From 56b115af69a2cdcc9db26ca249dfce575ef1bb9f Mon Sep 17 00:00:00 2001 From: Jan-Simon Möller Date: Wed, 28 Jun 2017 01:46:34 +0200 Subject: Fix CVE-2017-1000364 by backporting the patches for rpi3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backport of patches from upstream for 4.4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=4b359430674caa2c98d0049a6941f157d2a33741 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=f41512c6acb71c63cf4e3bd50934365ae2a23891 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.4.74&id=1f2284fac2180d7a9442c796d9755e3ce7ab0bd9 Backport of patches from upstream for 4.9 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=cfc0eb403816c5c4f9667d959de5e22789b5421e - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=5d10ad6297260e9b85e7645ee544a6115bb229e4 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.9.y&id=ce7fe8595902c3f03ef528c2dc1928b3f4b67fcf Bug-AGL: SPEC-705 Change-Id: If330fb7de09ab00f84d35a1e4c5343f958fcbf56 Signed-off-by: Jan-Simon Möller Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9857 Tested-by: Jenkins Job builder account Reviewed-by: Leon Anavi --- ...mm-fix-new-crash-in-unmapped_area_topdown.patch | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0003-mm-fix-new-crash-in-unmapped_area_topdown.patch (limited to 'meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0003-mm-fix-new-crash-in-unmapped_area_topdown.patch') diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0003-mm-fix-new-crash-in-unmapped_area_topdown.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0003-mm-fix-new-crash-in-unmapped_area_topdown.patch new file mode 100644 index 000000000..3f0acfa29 --- /dev/null +++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-4.4/0003-mm-fix-new-crash-in-unmapped_area_topdown.patch @@ -0,0 +1,52 @@ +From 1c182004bcb1cd619b58ba6631b9d88052d18e02 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 20 Jun 2017 02:10:44 -0700 +Subject: [PATCH 3/3] mm: fix new crash in unmapped_area_topdown() + +commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream. + +Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of +mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the +end of unmapped_area_topdown(). Linus points out how MAP_FIXED +(which does not have to respect our stack guard gap intentions) +could result in gap_end below gap_start there. Fix that, and +the similar case in its alternative, unmapped_area(). + +Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") +Reported-by: Dave Jones +Debugged-by: Linus Torvalds +Signed-off-by: Hugh Dickins +Acked-by: Michal Hocko +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/mmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index fcf4c88..0990f8b 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1771,7 +1771,8 @@ check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; +- if (gap_end >= low_limit && gap_end - gap_start >= length) ++ if (gap_end >= low_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit right subtree if it looks promising */ +@@ -1874,7 +1875,8 @@ check_current: + gap_end = vm_start_gap(vma); + if (gap_end < low_limit) + return -ENOMEM; +- if (gap_start <= high_limit && gap_end - gap_start >= length) ++ if (gap_start <= high_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit left subtree if it looks promising */ +-- +2.1.4 + -- cgit 1.2.3-korg