(fixup patches for CVE-2017-1000364)

CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch

@@ -0,0 +1,45 @@
+From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 19 Jun 2017 17:34:05 +0200
+Subject: [PATCH] Allow stack to grow up to address space limit
+
+Fix expand_upwards() on architectures with an upward-growing stack (parisc,
+metag and partly IA-64) to allow the stack to reliably grow exactly up to
+the address space limit given by TASK_SIZE.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mmap.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 290b77d9a01e0..a5e3dcd75e79f 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+ 	if (!(vma->vm_flags & VM_GROWSUP))
+ 		return -EFAULT;
+ 
+-	/* Guard against wrapping around to address 0. */
++	/* Guard against exceeding limits of the address space. */
+ 	address &= PAGE_MASK;
+-	address += PAGE_SIZE;
+-	if (!address)
++	if (address >= TASK_SIZE)
+ 		return -ENOMEM;
++	address += PAGE_SIZE;
+ 
+ 	/* Enforce stack_guard_gap */
+ 	gap_addr = address + stack_guard_gap;
+-	if (gap_addr < address)
+-		return -ENOMEM;
++
++	/* Guard against overflow */
++	if (gap_addr < address || gap_addr > TASK_SIZE)
++		gap_addr = TASK_SIZE;
++
+ 	next = vma->vm_next;
+ 	if (next && next->vm_start < gap_addr) {
+ 		if (!(next->vm_flags & VM_GROWSUP))

CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch

@@ -0,0 +1,47 @@
+From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Tue, 20 Jun 2017 02:10:44 -0700
+Subject: [PATCH] mm: fix new crash in unmapped_area_topdown()
+
+Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
+mmap testing.  That's the VM_BUG_ON(gap_end < gap_start) at the
+end of unmapped_area_topdown().  Linus points out how MAP_FIXED
+(which does not have to respect our stack guard gap intentions)
+could result in gap_end below gap_start there.  Fix that, and
+the similar case in its alternative, unmapped_area().
+
+Cc: stable@vger.kernel.org
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 8e07976d5e477..290b77d9a01e0 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
+ 		/* Check if current node has a suitable gap */
+ 		if (gap_start > high_limit)
+ 			return -ENOMEM;
+-		if (gap_end >= low_limit && gap_end - gap_start >= length)
++		if (gap_end >= low_limit &&
++		    gap_end > gap_start && gap_end - gap_start >= length)
+ 			goto found;
+ 
+ 		/* Visit right subtree if it looks promising */
+@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
+ 		gap_end = vm_start_gap(vma);
+ 		if (gap_end < low_limit)
+ 			return -ENOMEM;
+-		if (gap_start <= high_limit && gap_end - gap_start >= length)
++		if (gap_start <= high_limit &&
++		    gap_end > gap_start && gap_end - gap_start >= length)
+ 			goto found;
+ 
+ 		/* Visit left subtree if it looks promising */

PKGBUILD

@@ -5,7 +5,7 @@ pkgbase=linux               # Build stock -ARCH kernel
 #pkgbase=linux-custom       # Build kernel with a different name
 _srcname=linux-4.11
 pkgver=4.11.6
-pkgrel=2
+pkgrel=3
 arch=('i686' 'x86_64')
 url="https://www.kernel.org/"
 license=('GPL2')
@@ -21,7 +21,9 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
         '90-linux.hook'
         # standard config files for mkinitcpio ramdisk
         'linux.preset'
-        CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch)
+        CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch
+        CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch
+        CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch)
 
 sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
             'SKIP'
@@ -31,7 +33,9 @@ sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
             '9dd9aa4a8ec613cc8261e40db897685d75e3d426219ed8d21fa3a6bc72a27a32'
             '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
-            'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160')
+            'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160'
+            'beede1721c92bae39049be5bcb30e4274406dc53c41436bf75bd44238ee8efe4'
+            'de9c4f81b51c497de930b365f63633a005e3b8bcfbb21be93fe0cbab84ed9f76')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -44,7 +48,11 @@ prepare() {
 
   # add upstream patch
   patch -p1 -i "${srcdir}/patch-${pkgver}"
+
+  # security patches
   patch -p1 < "${srcdir}/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch"
+  patch -p1 < "${srcdir}/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch"
+  patch -p1 < "${srcdir}/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch"
 
   # add latest fixes from stable queue, if needed
   # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git