diff options
author | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2017-06-27 23:00:39 +0200 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2017-06-27 21:29:28 +0000 |
commit | 82ab0db0c470ead700f08c02e16257432d8b52ab (patch) | |
tree | 319920d763095648a8304fe5fe180de80e26e020 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch | |
parent | ae3bda689107a5af833514a79c7ea7fa0bae30d0 (diff) |
Fix CVE-2017-1000364 by backporting the patches from 3.10.107dab_4.0.3dab_4.0.2dab_4.0.1dab_4.0.0dab_3.99.3dab_3.99.2dab/4.0.3dab/4.0.2dab/4.0.1dab/4.0.0dab/3.99.3dab/3.99.24.0.34.0.24.0.14.0.03.99.33.99.2dab
Backport of patches from upstream:
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=1ad9a25dd06fda9bdc27875e1cedb8277accb212
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=28ebf89579a055259280252f68f6c26d986e3ce3
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=0fcba8f954460c56217897bdffbf62060815329a
Bug-AGL: SPEC-707 SPEC-705
Change-Id: I7847ddbbd9fbd8051930e823af415fdf6ebad2ae
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch')
-rw-r--r-- | meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch new file mode 100644 index 0000000..8ad1dc3 --- /dev/null +++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/0002-SEC-Backport-mm-fix-new-crash-in-unmapped_area_topdo.patch @@ -0,0 +1,58 @@ +From 880bd724f76f26f712968fdf4917174b16540a4d Mon Sep 17 00:00:00 2001 +From: Hugh Dickins <hughd@google.com> +Date: Tue, 20 Jun 2017 02:10:44 -0700 +Subject: [PATCH 2/3] [SEC][Backport] mm: fix new crash in + unmapped_area_topdown() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream. + +Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of +mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the +end of unmapped_area_topdown(). Linus points out how MAP_FIXED +(which does not have to respect our stack guard gap intentions) +could result in gap_end below gap_start there. Fix that, and +the similar case in its alternative, unmapped_area(). + +Cc: stable@vger.kernel.org +Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") +Reported-by: Dave Jones <davej@codemonkey.org.uk> +Debugged-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Hugh Dickins <hughd@google.com> +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Willy Tarreau <w@1wt.eu> +Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> +--- + mm/mmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index cbdac38..4a113e3 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1700,7 +1700,8 @@ check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; +- if (gap_end >= low_limit && gap_end - gap_start >= length) ++ if (gap_end >= low_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit right subtree if it looks promising */ +@@ -1803,7 +1804,8 @@ check_current: + gap_end = vm_start_gap(vma); + if (gap_end < low_limit) + return -ENOMEM; +- if (gap_start <= high_limit && gap_end - gap_start >= length) ++ if (gap_start <= high_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit left subtree if it looks promising */ +-- +2.1.4 + |