From 05a23137a6b99a1f4ec627f1ac9d5a52aa50ef1d Mon Sep 17 00:00:00 2001 From: Zhang Xiao Date: Fri, 23 Jun 2017 15:46:26 +0800 Subject: [PATCH 2/2] WRL8 linux-windriver: preliminary fix to CVE-2017-100364 CVE-2017-100365 CVE: CVE-2017-100364 CVE-2017-100365 Commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream Signed-off-by: Zhang Xiao --- ...mm-fix-new-crash-in-unmapped_area_topdown.patch | 53 ++++++++++++++++++++++ recipes-kernel/linux/linux-windriver_4.1.bb | 4 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 recipes-kernel/linux/linux-windriver/0001-mm-fix-new-crash-in-unmapped_area_topdown.patch diff --git a/recipes-kernel/linux/linux-windriver/0001-mm-fix-new-crash-in-unmapped_area_topdown.patch b/recipes-kernel/linux/linux-windriver/0001-mm-fix-new-crash-in-unmapped_area_topdown.patch new file mode 100644 index 0000000..96c613b --- /dev/null +++ b/recipes-kernel/linux/linux-windriver/0001-mm-fix-new-crash-in-unmapped_area_topdown.patch @@ -0,0 +1,53 @@ +From 2dd038367876b48c73864dba6e3e9f8ba1934299 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 20 Jun 2017 02:10:44 -0700 +Subject: [PATCH] mm: fix new crash in unmapped_area_topdown() + +commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream + +Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of +mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the +end of unmapped_area_topdown(). Linus points out how MAP_FIXED +(which does not have to respect our stack guard gap intentions) +could result in gap_end below gap_start there. Fix that, and +the similar case in its alternative, unmapped_area(). + +Cc: stable@vger.kernel.org +Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") +Reported-by: Dave Jones +Debugged-by: Linus Torvalds +Signed-off-by: Hugh Dickins +Acked-by: Michal Hocko +Signed-off-by: Linus Torvalds +Signed-off-by: Zhang Xiao +--- + mm/mmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index f8e214b..101e265 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1761,7 +1761,8 @@ check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; +- if (gap_end >= low_limit && gap_end - gap_start >= length) ++ if (gap_end >= low_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit right subtree if it looks promising */ +@@ -1864,7 +1865,8 @@ check_current: + gap_end = vm_start_gap(vma); + if (gap_end < low_limit) + return -ENOMEM; +- if (gap_start <= high_limit && gap_end - gap_start >= length) ++ if (gap_start <= high_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit left subtree if it looks promising */ +-- +2.5.0 + diff --git a/recipes-kernel/linux/linux-windriver_4.1.bb b/recipes-kernel/linux/linux-windriver_4.1.bb index 46d118b..31dba65 100644 --- a/recipes-kernel/linux/linux-windriver_4.1.bb +++ b/recipes-kernel/linux/linux-windriver_4.1.bb @@ -33,7 +33,9 @@ COMPATIBLE_MACHINE ?= '${@ machine_ktype_compatibility(d,"${LINUX_KERNEL_TYPE}") KMETA ?= "kernel-meta" KSRC_linux_windriver_4_1 ?= "${THISDIR}/../../git/kernel-4.1.x-LB13_8.0_RCPL0018" KSRC_kernel_cache ?= "${THISDIR}/../../git/kernel-cache.git" -EXTRA_KERNEL_SRC_URI += "file://CVE-2017-1000364.patch" +EXTRA_KERNEL_SRC_URI += "file://CVE-2017-1000364.patch \ + file://0001-mm-fix-new-crash-in-unmapped_area_topdown.patch \ + " SRC_URI = "git://${KSRC_linux_windriver_4_1};protocol=file;branch=${KBRANCH};name=machine \ git://${KSRC_kernel_cache};protocol=file;type=kmeta;name=meta;branch=LB13_8.0_RCPL0018;destsuffix=${KMETA} \ ${EXTRA_KERNEL_SRC_URI} \ -- 1.9.1