CVE-2010-4169: perf_events: denial-of-service bug

2010-12-10 22:34:55 -05:00 · 2010-12-10 22:34:55 -05:00 · 6685a27880
parent ed56c73082
commit 6685a27880
2 changed files with 51 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -889,6 +889,8 @@ Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
 # CVE-2010-4258
 Patch13914: do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+# CVE-2010-4169
+Patch13915: perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch

 %endif

@ -1703,6 +1705,8 @@ ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
 ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
 # CVE-2010-4258
 ApplyPatch do_exit-make-sure-that-we-run-with-get_fs-user_ds.patch
+# CVE-2010-4169
+ApplyPatch perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch

 # END OF PATCH APPLICATIONS

@ -2332,6 +2336,7 @@ fi
 - CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
 - CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new()
 - CVE-2010-4258: failure to revert address limit override in OOPS error path
+- CVE-2010-4169: perf_events: denial-of-service bug

 * Thu Dec 09 2010 Kyle McMartin <kyle@redhat.com>
 - ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
--- a/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
+++ b/perf_events-fix-perf_counter_mmap-hook-in-mprotect.patch
@ -0,0 +1,46 @@
+From: Pekka Enberg <penberg@kernel.org>
+Date: Mon, 8 Nov 2010 19:29:07 +0000 (+0200)
+Subject: perf_events: Fix perf_counter_mmap() hook in mprotect()
+X-Git-Tag: v2.6.37-rc2~72
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63bfd7384b119409685a17d5c58f0b56e5dc03da
+
+perf_events: Fix perf_counter_mmap() hook in mprotect()
+
+As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
+mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
+merging. Fix the problem by moving perf_event_mmap() hook to
+mprotect_fixup().
+
+Note: there's another successful return path from mprotect_fixup() if old
+flags equal to new flags. We don't, however, need to call
+perf_event_mmap() there because 'perf' already knows the VMA is
+executable.
+
+Reported-by: Dave Jones <davej@redhat.com>
+Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ingo Molnar <mingo@elte.hu>
+Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index 2d1bf7c..4c51338 100644
+--- a/mm/mprotect.c
+++ b/mm/mprotect.c
+@@ -211,6 +211,7 @@ success:
+ 	mmu_notifier_invalidate_range_end(mm, start, end);
+ 	vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
+ 	vm_stat_account(mm, newflags, vma->vm_file, nrpages);
+	perf_event_mmap(vma);
+ 	return 0;
+ 
+ fail:
+@@ -299,7 +300,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ 		error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
+ 		if (error)
+ 			goto out;
+-		perf_event_mmap(vma);
+ 		nstart = tmp;
+ 
+ 		if (nstart < prev->vm_end)