To: gentoo-commits@lists.gentoo.org
From: "Tom Wijsman (tomwij)" Subject: [gentoo-commits] linux-patches r2498 - genpatches-2.6/trunk/3.10.7 X-VCS-Repository: linux-patches X-VCS-Revision: 2498 X-VCS-Files: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch genpatches-2.6/trunk/3.10.7/0000_README X-VCS-Directories: genpatches-2.6/trunk/3.10.7 X-VCS-Committer: tomwij X-VCS-Committer-Name: Tom Wijsman Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Message-Id: <20130829122405.4DD9E2004C@flycatcher.gentoo.org> Date: Thu, 29 Aug 2013 12:24:05 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e536acab-6b19-4fd5-a800-11980fc05d6f X-Archives-Hash: 7943ca693f51b69469a178218a0f249e Author: tomwij Date: 2013-08-29 12:24:04 +0000 (Thu, 29 Aug 2013) New Revision: 2498 Added: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch Modified: genpatches-2.6/trunk/3.10.7/0000_README Log: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8. Modified: genpatches-2.6/trunk/3.10.7/0000_README =================================================================== --- genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:09:12 UTC (rev 2497) +++ genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:24:04 UTC (rev 2498) @@ -67,6 +67,10 @@ From: http://www.kernel.org Desc: Linux 3.10.7 +Patch: 1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch +From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f +Desc: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8. + Patch: 1500_XATTR_USER_PREFIX.patch 
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. Added: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch =================================================================== --- genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch (rev 0) +++ genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch 2013-08-29 12:24:04 UTC (rev 2498) 
@@ -0,0 +1,67 @@ +From f30d87b004dcb4b260dcb2667d5ef6998f4aac1f Mon Sep 17 00:00:00 2001 +From: yonghua zheng +Date: Tue, 13 Aug 2013 23:01:03 +0000 +Subject: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() + +commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream. + +Recently we met quite a lot of random kernel panic issues after enabling +CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something +to do with following bug in pagemap: + +In struct pagemapread: + + struct pagemapread { + int pos, len; + pagemap_entry_t *buffer; + bool v2; + }; + +pos is number of PM_ENTRY_BYTES in buffer, but len is the size of +buffer, it is a mistake to compare pos and len in add_page_map() for +checking buffer is full or not, and this can lead to buffer overflow and +random kernel panic issue. + +Correct len to be total number of PM_ENTRY_BYTES in buffer. + +[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] +Signed-off-by: Yonghua Zheng +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 3e636d8..65fc60a 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -792,14 +792,14 @@ typedef struct { + } pagemap_entry_t; + + struct pagemapread { +- int pos, len; ++ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */ + pagemap_entry_t *buffer; + }; + + #define PAGEMAP_WALK_SIZE (PMD_SIZE) + #define PAGEMAP_WALK_MASK (PMD_MASK) + +-#define PM_ENTRY_BYTES sizeof(u64) ++#define PM_ENTRY_BYTES sizeof(pagemap_entry_t) + #define PM_STATUS_BITS 3 + #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS) + #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET) +@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, + if (!count) + goto out_task; + +- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); +- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY); ++ 
pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT); ++ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY); + ret = -ENOMEM; + if (!pm.buffer) + goto out_task; +-- +cgit v0.9.2
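Review bot: The new 0000_README entry reuses the 1500 prefix already carried by 1500_XATTR_USER_PREFIX.patch, listed directly below it, so the two patches are distinguished only by name; giving this one its own number would keep the ordering unambiguous. The Desc line also mixes the fix summary with provenance ("reported by stintel on IRC, backported from 3.10.8"); the From URL already identifies the stable commit, so Desc could carry only the summary.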
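Review bot: In the hunk at @@ -792, PM_ENTRY_BYTES becomes sizeof(pagemap_entry_t) while the neighbouring PM_STATUS_OFFSET is still written as (64 - PM_STATUS_BITS), so the code now depends on pagemap_entry_t being exactly 64 bits wide without saying so. A BUILD_BUG_ON(sizeof(pagemap_entry_t) != sizeof(u64)) next to the definition would turn that assumption into a build failure if the typedef ever changes. Separately, the struct quoted in the commit message has a bool v2 member that the context lines of this hunk do not show, so it is worth confirming the backport was checked against the struct as it exists in 3.10.7.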
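Review bot: In the pagemap_read() hunk at @@ -1038, pm.len changes from a byte count to an entry count, but only the allocation is visible; add_page_map() and any later use of pm.len or pm.pos in pagemap_read() fall outside the context lines, so each needs checking to confirm it now treats both fields as PM_ENTRY_BYTES units. For the allocation itself, kmalloc_array(pm.len, PM_ENTRY_BYTES, GFP_TEMPORARY) would state the count-times-size intent and add the overflow check, rather than the open-coded pm.len * PM_ENTRY_BYTES.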