From 2409402d047b7d39580cf19821082a2b20130d8e Mon Sep 17 00:00:00 2001 From: Zhang Xiao Date: Thu, 22 Jun 2017 11:36:11 +0800 Subject: [PATCH 2/2] WRL7 linux-windriver: preliminary fix to CVE-2017-100364 CVE-2017-100365 CVE: CVE-2017-100364 CVE-2017-100365 Add a bug fix commit from upstream. Signed-off-by: Zhang Xiao --- .../linux-windriver/CVE-2017-1000364_02.patch | 53 ++++++++++++++++++++++ recipes-kernel/linux/linux-windriver_3.14.bb | 4 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 recipes-kernel/linux/linux-windriver/CVE-2017-1000364_02.patch diff --git a/recipes-kernel/linux/linux-windriver/CVE-2017-1000364_02.patch b/recipes-kernel/linux/linux-windriver/CVE-2017-1000364_02.patch new file mode 100644 index 0000000..56313e0 --- /dev/null +++ b/recipes-kernel/linux/linux-windriver/CVE-2017-1000364_02.patch @@ -0,0 +1,53 @@ +From 2900dbf049039aa2b1996b4c85a48ac88f1f088e Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 20 Jun 2017 02:10:44 -0700 +Subject: [PATCH] mm: fix new crash in unmapped_area_topdown() + +Commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 upstream + +Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of +mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the +end of unmapped_area_topdown(). Linus points out how MAP_FIXED +(which does not have to respect our stack guard gap intentions) +could result in gap_end below gap_start there. Fix that, and +the similar case in its alternative, unmapped_area(). + +Cc: stable@vger.kernel.org +Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") +Reported-by: Dave Jones +Debugged-by: Linus Torvalds +Signed-off-by: Hugh Dickins +Acked-by: Michal Hocko +Signed-off-by: Linus Torvalds +Signed-off-by: Zhang Xiao +--- + mm/mmap.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index 5a58996..11ee83c 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1736,7 +1736,8 @@ check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; +- if (gap_end >= low_limit && gap_end - gap_start >= length) ++ if (gap_end >= low_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit right subtree if it looks promising */ +@@ -1839,7 +1840,8 @@ check_current: + gap_end = vm_start_gap(vma); + if (gap_end < low_limit) + return -ENOMEM; +- if (gap_start <= high_limit && gap_end - gap_start >= length) ++ if (gap_start <= high_limit && ++ gap_end > gap_start && gap_end - gap_start >= length) + goto found; + + /* Visit left subtree if it looks promising */ +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-windriver_3.14.bb b/recipes-kernel/linux/linux-windriver_3.14.bb index 3473c76..2c729dd 100644 --- a/recipes-kernel/linux/linux-windriver_3.14.bb +++ b/recipes-kernel/linux/linux-windriver_3.14.bb @@ -33,5 +33,7 @@ KMETA ?= "meta" KSRC_linux_windriver_3_14 ?= "${THISDIR}/../../git/kernel-3.14.x-LB21_7.0_RCPL0025" SRC_URI = "git://${KSRC_linux_windriver_3_14};protocol=file;nocheckout=1;branch=${KBRANCH},${KMETA};name=machine,meta${EXTRA_KERNEL_SRC_URI}" -SRC_URI += "file://CVE-2017-1000364.patch" +SRC_URI += "file://CVE-2017-1000364.patch \ + file://CVE-2017-1000364_02.patch \ + " -- 1.9.1