From 12fe812bc3200fcacaef62e906956590ded33118 Mon Sep 17 00:00:00 2001 From: Jan-Simon Möller Date: Wed, 28 Jun 2017 11:46:43 +0200 Subject: Fix CVE-2017-1000364 by backporting the patches for rpi3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backport of patches from upstream for 4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=4b359430674caa2c98d0049a6941f157d2a33741 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=f41512c6acb71c63cf4e3bd50934365ae2a23891 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=1f2284fac2180d7a9442c796d9755e3ce7ab0bd9 Bug-AGL: SPEC-705 SPEC-706 Change-Id: I66fa6e271095c2319791480089a9e6f3392c51d3 Signed-off-by: Jan-Simon Möller Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9875 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Leon Anavi --- ...w-stack-to-grow-up-to-address-space-limit.patch | 64 ++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0002-Allow-stack-to-grow-up-to-address-space-limit.patch (limited to 'meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0002-Allow-stack-to-grow-up-to-address-space-limit.patch') diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0002-Allow-stack-to-grow-up-to-address-space-limit.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0002-Allow-stack-to-grow-up-to-address-space-limit.patch new file mode 100644 index 000000000..093c2e98a --- /dev/null +++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0002-Allow-stack-to-grow-up-to-address-space-limit.patch @@ -0,0 +1,64 @@ +From a5294b0a0ebd761773d692ce862629af8a7a9eed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= +Date: Wed, 28 Jun 2017 02:46:40 +0200 +Subject: [PATCH 2/3] Allow stack to grow up to address space limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From cd20f002742028366c33b38b3ca613eaee4582c9 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 19 Jun 2017 17:34:05 +0200 +Subject: [PATCH 2/3] Allow stack to grow up to address space limit + +commit bd726c90b6b8ce87602208701b208a208e6d5600 upstream. + +Fix expand_upwards() on architectures with an upward-growing stack (parisc, +metag and partly IA-64) to allow the stack to reliably grow exactly up to +the address space limit given by TASK_SIZE. + +Signed-off-by: Helge Deller +Acked-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/mmap.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +Signed-off-by: Jan-Simon Möller +--- + mm/mmap.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 5e043dd..fcf4c88 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2172,16 +2172,19 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) + if (!(vma->vm_flags & VM_GROWSUP)) + return -EFAULT; + +- /* Guard against wrapping around to address 0. */ ++ /* Guard against exceeding limits of the address space. */ + address &= PAGE_MASK; +- address += PAGE_SIZE; +- if (!address) ++ if (address >= TASK_SIZE) + return -ENOMEM; ++ address += PAGE_SIZE; + + /* Enforce stack_guard_gap */ + gap_addr = address + stack_guard_gap; +- if (gap_addr < address) +- return -ENOMEM; ++ ++ /* Guard against overflow */ ++ if (gap_addr < address || gap_addr > TASK_SIZE) ++ gap_addr = TASK_SIZE; ++ + next = vma->vm_next; + if (next && next->vm_start < gap_addr) { + if (!(next->vm_flags & VM_GROWSUP)) +-- +2.1.4 + -- cgit 1.2.3-korg