From patchwork Wed Oct 12 08:28:54 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tim Gardner X-Patchwork-Id: 119161 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id E3095B6F71 for ; Wed, 12 Oct 2011 19:29:19 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RDuBS-0007AL-AH; Wed, 12 Oct 2011 08:29:02 +0000 Received: from mail.tpi.com ([70.99.223.143]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RDuBP-00078r-Hh for kernel-team@lists.ubuntu.com; Wed, 12 Oct 2011 08:29:00 +0000 Received: from [127.0.0.1] (mail.tpi.com [70.99.223.143]) by mail.tpi.com (Postfix) with ESMTP id 6591125CC63; Wed, 12 Oct 2011 01:28:56 -0700 (PDT) Message-ID: <4E954FC6.3030600@canonical.com> Date: Wed, 12 Oct 2011 09:28:54 +0100 From: Tim Gardner User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15 MIME-Version: 1.0 To: Paolo Pisati Subject: APPLIED: [PATCH 0/3] [hardy] CVE-2011-2496 References: <1318342628-32016-1-git-send-email-paolo.pisati@canonical.com> In-Reply-To: <1318342628-32016-1-git-send-email-paolo.pisati@canonical.com> Cc: kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com On 10/11/2011 03:17 PM, Paolo Pisati wrote: > mm: avoid wrapping vm_pgoff in mremap() and stack expansions > > Following this email are 3 patches for hardy. > > Linus Torvalds (2): > mm: avoid wrapping vm_pgoff in mremap() - CVE-2011-2496 > vm: fix vm_pgoff wrap in stack expansion - CVE-2011-2496 > > Paolo Pisati (1): > vm: fix vm_pgoff wrap in upward expansion - CVE-2011-2496 > > mm/mmap.c | 20 +++++++++++++------- > mm/mremap.c | 11 +++++++++-- > 2 files changed, 22 insertions(+), 9 deletions(-) > This is what was actually applied. From a7c538dd567bb4c34837a3afce44a4a5f80629c6 Mon Sep 17 00:00:00 2001 From: Hugh Dickins Date: Mon, 9 May 2011 17:44:42 -0700 Subject: [PATCH 3/3] vm: fix vm_pgoff wrap in upward expansion, CVE-2011-2496 BugLink: http://bugs.launchpad.net/bugs/869243 CVE-2011-2496 Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed the case of an expanding mapping causing vm_pgoff wrapping when you had downward stack expansion. But there was another case where IA64 and PA-RISC expand mappings: upward expansion. This fixes that case too. Signed-off-by: Hugh Dickins Cc: stable@kernel.org Signed-off-by: Linus Torvalds Backported from 42c36f63ac1366ab0ecc2d5717821362c259f517 Acked-by: Stefan Bader Signed-off-by: Paolo Pisati Signed-off-by: Tim Gardner --- mm/mmap.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index dcd3dcc..6ea8c93 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1600,9 +1600,13 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) size = address - vma->vm_start; grow = (address - vma->vm_end) >> PAGE_SHIFT; - error = acct_stack_growth(vma, size, grow); - if (!error) - vma->vm_end = address; + error = -ENOMEM; + if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { + error = acct_stack_growth(vma, size, grow); + if (!error) { + vma->vm_end = address; + } + } } anon_vma_unlock(vma); return error; -- 1.7.1