public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] linux-patches r1245 - genpatches-2.6/trunk/2.6.23
@ 2008-02-12 14:35 Daniel Drake (dsd)
From: Daniel Drake (dsd) @ 2008-02-12 14:35 UTC
  To: gentoo-commits

Author: dsd
Date: 2008-02-12 14:35:25 +0000 (Tue, 12 Feb 2008)
New Revision: 1245

Added:
   genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch
Modified:
   genpatches-2.6/trunk/2.6.23/0000_README
Log:
Preventative measure against future vmsplice-like security issues

Modified: genpatches-2.6/trunk/2.6.23/0000_README
===================================================================
--- genpatches-2.6/trunk/2.6.23/0000_README	2008-02-10 23:34:58 UTC (rev 1244)
+++ genpatches-2.6/trunk/2.6.23/0000_README	2008-02-12 14:35:25 UTC (rev 1245)
@@ -103,6 +103,10 @@
 From:	http://bugs.gentoo.org/209460
 Desc:	Fix another vmsplice() security issue
 
+Patch:	1500_get-zero-user-pages.patch
+From:	http://bugs.gentoo.org/209460
+Desc:	Preventative measure against future vmsplice-like security issues
+
 Patch:	2200_acpi-concurrent-thermal-checks.patch
 From:	http://bugs.gentoo.org/176615
 Desc:	Fix stack overflow due to recursive ACPI thermal checks
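Review bot: the From: line of the new 1500_get-zero-user-pages.patch entry reuses http://bugs.gentoo.org/209460, the same bug the preceding vmsplice() fix already cites, although the Desc: says this patch is a preventative measure rather than a fix for that bug; since the patch file itself records its upstream origin in an X-Git-Url header (torvalds/linux-2.6 commit 900cf086fd2fbad07f72f4575449e0d0958f860f), consider pointing From: at that commit, or at least naming the commit id in Desc:, so a reader of 0000_README can tell which entry fixes the reported bug and which one is the hardening that came after it.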

Added: genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch
===================================================================
--- genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch	                        (rev 0)
+++ genpatches-2.6/trunk/2.6.23/1500_get-zero-user-pages.patch	2008-02-12 14:35:25 UTC (rev 1245)
@@ -0,0 +1,43 @@
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Mon, 11 Feb 2008 23:17:33 +0000 (-0700)
+Subject: Be more robust about bad arguments in get_user_pages()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=900cf086fd2fbad07f72f4575449e0d0958f860f
+
+Be more robust about bad arguments in get_user_pages()
+
+So I spent a while pounding my head against my monitor trying to figure
+out the vmsplice() vulnerability - how could a failure to check for
+*read* access turn into a root exploit? It turns out that it's a buffer
+overflow problem which is made easy by the way get_user_pages() is
+coded.
+
+In particular, "len" is a signed int, and it is only checked at the
+*end* of a do {} while() loop.  So, if it is passed in as zero, the loop
+will execute once and decrement len to -1.  At that point, the loop will
+proceed until the next invalid address is found; in the process, it will
+likely overflow the pages array passed in to get_user_pages().
+
+I think that, if get_user_pages() has been asked to grab zero pages,
+that's what it should do.  Thus this patch; it is, among other things,
+enough to block the (already fixed) root exploit and any others which
+might be lurking in similar code.  I also think that the number of pages
+should be unsigned, but changing the prototype of this function probably
+requires some more careful review.
+
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/mm/memory.c b/mm/memory.c
+index e5628a5..717aa0e 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -989,6 +989,8 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+ 	int i;
+ 	unsigned int vm_flags;
+ 
++	if (len <= 0)
++		return 0;
+ 	/* 
+ 	 * Require read or write permissions.
+ 	 * If 'force' is set, we only require the "MAY" flags.
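Review bot: "if (len <= 0) return 0;" turns a negative page count into a silent success that pins nothing, which hides exactly the caller bug the description says should eventually be fixed by making the count unsigned; the early return for len == 0 is the right behaviour, but for len < 0 consider a WARN_ON(len < 0) or returning -EINVAL so a caller passing garbage is noticed rather than quietly ignored. Also add a blank line between the new check and the following "Require read or write permissions." comment block, matching the spacing used around the rest of the function.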

-- 
gentoo-commits@lists.gentoo.org mailing list
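The following is an added example and is not part of Corbet's patch or of the kernel source; it models the loop shape the patch description refers to (a signed "len" that is decremented inside a do {} while() and only tested at the bottom) so that the zero-length case can be observed without touching kernel code. Everything in it is assumed for illustration: PAGE_SHIFT, the NR_VALID_PAGES "address space" in which pages 0..7 are mapped, and the struct page_array wrapper that counts stores past the end of the caller's pages[] instead of performing them. gup_buggy() is the pre-patch loop shape and gup_fixed() adds the same "len <= 0" early return the patch adds.

```c
/* Model of the get_user_pages() loop structure described in the patch above.
 * Added example, not kernel code. All constants and helpers are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT     12
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define NR_VALID_PAGES 8   /* assumed address space: pages 0..7 are mapped, 8+ fault */

/* Wrapper around the caller's pages[]: stores beyond its real capacity are
 * counted rather than performed, so the overflow is observable, not fatal. */
struct page_array {
	unsigned long *pages;
	size_t cap;
	size_t overflowed;
};

struct gup_result {
	int ret;           /* what the modelled get_user_pages() returned */
	size_t overflowed; /* how many stores would have landed past pages[cap] */
};

static bool page_is_mapped(unsigned long addr)
{
	return (addr >> PAGE_SHIFT) < NR_VALID_PAGES;
}

static void store_page(struct page_array *pa, int i, unsigned long pfn)
{
	if ((size_t)i < pa->cap)
		pa->pages[i] = pfn;
	else
		pa->overflowed++;
}

/* Pre-patch shape: "len" is a signed int tested only at the bottom of the loop.
 * With len == 0 the body runs once, len becomes -1, and the loop keeps pinning
 * pages until it hits an unmapped address, writing past the end of pages[]. */
static int gup_buggy(unsigned long start, int len, struct page_array *pa)
{
	int i = 0;

	do {
		if (!page_is_mapped(start))
			return i ? i : -EFAULT;
		store_page(pa, i, start >> PAGE_SHIFT);
		i++;
		start += PAGE_SIZE;
		len--;
	} while (len);

	return i;
}

/* Post-patch shape: the same loop behind the early return the patch adds. */
static int gup_fixed(unsigned long start, int len, struct page_array *pa)
{
	if (len <= 0)
		return 0;
	return gup_buggy(start, len, pa);
}

/* Run one variant against a caller buffer sized for exactly two pages. */
static struct gup_result run_model(int (*gup)(unsigned long, int, struct page_array *),
				   int len)
{
	unsigned long pages[2] = { 0, 0 };
	struct page_array pa = { pages, 2, 0 };
	struct gup_result r;

	r.ret = gup(0, len, &pa);
	r.overflowed = pa.overflowed;
	return r;
}

int main(void)
{
	struct gup_result r;

	r = run_model(gup_buggy, 0);
	printf("buggy, len=0: returned %d, %zu stores past the end of pages[2]\n",
	       r.ret, r.overflowed);
	r = run_model(gup_fixed, 0);
	printf("fixed, len=0: returned %d, %zu stores past the end of pages[2]\n",
	       r.ret, r.overflowed);
	return 0;
}
```

With a two-entry pages[] and eight mapped pages, the buggy variant called with len == 0 reports eight pinned pages and six out-of-bounds stores, which is the mechanism the description calls a buffer overflow; the fixed variant returns 0 and stores nothing. The same run with a negative len shows why the description also wants the count unsigned: the buggy loop overruns in exactly the same way, and the fixed one only avoids it because the check is "<= 0" rather than "== 0".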
