public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] linux-patches r2498 - genpatches-2.6/trunk/3.10.7
@ 2013-08-29 12:24 Tom Wijsman (tomwij)
From: Tom Wijsman (tomwij) @ 2013-08-29 12:24 UTC
  To: gentoo-commits

Author: tomwij
Date: 2013-08-29 12:24:04 +0000 (Thu, 29 Aug 2013)
New Revision: 2498

Added:
   genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
Modified:
   genpatches-2.6/trunk/3.10.7/0000_README
Log:
fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.

Modified: genpatches-2.6/trunk/3.10.7/0000_README
===================================================================
--- genpatches-2.6/trunk/3.10.7/0000_README	2013-08-29 12:09:12 UTC (rev 2497)
+++ genpatches-2.6/trunk/3.10.7/0000_README	2013-08-29 12:24:04 UTC (rev 2498)
@@ -67,6 +67,10 @@
 From:   http://www.kernel.org
 Desc:   Linux 3.10.7
 
+Patch:  1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
+From:   http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f
+Desc:   fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.
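Review bot: the new entry reuses the 1500_ number already held by 1500_XATTR_USER_PREFIX.patch (the next entry in this hunk), so the relative order of the two patches in the series is decided by the rest of the filename rather than by the number; give the backport its own unused number so the ordering is explicit. Smaller point: the From: URL cites the stable-tree commit f30d87b004dcb4b260dcb2667d5ef6998f4aac1f, while the patch file's own header names the upstream commit 8c8296223f3abb142be8fc31711b18a704c0e7d8; consider mentioning the upstream id in Desc so the fix can be traced without opening the patch file.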

Added: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch	                        (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch	2013-08-29 12:24:04 UTC (rev 2498)
@@ -0,0 +1,67 @@
+From f30d87b004dcb4b260dcb2667d5ef6998f4aac1f Mon Sep 17 00:00:00 2001
+From: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue, 13 Aug 2013 23:01:03 +0000
+Subject: fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
+
+Recently we met quite a lot of random kernel panic issues after enabling
+CONFIG_PROC_PAGE_MONITOR.  After debuggind we found this has something
+to do with following bug in pagemap:
+
+In struct pagemapread:
+
+  struct pagemapread {
+      int pos, len;
+      pagemap_entry_t *buffer;
+      bool v2;
+  };
+
+pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+buffer, it is a mistake to compare pos and len in add_page_map() for
+checking buffer is full or not, and this can lead to buffer overflow and
+random kernel panic issue.
+
+Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3e636d8..65fc60a 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -792,14 +792,14 @@ typedef struct {
+ } pagemap_entry_t;
+ 
+ struct pagemapread {
+-	int pos, len;
++	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
+ 	pagemap_entry_t *buffer;
+ };
+ 
+ #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
+ #define PAGEMAP_WALK_MASK	(PMD_MASK)
+ 
+-#define PM_ENTRY_BYTES      sizeof(u64)
++#define PM_ENTRY_BYTES      sizeof(pagemap_entry_t)
+ #define PM_STATUS_BITS      3
+ #define PM_STATUS_OFFSET    (64 - PM_STATUS_BITS)
+ #define PM_STATUS_MASK      (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
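Review bot: the comment added on the `int pos, len;` line, `/* units: PM_ENTRY_BYTES, not bytes */`, is easy to misread because PM_ENTRY_BYTES is itself a byte count (now `sizeof(pagemap_entry_t)`); the intended meaning is that pos and len count entries, so `/* units: pagemap entries, each PM_ENTRY_BYTES long */` would say it directly. The switch of PM_ENTRY_BYTES from `sizeof(u64)` to `sizeof(pagemap_entry_t)` is the right companion change: it ties the byte size to the element type declared just above instead of assuming the typedef wraps exactly one u64, and the allocation in the second hunk depends on that.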
+@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ 	if (!count)
+ 		goto out_task;
+ 
+-	pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+-	pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
++	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
++	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
+ 	ret = -ENOMEM;
+ 	if (!pm.buffer)
+ 		goto out_task;
+--
+cgit v0.9.2
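Review bot: `pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT)` together with `kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY)` puts the count and the allocation in consistent units, which is the actual overflow fix, but add_page_map(), where the commit message says pos is compared against len, is not in this diff, and neither is the code that drains pm.buffer; the fix is only complete if every reader of pos and len treats them as entry counts, so that should be confirmed against the full file rather than this excerpt. For readability, `pm.len * sizeof(pm.buffer[0])` would bind the allocation size to the element type without going through the macro, although PM_ENTRY_BYTES is now equivalent.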
