CVE-2010-4169: perf_events: denial-of-service bug
This commit is contained in:
parent
ed56c73082
commit
6685a27880
|
@ -889,6 +889,8 @@ Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
|||
Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
# CVE-2010-4258
|
||||
Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||
# CVE-2010-4169
|
||||
Patch13915: perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1703,6 +1705,8 @@ ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
|||
ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
# CVE-2010-4258
|
||||
ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
|
||||
# CVE-2010-4169
|
||||
ApplyPatch perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2332,6 +2336,7 @@ fi
|
|||
- CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
|
||||
- CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new()
|
||||
- CVE-2010-4258: failure to revert address limit override in OOPS error path
|
||||
- CVE-2010-4169: perf_events: denial-of-service bug
|
||||
|
||||
* Thu Dec 09 2010 Kyle McMartin <kyle@redhat.com>
|
||||
- ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
From: Pekka Enberg <penberg@kernel.org>
|
||||
Date: Mon, 8 Nov 2010 19:29:07 +0000 (+0200)
|
||||
Subject: perf_events: Fix perf_counter_mmap() hook in mprotect()
|
||||
X-Git-Tag: v2.6.37-rc2~72
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63bfd7384b119409685a17d5c58f0b56e5dc03da
|
||||
|
||||
perf_events: Fix perf_counter_mmap() hook in mprotect()
|
||||
|
||||
As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
|
||||
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
|
||||
merging. Fix the problem by moving perf_event_mmap() hook to
|
||||
mprotect_fixup().
|
||||
|
||||
Note: there's another successful return path from mprotect_fixup() if old
|
||||
flags equal to new flags. We don't, however, need to call
|
||||
perf_event_mmap() there because 'perf' already knows the VMA is
|
||||
executable.
|
||||
|
||||
Reported-by: Dave Jones <davej@redhat.com>
|
||||
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Ingo Molnar <mingo@elte.hu>
|
||||
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
|
||||
Signed-off-by: Pekka Enberg <penberg@kernel.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
|
||||
diff --git a/mm/mprotect.c b/mm/mprotect.c
|
||||
index 2d1bf7c..4c51338 100644
|
||||
--- a/mm/mprotect.c
|
||||
+++ b/mm/mprotect.c
|
||||
@@ -211,6 +211,7 @@ success:
|
||||
mmu_notifier_invalidate_range_end(mm, start, end);
|
||||
vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
|
||||
vm_stat_account(mm, newflags, vma->vm_file, nrpages);
|
||||
+ perf_event_mmap(vma);
|
||||
return 0;
|
||||
|
||||
fail:
|
||||
@@ -299,7 +300,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
|
||||
error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
|
||||
if (error)
|
||||
goto out;
|
||||
- perf_event_mmap(vma);
|
||||
nstart = tmp;
|
||||
|
||||
if (nstart < prev->vm_end)
|
Loading…
Reference in New Issue