public inbox for gentoo-commits@lists.gentoo.org
From: "Daniel Drake (dsd)" <dsd@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] linux-patches r1245 - genpatches-2.6/trunk/2.6.23
Date: Tue, 12 Feb 2008 14:35:26 +0000
Message-ID: <E1JOwEI-0006Eg-4u@stork.gentoo.org>

Author: dsd
Date: 2008-02-12 14:35:25 +0000 (Tue, 12 Feb 2008)
New Revision: 1245

Added:
   genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch
Modified:
   genpatches-2.6/trunk/2.6.23/0000_README
Log:
Preventative measure against future vmsplice-like security issues

Modified: genpatches-2.6/trunk/2.6.23/0000_README
===================================================================
--- genpatches-2.6/trunk/2.6.23/0000_README	2008-02-10 23:34:58 UTC (rev 1244)
+++ genpatches-2.6/trunk/2.6.23/0000_README	2008-02-12 14:35:25 UTC (rev 1245)
@@ -103,6 +103,10 @@
 From:	http://bugs.gentoo.org/209460
 Desc:	Fix another vmsplice() security issue
 
+Patch:	1500_get-zero-user-pages.patch
+From:	http://bugs.gentoo.org/209460
+Desc:	Preventative measure against future vmsplice-like security issues
+
 Patch:	2200_acpi-concurrent-thermal-checks.patch
 From:	http://bugs.gentoo.org/176615
 Desc:	Fix stack overflow due to recursive ACPI thermal checks
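Review bot: the new 0000_README entry gives http://bugs.gentoo.org/209460 as the From: for 1500_get-zero-user-pages.patch, the same bug already cited for the vmsplice fix directly above it, while the patch file itself carries the upstream commit in its X-Git-Url header (h=900cf086fd2fbad07f72f4575449e0d0958f860f). Pointing From: at the upstream commit, or naming it in Desc:, would let a reader verify the provenance of this preventative patch without opening the bug; as written the Desc: line is just a copy of the commit log and says nothing about where the change came from.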

Added: genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch
===================================================================
--- genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch	                        (rev 0)
+++ genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch	2008-02-12 14:35:25 UTC (rev 1245)
@@ -0,0 +1,43 @@
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Mon, 11 Feb 2008 23:17:33 +0000 (-0700)
+Subject: Be more robust about bad arguments in get_user_pages()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=900cf086fd2fbad07f72f4575449e0d0958f860f
+
+Be more robust about bad arguments in get_user_pages()
+
+So I spent a while pounding my head against my monitor trying to figure
+out the vmsplice() vulnerability - how could a failure to check for
+*read* access turn into a root exploit? It turns out that it's a buffer
+overflow problem which is made easy by the way get_user_pages() is
+coded.
+
+In particular, "len" is a signed int, and it is only checked at the
+*end* of a do {} while() loop.  So, if it is passed in as zero, the loop
+will execute once and decrement len to -1.  At that point, the loop will
+proceed until the next invalid address is found; in the process, it will
+likely overflow the pages array passed in to get_user_pages().
+
+I think that, if get_user_pages() has been asked to grab zero pages,
+that's what it should do.  Thus this patch; it is, among other things,
+enough to block the (already fixed) root exploit and any others which
+might be lurking in similar code.  I also think that the number of pages
+should be unsigned, but changing the prototype of this function probably
+requires some more careful review.
+
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/mm/memory.c b/mm/memory.c
+index e5628a5..717aa0e 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+ 	int i;
+ 	unsigned int vm_flags;
+ 
++	if (len <= 0)
++		return 0;
+ 	/* 
+ 	 * Require read or write permissions.
+ 	 * If 'force' is set, we only require the "MAY" flags.
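Review bot: the early return added to get_user_pages() in mm/memory.c (`if (len <= 0) return 0;`) turns a negative page count into a silent zero result rather than an error, so a caller whose len has gone negative now receives 0 pinned pages where the commit message describes a pages-array overflow; that is the intended robustness, but it is only safe because callers already have to handle a short return, and a negative len could reasonably get a WARN or -EINVAL so that such callers are noticed rather than masked. The commit message itself says the count should be unsigned, and that prototype change is the real fix; this check should be documented as the stopgap it is. A blank line between the new check and the `/* Require read or write permissions` comment would also keep the preamble readable.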

-- 
gentoo-commits@lists.gentoo.org mailing list
