diff --git a/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch b/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch new file mode 100644 index 0000000..58ec52f --- /dev/null +++ b/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch @@ -0,0 +1,45 @@ +From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 19 Jun 2017 17:34:05 +0200 +Subject: [PATCH] Allow stack to grow up to address space limit + +Fix expand_upwards() on architectures with an upward-growing stack (parisc, +metag and partly IA-64) to allow the stack to reliably grow exactly up to +the address space limit given by TASK_SIZE. + +Signed-off-by: Helge Deller +Acked-by: Hugh Dickins +Signed-off-by: Linus Torvalds +--- + mm/mmap.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 290b77d9a01e0..a5e3dcd75e79f 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) + if (!(vma->vm_flags & VM_GROWSUP)) + return -EFAULT; + +- /* Guard against wrapping around to address 0. */ ++ /* Guard against exceeding limits of the address space. */ + address &= PAGE_MASK; +- address += PAGE_SIZE; +- if (!address) ++ if (address >= TASK_SIZE) + return -ENOMEM; ++ address += PAGE_SIZE; + + /* Enforce stack_guard_gap */ + gap_addr = address + stack_guard_gap; +- if (gap_addr < address) +- return -ENOMEM; ++ ++ /* Guard against overflow */ ++ if (gap_addr < address || gap_addr > TASK_SIZE) ++ gap_addr = TASK_SIZE; ++ + next = vma->vm_next; + if (next && next->vm_start < gap_addr) { + if (!(next->vm_flags & VM_GROWSUP)) diff --git a/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch b/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch new file mode 100644 index 0000000..25fc3f5 --- /dev/null +++ b/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch @@ -0,0 +1,47 @@ +From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 20 Jun 2017 02:10:44 -0700 +Subject: [PATCH] mm: fix new crash in unmapped_area_topdown() + +Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of +mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the +end of unmapped_area_topdown(). Linus points out how MAP_FIXED +(which does not have to respect our stack guard gap intentions) +could result in gap_end below gap_start there. Fix that, and +the similar case in its alternative, unmapped_area(). + +Cc: stable@vger.kernel.org +Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") +Reported-by: Dave Jones +Debugged-by: Linus Torvalds +Signed-off-by: Hugh Dickins +Acked-by: Michal Hocko +Signed-off-by: Linus Torvalds +--- + mm/mmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 8e07976d5e477..290b77d9a01e0 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; +- if (gap_end >= low_limit && gap_end - gap_start >= length) ++ if (gap_end >= low_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit right subtree if it looks promising */ +@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) + gap_end = vm_start_gap(vma); + if (gap_end < low_limit) + return -ENOMEM; +- if (gap_start <= high_limit && gap_end - gap_start >= length) ++ if (gap_start <= high_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit left subtree if it looks promising */ diff --git a/PKGBUILD b/PKGBUILD index 8326afc..c9448a3 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -5,7 +5,7 @@ pkgbase=linux # Build stock -ARCH kernel #pkgbase=linux-custom # Build kernel with a different name _srcname=linux-4.11 pkgver=4.11.6 -pkgrel=2 +pkgrel=3 arch=('i686' 'x86_64') url="https://www.kernel.org/" license=('GPL2') @@ -21,7 +21,9 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz" '90-linux.hook' # standard config files for mkinitcpio ramdisk 'linux.preset' - CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch) + CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch + CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch + CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch) sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6' 'SKIP' @@ -31,7 +33,9 @@ sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6' '9dd9aa4a8ec613cc8261e40db897685d75e3d426219ed8d21fa3a6bc72a27a32' '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' - 'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160') + 'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160' + 'beede1721c92bae39049be5bcb30e4274406dc53c41436bf75bd44238ee8efe4' + 'de9c4f81b51c497de930b365f63633a005e3b8bcfbb21be93fe0cbab84ed9f76') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman @@ -44,7 +48,11 @@ prepare() { # add upstream patch patch -p1 -i "${srcdir}/patch-${pkgver}" + + # security patches patch -p1 < "${srcdir}/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch" + patch -p1 < "${srcdir}/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch" + patch -p1 < "${srcdir}/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch" # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git