8 +5,12 @@ linux-2.6 (2.6.18.dfsg.1-13etch3) UNRELEASED; urgency=low
[SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
during ptrace single-step operations that can be used to trigger a
NULL-pointer dereference causing an Oops.
* bugfix/prevent-stack-growth-into-hugetlb-region.patch
[SECURITY] Prevent OOPS during stack expansion when the VMA crosses
into address space reserved for hugetlb pages.
See CVE-2007-3739
-- dann frazier <dannf@debian.org> Thu, 20 Sep 2007 08:24:55 -0600
-- dann frazier <dannf@debian.org> Fri, 21 Sep 2007 10:36:12 -0600
linux-2.6 (2.6.18.dfsg.1-13etch2) stable-security; urgency=high
......
From: Adam Litke <agl@us.ibm.com>
Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
X-Git-Tag: v2.6.20-rc7~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
[PATCH] Don't allow the stack to grow into hugetlb reserved regions
When expanding the stack, we don't currently check if the VMA will cross
into an area of the address space that is reserved for hugetlb pages.
Subsequent faults on the expanded portion of such a VMA will confuse the
low-level MMU code, resulting in an OOPS. Check for this.
Signed-off-by: Adam Litke <agl@us.ibm.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: William Lee Irwin III <wli@holomorphy.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
diff --git a/mm/mmap.c b/mm/mmap.c
index 9717337..cc3a208 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1477,6 +1477,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
{
struct mm_struct *mm = vma->vm_mm;
struct rlimit *rlim = current->signal->rlim;
+ unsigned long new_start;
/* address space limit tests */
if (!may_expand_vm(mm, grow))
@@ -1496,6 +1497,12 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
return -ENOMEM;
}
+ /* Check to ensure the stack will not grow into a hugetlb-only region */
+ new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
+ vma->vm_end - size;
+ if (is_hugepage_only_range(vma->vm_mm, new_start, size))
+ return -EFAULT;
+
/*
* Overcommit.. This must be the final test, as it will
* update security statistics.
+ bugfix/ptrace-handle-bogus-selector.patch
+ bugfix/fixup-trace_irq-breakage.patch
+ bugfix/prevent-stack-growth-into-hugetlb-region.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment