(fixup patches for CVE-2017-1000364)
This commit is contained in:
parent
49a3ed2589
commit
cb9e37e6e2
@ -0,0 +1,45 @@
|
|||||||
|
From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Helge Deller <deller@gmx.de>
|
||||||
|
Date: Mon, 19 Jun 2017 17:34:05 +0200
|
||||||
|
Subject: [PATCH] Allow stack to grow up to address space limit
|
||||||
|
|
||||||
|
Fix expand_upwards() on architectures with an upward-growing stack (parisc,
|
||||||
|
metag and partly IA-64) to allow the stack to reliably grow exactly up to
|
||||||
|
the address space limit given by TASK_SIZE.
|
||||||
|
|
||||||
|
Signed-off-by: Helge Deller <deller@gmx.de>
|
||||||
|
Acked-by: Hugh Dickins <hughd@google.com>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
---
|
||||||
|
mm/mmap.c | 13 ++++++++-----
|
||||||
|
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mm/mmap.c b/mm/mmap.c
|
||||||
|
index 290b77d9a01e0..a5e3dcd75e79f 100644
|
||||||
|
--- a/mm/mmap.c
|
||||||
|
+++ b/mm/mmap.c
|
||||||
|
@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
|
||||||
|
if (!(vma->vm_flags & VM_GROWSUP))
|
||||||
|
return -EFAULT;
|
||||||
|
|
||||||
|
- /* Guard against wrapping around to address 0. */
|
||||||
|
+ /* Guard against exceeding limits of the address space. */
|
||||||
|
address &= PAGE_MASK;
|
||||||
|
- address += PAGE_SIZE;
|
||||||
|
- if (!address)
|
||||||
|
+ if (address >= TASK_SIZE)
|
||||||
|
return -ENOMEM;
|
||||||
|
+ address += PAGE_SIZE;
|
||||||
|
|
||||||
|
/* Enforce stack_guard_gap */
|
||||||
|
gap_addr = address + stack_guard_gap;
|
||||||
|
- if (gap_addr < address)
|
||||||
|
- return -ENOMEM;
|
||||||
|
+
|
||||||
|
+ /* Guard against overflow */
|
||||||
|
+ if (gap_addr < address || gap_addr > TASK_SIZE)
|
||||||
|
+ gap_addr = TASK_SIZE;
|
||||||
|
+
|
||||||
|
next = vma->vm_next;
|
||||||
|
if (next && next->vm_start < gap_addr) {
|
||||||
|
if (!(next->vm_flags & VM_GROWSUP))
|
@ -0,0 +1,47 @@
|
|||||||
|
From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hugh Dickins <hughd@google.com>
|
||||||
|
Date: Tue, 20 Jun 2017 02:10:44 -0700
|
||||||
|
Subject: [PATCH] mm: fix new crash in unmapped_area_topdown()
|
||||||
|
|
||||||
|
Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
|
||||||
|
mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
|
||||||
|
end of unmapped_area_topdown(). Linus points out how MAP_FIXED
|
||||||
|
(which does not have to respect our stack guard gap intentions)
|
||||||
|
could result in gap_end below gap_start there. Fix that, and
|
||||||
|
the similar case in its alternative, unmapped_area().
|
||||||
|
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
|
||||||
|
Reported-by: Dave Jones <davej@codemonkey.org.uk>
|
||||||
|
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
Signed-off-by: Hugh Dickins <hughd@google.com>
|
||||||
|
Acked-by: Michal Hocko <mhocko@suse.com>
|
||||||
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||||
|
---
|
||||||
|
mm/mmap.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mm/mmap.c b/mm/mmap.c
|
||||||
|
index 8e07976d5e477..290b77d9a01e0 100644
|
||||||
|
--- a/mm/mmap.c
|
||||||
|
+++ b/mm/mmap.c
|
||||||
|
@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
|
||||||
|
/* Check if current node has a suitable gap */
|
||||||
|
if (gap_start > high_limit)
|
||||||
|
return -ENOMEM;
|
||||||
|
- if (gap_end >= low_limit && gap_end - gap_start >= length)
|
||||||
|
+ if (gap_end >= low_limit &&
|
||||||
|
+ gap_end > gap_start && gap_end - gap_start >= length)
|
||||||
|
goto found;
|
||||||
|
|
||||||
|
/* Visit right subtree if it looks promising */
|
||||||
|
@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
|
||||||
|
gap_end = vm_start_gap(vma);
|
||||||
|
if (gap_end < low_limit)
|
||||||
|
return -ENOMEM;
|
||||||
|
- if (gap_start <= high_limit && gap_end - gap_start >= length)
|
||||||
|
+ if (gap_start <= high_limit &&
|
||||||
|
+ gap_end > gap_start && gap_end - gap_start >= length)
|
||||||
|
goto found;
|
||||||
|
|
||||||
|
/* Visit left subtree if it looks promising */
|
14
PKGBUILD
14
PKGBUILD
@ -5,7 +5,7 @@ pkgbase=linux # Build stock -ARCH kernel
|
|||||||
#pkgbase=linux-custom # Build kernel with a different name
|
#pkgbase=linux-custom # Build kernel with a different name
|
||||||
_srcname=linux-4.11
|
_srcname=linux-4.11
|
||||||
pkgver=4.11.6
|
pkgver=4.11.6
|
||||||
pkgrel=2
|
pkgrel=3
|
||||||
arch=('i686' 'x86_64')
|
arch=('i686' 'x86_64')
|
||||||
url="https://www.kernel.org/"
|
url="https://www.kernel.org/"
|
||||||
license=('GPL2')
|
license=('GPL2')
|
||||||
@ -21,7 +21,9 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
|
|||||||
'90-linux.hook'
|
'90-linux.hook'
|
||||||
# standard config files for mkinitcpio ramdisk
|
# standard config files for mkinitcpio ramdisk
|
||||||
'linux.preset'
|
'linux.preset'
|
||||||
CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch)
|
CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch
|
||||||
|
CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch
|
||||||
|
CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch)
|
||||||
|
|
||||||
sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
|
sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
|
||||||
'SKIP'
|
'SKIP'
|
||||||
@ -31,7 +33,9 @@ sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
|
|||||||
'9dd9aa4a8ec613cc8261e40db897685d75e3d426219ed8d21fa3a6bc72a27a32'
|
'9dd9aa4a8ec613cc8261e40db897685d75e3d426219ed8d21fa3a6bc72a27a32'
|
||||||
'834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
|
'834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
|
||||||
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
|
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
|
||||||
'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160')
|
'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160'
|
||||||
|
'beede1721c92bae39049be5bcb30e4274406dc53c41436bf75bd44238ee8efe4'
|
||||||
|
'de9c4f81b51c497de930b365f63633a005e3b8bcfbb21be93fe0cbab84ed9f76')
|
||||||
validpgpkeys=(
|
validpgpkeys=(
|
||||||
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
|
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
|
||||||
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
|
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
|
||||||
@ -44,7 +48,11 @@ prepare() {
|
|||||||
|
|
||||||
# add upstream patch
|
# add upstream patch
|
||||||
patch -p1 -i "${srcdir}/patch-${pkgver}"
|
patch -p1 -i "${srcdir}/patch-${pkgver}"
|
||||||
|
|
||||||
|
# security patches
|
||||||
patch -p1 < "${srcdir}/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch"
|
patch -p1 < "${srcdir}/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch"
|
||||||
|
patch -p1 < "${srcdir}/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch"
|
||||||
|
patch -p1 < "${srcdir}/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch"
|
||||||
|
|
||||||
# add latest fixes from stable queue, if needed
|
# add latest fixes from stable queue, if needed
|
||||||
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
|
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
|
||||||
|
Loading…
Reference in New Issue
Block a user