* [gentoo-commits] linux-patches r2498 - genpatches-2.6/trunk/3.10.7
From: Tom Wijsman (tomwij) @ 2013-08-29 12:24 UTC
To: gentoo-commits
Author: tomwij
Date: 2013-08-29 12:24:04 +0000 (Thu, 29 Aug 2013)
New Revision: 2498
Added:
genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
Modified:
genpatches-2.6/trunk/3.10.7/0000_README
Log:
fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
Modified: genpatches-2.6/trunk/3.10.7/0000_README
===================================================================
--- genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:09:12 UTC (rev 2497)
+++ genpatches-2.6/trunk/3.10.7/0000_README 2013-08-29 12:24:04 UTC (rev 2498)
@@ -67,6 +67,10 @@
From: http://www.kernel.org
Desc: Linux 3.10.7
+Patch: 1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
+From: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f30d87b004dcb4b260dcb2667d5ef6998f4aac1f
+Desc: fs/proc/task_mmu.c: fix buffer overflow in add_page_map() reported by stintel on IRC, backported from 3.10.8.
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
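Review bot: The Desc of the new 1500_task-mmu entry says the fix is backported from 3.10.8, but nothing marks the patch as one to drop when the tree moves to 3.10.8, so it could be carried forward by accident; a short "drop on 3.10.8" remark in Desc would cover that. The From: URL identifies the stable commit f30d87b004dcb4b260dcb2667d5ef6998f4aac1f, while the patch header also names upstream commit 8c8296223f3abb142be8fc31711b18a704c0e7d8, which is worth recording here as well so the fix can be traced in both trees.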
Added: genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch
===================================================================
--- genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch (rev 0)
+++ genpatches-2.6/trunk/3.10.7/1500_task-mmu_fix-buffer-overflow-in-add_page_map.patch 2013-08-29 12:24:04 UTC (rev 2498)
@@ -0,0 +1,67 @@
+From f30d87b004dcb4b260dcb2667d5ef6998f4aac1f Mon Sep 17 00:00:00 2001
+From: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue, 13 Aug 2013 23:01:03 +0000
+Subject: fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 upstream.
+
+Recently we met quite a lot of random kernel panic issues after enabling
+CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+to do with following bug in pagemap:
+
+In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+buffer, it is a mistake to compare pos and len in add_page_map() for
+checking buffer is full or not, and this can lead to buffer overflow and
+random kernel panic issue.
+
+Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3e636d8..65fc60a 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -792,14 +792,14 @@ typedef struct {
+ } pagemap_entry_t;
+
+ struct pagemapread {
+- int pos, len;
++ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */
+ pagemap_entry_t *buffer;
+ };
+
+ #define PAGEMAP_WALK_SIZE (PMD_SIZE)
+ #define PAGEMAP_WALK_MASK (PMD_MASK)
+
+-#define PM_ENTRY_BYTES sizeof(u64)
++#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
+ #define PM_STATUS_BITS 3
+ #define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
+ #define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
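Review bot: PM_ENTRY_BYTES moves from sizeof(u64) to sizeof(pagemap_entry_t), and nothing in this hunk pins the two to the same value, so every size derived from the macro now follows the typedef. A BUILD_BUG_ON(sizeof(pagemap_entry_t) != sizeof(u64)) beside the definition would keep the entry size fixed if the struct is ever extended. Separately, the commit message quotes struct pagemapread with a "bool v2;" member that the context lines of this hunk do not have, so the quoted struct does not match this tree.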
+@@ -1038,8 +1038,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+ if (!count)
+ goto out_task;
+
+- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
++ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
++ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
+ ret = -ENOMEM;
+ if (!pm.buffer)
+ goto out_task;
+--
+cgit v0.9.2
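Review bot: In the pagemap_read() hunk, pm.len changes from a byte count to an entry count, but the diff touches only this assignment and the kmalloc() call, so any other code in fs/proc/task_mmu.c that still reads pm.len as bytes would now be short by a factor of PM_ENTRY_BYTES; it is worth confirming that the pos/len comparison in add_page_map() described in the commit message is the only reader. The open-coded "pm.len * PM_ENTRY_BYTES" could also become kmalloc_array(pm.len, PM_ENTRY_BYTES, GFP_TEMPORARY), which keeps count and element size separate and checks the multiplication for overflow.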