(fixup patches for CVE-2017-1000364)
This commit is contained in:
parent
49a3ed2589
commit
cb9e37e6e2
|
@ -0,0 +1,45 @@
|
|||
From bd726c90b6b8ce87602208701b208a208e6d5600 Mon Sep 17 00:00:00 2001
|
||||
From: Helge Deller <deller@gmx.de>
|
||||
Date: Mon, 19 Jun 2017 17:34:05 +0200
|
||||
Subject: [PATCH] Allow stack to grow up to address space limit
|
||||
|
||||
Fix expand_upwards() on architectures with an upward-growing stack (parisc,
|
||||
metag and partly IA-64) to allow the stack to reliably grow exactly up to
|
||||
the address space limit given by TASK_SIZE.
|
||||
|
||||
Signed-off-by: Helge Deller <deller@gmx.de>
|
||||
Acked-by: Hugh Dickins <hughd@google.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
mm/mmap.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/mm/mmap.c b/mm/mmap.c
|
||||
index 290b77d9a01e0..a5e3dcd75e79f 100644
|
||||
--- a/mm/mmap.c
|
||||
+++ b/mm/mmap.c
|
||||
@@ -2230,16 +2230,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
|
||||
if (!(vma->vm_flags & VM_GROWSUP))
|
||||
return -EFAULT;
|
||||
|
||||
- /* Guard against wrapping around to address 0. */
|
||||
+ /* Guard against exceeding limits of the address space. */
|
||||
address &= PAGE_MASK;
|
||||
- address += PAGE_SIZE;
|
||||
- if (!address)
|
||||
+ if (address >= TASK_SIZE)
|
||||
return -ENOMEM;
|
||||
+ address += PAGE_SIZE;
|
||||
|
||||
/* Enforce stack_guard_gap */
|
||||
gap_addr = address + stack_guard_gap;
|
||||
- if (gap_addr < address)
|
||||
- return -ENOMEM;
|
||||
+
|
||||
+ /* Guard against overflow */
|
||||
+ if (gap_addr < address || gap_addr > TASK_SIZE)
|
||||
+ gap_addr = TASK_SIZE;
|
||||
+
|
||||
next = vma->vm_next;
|
||||
if (next && next->vm_start < gap_addr) {
|
||||
if (!(next->vm_flags & VM_GROWSUP))
|
|
@ -0,0 +1,47 @@
|
|||
From f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Mon Sep 17 00:00:00 2001
|
||||
From: Hugh Dickins <hughd@google.com>
|
||||
Date: Tue, 20 Jun 2017 02:10:44 -0700
|
||||
Subject: [PATCH] mm: fix new crash in unmapped_area_topdown()
|
||||
|
||||
Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of
|
||||
mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the
|
||||
end of unmapped_area_topdown(). Linus points out how MAP_FIXED
|
||||
(which does not have to respect our stack guard gap intentions)
|
||||
could result in gap_end below gap_start there. Fix that, and
|
||||
the similar case in its alternative, unmapped_area().
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
|
||||
Reported-by: Dave Jones <davej@codemonkey.org.uk>
|
||||
Debugged-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Hugh Dickins <hughd@google.com>
|
||||
Acked-by: Michal Hocko <mhocko@suse.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
mm/mmap.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/mm/mmap.c b/mm/mmap.c
|
||||
index 8e07976d5e477..290b77d9a01e0 100644
|
||||
--- a/mm/mmap.c
|
||||
+++ b/mm/mmap.c
|
||||
@@ -1817,7 +1817,8 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
|
||||
/* Check if current node has a suitable gap */
|
||||
if (gap_start > high_limit)
|
||||
return -ENOMEM;
|
||||
- if (gap_end >= low_limit && gap_end - gap_start >= length)
|
||||
+ if (gap_end >= low_limit &&
|
||||
+ gap_end > gap_start && gap_end - gap_start >= length)
|
||||
goto found;
|
||||
|
||||
/* Visit right subtree if it looks promising */
|
||||
@@ -1920,7 +1921,8 @@ unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
|
||||
gap_end = vm_start_gap(vma);
|
||||
if (gap_end < low_limit)
|
||||
return -ENOMEM;
|
||||
- if (gap_start <= high_limit && gap_end - gap_start >= length)
|
||||
+ if (gap_start <= high_limit &&
|
||||
+ gap_end > gap_start && gap_end - gap_start >= length)
|
||||
goto found;
|
||||
|
||||
/* Visit left subtree if it looks promising */
|
14
PKGBUILD
14
PKGBUILD
|
@ -5,7 +5,7 @@ pkgbase=linux # Build stock -ARCH kernel
|
|||
#pkgbase=linux-custom # Build kernel with a different name
|
||||
_srcname=linux-4.11
|
||||
pkgver=4.11.6
|
||||
pkgrel=2
|
||||
pkgrel=3
|
||||
arch=('i686' 'x86_64')
|
||||
url="https://www.kernel.org/"
|
||||
license=('GPL2')
|
||||
|
@ -21,7 +21,9 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
|
|||
'90-linux.hook'
|
||||
# standard config files for mkinitcpio ramdisk
|
||||
'linux.preset'
|
||||
CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch)
|
||||
CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch
|
||||
CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch
|
||||
CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch)
|
||||
|
||||
sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
|
||||
'SKIP'
|
||||
|
@ -31,7 +33,9 @@ sha256sums=('b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6'
|
|||
'9dd9aa4a8ec613cc8261e40db897685d75e3d426219ed8d21fa3a6bc72a27a32'
|
||||
'834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
|
||||
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
|
||||
'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160')
|
||||
'e1b6a237894fb9e7bf142eb97b5e53c2e46a15ff69ef11593007f254b9faa160'
|
||||
'beede1721c92bae39049be5bcb30e4274406dc53c41436bf75bd44238ee8efe4'
|
||||
'de9c4f81b51c497de930b365f63633a005e3b8bcfbb21be93fe0cbab84ed9f76')
|
||||
validpgpkeys=(
|
||||
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
|
||||
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
|
||||
|
@ -44,7 +48,11 @@ prepare() {
|
|||
|
||||
# add upstream patch
|
||||
patch -p1 -i "${srcdir}/patch-${pkgver}"
|
||||
|
||||
# security patches
|
||||
patch -p1 < "${srcdir}/CVE-2017-1000364.mm-larger-stack-guard-gap-between-vmas.patch"
|
||||
patch -p1 < "${srcdir}/CVE-2017-1000364.mm-fix-new-crash-in-unmapped_area_topdown.patch"
|
||||
patch -p1 < "${srcdir}/CVE-2017-1000364.fixup.allow-stack-to-grow-up-to-address-space-limit.patch"
|
||||
|
||||
# add latest fixes from stable queue, if needed
|
||||
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
|
||||
|
|
Loading…
Reference in New Issue