authorTim Yamin <plasmaroo@gentoo.org>2004-12-04 00:19:09 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-12-04 00:19:09 +0000
commit511a1cc5dcf44fb222c4570a21fdf1707ede263b (patch)
tree4db11f2e1b3b9ac78509c2dfd1e737c7b327c160 /sys-kernel/win4lin-sources
parentAdded to ~sparc. (diff)
Version bump for the overlapping VMA security fix, bug #72452.
Diffstat (limited to 'sys-kernel/win4lin-sources')
-rw-r--r--sys-kernel/win4lin-sources/ChangeLog8
-rw-r--r--sys-kernel/win4lin-sources/Manifest7
-rw-r--r--sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r3 (renamed from sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r2)0
-rw-r--r--sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.vma.patch268
-rw-r--r--sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r3.ebuild (renamed from sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r2.ebuild)5
5 files changed, 282 insertions, 6 deletions
diff --git a/sys-kernel/win4lin-sources/ChangeLog b/sys-kernel/win4lin-sources/ChangeLog
index ec8a1043eb52..4b0b048b05f0 100644
--- a/sys-kernel/win4lin-sources/ChangeLog
+++ b/sys-kernel/win4lin-sources/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-kernel/win4lin-sources
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/ChangeLog,v 1.44 2004/11/28 11:47:54 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/ChangeLog,v 1.45 2004/12/04 00:19:09 plasmaroo Exp $
+
+*win4lin-sources-2.6.9-r3 (04 Dec 2004)
+
+ 04 Dec 2004; <plasmaroo@gentoo.org> -win4lin-sources-2.6.9-r2.ebuild,
+ +win4lin-sources-2.6.9-r3.ebuild, +files/win4lin-sources-2.6.9.vma.patch:
+ Version bump for the overwrapping VMA security fix, bug #72452.
28 Nov 2004; <plasmaroo@gentoo.org> win4lin-sources-2.6.9-r2.ebuild,
+files/win4lin-sources-2.6.9.AF_UNIX.patch:
diff --git a/sys-kernel/win4lin-sources/Manifest b/sys-kernel/win4lin-sources/Manifest
index 49e1d9dbc96d..7808d556dddf 100644
--- a/sys-kernel/win4lin-sources/Manifest
+++ b/sys-kernel/win4lin-sources/Manifest
@@ -1,7 +1,7 @@
-MD5 c0bd5bf2cabe755d0d1c617b6605d20a ChangeLog 10440
-MD5 00796dd07666fb6de4381c4ab7015eeb win4lin-sources-2.6.9-r2.ebuild 1326
+MD5 4d01ebeb2c8fe8422064eddbceae6bd6 ChangeLog 10696
MD5 608fe99985244b0445f76cee44c9ae14 metadata.xml 290
MD5 2b671599525fa8f6972df4bf3130c139 win4lin-sources-2.4.26-r10.ebuild 2675
+MD5 d4c3642bd5419fa11e2fbaa81c5ed191 win4lin-sources-2.6.9-r3.ebuild 1354
MD5 530630d25910e6bd9376b63ea099655f files/win4lin-sources-2.6.9.AF_UNIX.patch 469
MD5 2b3ddb8b8b15f8da35ade38544b57857 files/win4lin-sources-2.4.26.XDRWrapFix.patch 1499
MD5 53fe3d26f6fc45487d69895fc07770cb files/win4lin-sources-2.6.9.binfmt_elf.patch 2350
@@ -9,13 +9,14 @@ MD5 8812f60b8d02b0b3b4c46a3311ddd851 files/win4lin-sources-2.6.9.smbfs.patch 266
MD5 a9991d6324d7404ed99e79be6e44e9de files/win4lin-sources-2.6.binfmt_elf.patch 2348
MD5 c9da1bc82b906f6abc648c056e7bf662 files/win4lin-sources-2.4.26.FPULockup-53804.patch 354
MD5 d1ccc2047be533c992f67270a150a210 files/win4lin-sources-2.4.26.cmdlineLeak.patch 388
+MD5 42b42f2a4f260fad2fef264b82aff2ae files/win4lin-sources-2.6.9.vma.patch 8952
MD5 b0a1f80aff51d6601e8924329023b241 files/win4lin-sources.AF_UNIX.patch 515
MD5 65254b087906bead43e7e7bf9eba7610 files/digest-win4lin-sources-2.4.26-r10 353
+MD5 2bd92617d5f73fe2973abc0ceb071fc5 files/digest-win4lin-sources-2.6.9-r3 207
MD5 dc18e982f8149588a291956481885a8c files/win4lin-sources-2.4.26.CAN-2004-0495.patch 17549
MD5 60d25ff310fc6abfdce39ec9e47345af files/win4lin-sources-2.4.26.CAN-2004-0685.patch 2809
MD5 b9a94233e1457787352e5f85e3e3582d files/win4lin-sources-2.4.26.binfmt_a.out.patch 2009
MD5 1e1fe7bb98c80db4644f4b7fd7dd5d32 files/win4lin-sources-2.4.26.smbfs.patch 3434
-MD5 2bd92617d5f73fe2973abc0ceb071fc5 files/digest-win4lin-sources-2.6.9-r2 207
MD5 d4a740ae56c2049247083af387a22a85 files/win4lin-sources-2.4.26.CAN-2004-0394.patch 350
MD5 915e8d7a0618736caa44d96968015467 files/win4lin-sources-2.4.26.binfmt_elf.patch 2346
MD5 025c80544aef14ce3a49024d791c5596 files/win4lin-sources-2.6.9.binfmt_a.out.patch 1763
diff --git a/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r2 b/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r3
index 12075686996a..12075686996a 100644
--- a/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r2
+++ b/sys-kernel/win4lin-sources/files/digest-win4lin-sources-2.6.9-r3
diff --git a/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.vma.patch b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.vma.patch
new file mode 100644
index 000000000000..a335bfc2e269
--- /dev/null
+++ b/sys-kernel/win4lin-sources/files/win4lin-sources-2.6.9.vma.patch
@@ -0,0 +1,268 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/11/25 16:00:28-08:00 nanhai.zou@intel.com
+# [PATCH] ia64/x86_64/s390 overlapping vma fix
+#
+# IA64 is also vulnerable to the huge-vma-in-executable bug in 64 bit elf
+# support, it just insert a vma of zero page without checking overlap, so user
+# can construct a elf with section begin from 0x0 to trigger this BUGON().
+#
+# However, I think it's safe to check overlap before we actually insert a vma
+# into vma list. And I also feel check vma overlap everywhere is unnecessary,
+# because invert_vm_struct will check it again, so the check is duplicated.
+# It's better to have invert_vm_struct return a value then let caller check if
+# it successes. Here is a patch against 2.6.10.rc2-mm3 I have tested it on
+# i386, x86_64 and ia64 machines.
+#
+# Signed-off-by: Tony Luck <tony.luck@intel.com>
+# Signed-off-by: Zou Nan hai <Nanhai.zou@intel.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# arch/ia64/ia32/binfmt_elf32.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +21 -5
+# ia64/x86_64/s390 overlapping vma fix
+#
+# arch/ia64/mm/init.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +14 -2
+# ia64/x86_64/s390 overlapping vma fix
+#
+# arch/s390/kernel/compat_exec.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +6 -2
+# ia64/x86_64/s390 overlapping vma fix
+#
+# arch/x86_64/ia32/ia32_binfmt.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +6 -2
+# ia64/x86_64/s390 overlapping vma fix
+#
+# fs/exec.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +3 -6
+# ia64/x86_64/s390 overlapping vma fix
+#
+# include/linux/mm.h
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +1 -1
+# ia64/x86_64/s390 overlapping vma fix
+#
+# mm/mmap.c
+# 2004/11/24 22:42:43-08:00 nanhai.zou@intel.com +3 -2
+# ia64/x86_64/s390 overlapping vma fix
+#
+diff -Nru a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c
+--- a/arch/ia64/ia32/binfmt_elf32.c 2004-12-03 12:01:20 -08:00
++++ b/arch/ia64/ia32/binfmt_elf32.c 2004-12-03 12:01:20 -08:00
+@@ -100,7 +100,11 @@
+ vma->vm_ops = &ia32_shared_page_vm_ops;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -123,7 +127,11 @@
+ vma->vm_ops = &ia32_gate_page_vm_ops;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -142,7 +150,11 @@
+ vma->vm_flags = VM_READ|VM_WRITE|VM_MAYREAD|VM_MAYWRITE;
+ down_write(&current->mm->mmap_sem);
+ {
+- insert_vm_struct(current->mm, vma);
++ if (insert_vm_struct(current->mm, vma)) {
++ kmem_cache_free(vm_area_cachep, vma);
++ up_write(&current->mm->mmap_sem);
++ return;
++ }
+ }
+ up_write(&current->mm->mmap_sem);
+ }
+@@ -190,7 +202,7 @@
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+ struct mm_struct *mm = current->mm;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ mm->arg_start = bprm->p + stack_base;
+@@ -225,7 +237,11 @@
+ mpnt->vm_flags = VM_STACK_FLAGS;
+ mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC)?
+ PAGE_COPY_EXEC: PAGE_COPY;
+- insert_vm_struct(current->mm, mpnt);
++ if ((ret = insert_vm_struct(current->mm, mpnt))) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ current->mm->stack_vm = current->mm->total_vm = vma_pages(mpnt);
+ }
+
+diff -Nru a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
+--- a/arch/ia64/mm/init.c 2004-12-03 12:01:20 -08:00
++++ b/arch/ia64/mm/init.c 2004-12-03 12:01:20 -08:00
+@@ -131,7 +131,13 @@
+ vma->vm_end = vma->vm_start + PAGE_SIZE;
+ vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7];
+ vma->vm_flags = VM_DATA_DEFAULT_FLAGS | VM_GROWSUP;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+
+ /* map NaT-page at address zero to speed up speculative dereferencing of NULL: */
+@@ -143,7 +149,13 @@
+ vma->vm_end = PAGE_SIZE;
+ vma->vm_page_prot = __pgprot(pgprot_val(PAGE_READONLY) | _PAGE_MA_NAT);
+ vma->vm_flags = VM_READ | VM_MAYREAD | VM_IO | VM_RESERVED;
+- insert_vm_struct(current->mm, vma);
++ down_write(&current->mm->mmap_sem);
++ if (insert_vm_struct(current->mm, vma)) {
++ up_write(&current->mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, vma);
++ return;
++ }
++ up_write(&current->mm->mmap_sem);
+ }
+ }
+ }
+diff -Nru a/arch/s390/kernel/compat_exec.c b/arch/s390/kernel/compat_exec.c
+--- a/arch/s390/kernel/compat_exec.c 2004-12-03 12:01:20 -08:00
++++ b/arch/s390/kernel/compat_exec.c 2004-12-03 12:01:20 -08:00
+@@ -39,7 +39,7 @@
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+ struct mm_struct *mm = current->mm;
+- int i;
++ int i, ret;
+
+ stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
+ mm->arg_start = bprm->p + stack_base;
+@@ -68,7 +68,11 @@
+ /* executable stack setting would be applied here */
+ mpnt->vm_page_prot = PAGE_COPY;
+ mpnt->vm_flags = VM_STACK_FLAGS;
+- insert_vm_struct(mm, mpnt);
++ if ((ret = insert_vm_struct(mm, mpnt))) {
++ up_write(&mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ }
+
+diff -Nru a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c
+--- a/arch/x86_64/ia32/ia32_binfmt.c 2004-12-03 12:01:20 -08:00
++++ b/arch/x86_64/ia32/ia32_binfmt.c 2004-12-03 12:01:20 -08:00
+@@ -334,7 +334,7 @@
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+ struct mm_struct *mm = current->mm;
+- int i;
++ int i, ret;
+
+ stack_base = IA32_STACK_TOP - MAX_ARG_PAGES * PAGE_SIZE;
+ mm->arg_start = bprm->p + stack_base;
+@@ -368,7 +368,11 @@
+ mpnt->vm_flags = VM_STACK_FLAGS;
+ mpnt->vm_page_prot = (mpnt->vm_flags & VM_EXEC) ?
+ PAGE_COPY_EXEC : PAGE_COPY;
+- insert_vm_struct(mm, mpnt);
++ if ((ret = insert_vm_struct(mm, mpnt))) {
++ up_write(&mm->mmap_sem);
++ kmem_cache_free(vm_area_cachep, mpnt);
++ return ret;
++ }
+ mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ }
+
+diff -Nru a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c 2004-12-03 12:01:20 -08:00
++++ b/fs/exec.c 2004-12-03 12:01:20 -08:00
+@@ -342,7 +342,7 @@
+ unsigned long stack_base;
+ struct vm_area_struct *mpnt;
+ struct mm_struct *mm = current->mm;
+- int i;
++ int i, ret;
+ long arg_size;
+
+ #ifdef CONFIG_STACK_GROWSUP
+@@ -413,7 +413,6 @@
+
+ down_write(&mm->mmap_sem);
+ {
+- struct vm_area_struct *vma;
+ mpnt->vm_mm = mm;
+ #ifdef CONFIG_STACK_GROWSUP
+ mpnt->vm_start = stack_base;
+@@ -434,13 +433,11 @@
+ mpnt->vm_flags = VM_STACK_FLAGS;
+ mpnt->vm_flags |= mm->def_flags;
+ mpnt->vm_page_prot = protection_map[mpnt->vm_flags & 0x7];
+- vma = find_vma(mm, mpnt->vm_start);
+- if (vma) {
++ if ((ret = insert_vm_struct(mm, mpnt))) {
+ up_write(&mm->mmap_sem);
+ kmem_cache_free(vm_area_cachep, mpnt);
+- return -ENOMEM;
++ return ret;
+ }
+- insert_vm_struct(mm, mpnt);
+ mm->stack_vm = mm->total_vm = vma_pages(mpnt);
+ }
+
+diff -Nru a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2004-12-03 12:01:20 -08:00
++++ b/include/linux/mm.h 2004-12-03 12:01:20 -08:00
+@@ -675,7 +675,7 @@
+ extern struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *);
+ extern int split_vma(struct mm_struct *,
+ struct vm_area_struct *, unsigned long addr, int new_below);
+-extern void insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
++extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *);
+ extern void __vma_link_rb(struct mm_struct *, struct vm_area_struct *,
+ struct rb_node **, struct rb_node *);
+ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
+diff -Nru a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2004-12-03 12:01:20 -08:00
++++ b/mm/mmap.c 2004-12-03 12:01:20 -08:00
+@@ -1871,7 +1871,7 @@
+ * and into the inode's i_mmap tree. If vm_file is non-NULL
+ * then i_mmap_lock is taken here.
+ */
+-void insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
++int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+ {
+ struct vm_area_struct * __vma, * prev;
+ struct rb_node ** rb_link, * rb_parent;
+@@ -1894,8 +1894,9 @@
+ }
+ __vma = find_vma_prepare(mm,vma->vm_start,&prev,&rb_link,&rb_parent);
+ if (__vma && __vma->vm_start < vma->vm_end)
+- BUG();
++ return -ENOMEM;
+ vma_link(mm, vma, prev, rb_link, rb_parent);
++ return 0;
+ }
+
+ /*
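Review bot: The `return;` error paths added to the void setup code in arch/ia64/ia32/binfmt_elf32.c (the `ia32_shared_page_vm_ops`, `ia32_gate_page_vm_ops` and following vma) and in arch/ia64/mm/init.c (both inserts, including the NaT page at address zero) free the vma and return, so an overlap is dropped silently and the exec appears to continue without that mapping. Those functions start and end outside the hunks, so whether a caller could act on an error is not visible here. If the silent skip is intended, say so at each site, for example `/* overlaps a mapping from the ELF image: skip this vma, the task runs without it */`. Separately, include/linux/mm.h changes `insert_vm_struct()` from `void` to `int` and mm/mmap.c now returns `-ENOMEM` where it used to `BUG()`, so any caller this patch does not touch still compiles and now ignores the failure, and may go on to treat an unlinked vma as inserted. Before shipping this on top of the win4lin patch set, grep the patched tree for remaining `insert_vm_struct(` calls whose result is unchecked.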
diff --git a/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r2.ebuild b/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r3.ebuild
index 4daf4cce7e51..2dc82c7692e5 100644
--- a/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r2.ebuild
+++ b/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r2.ebuild,v 1.2 2004/11/28 11:47:54 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/win4lin-sources/win4lin-sources-2.6.9-r3.ebuild,v 1.1 2004/12/04 00:19:09 plasmaroo Exp $
ETYPE="sources"
inherit kernel-2
@@ -13,7 +13,8 @@ UNIPATCH_LIST="
${FILESDIR}/${P}.binfmt_elf.patch
${FILESDIR}/${P}.binfmt_a.out.patch
${FILESDIR}/${P}.smbfs.patch
- ${FILESDIR}/${P}.AF_UNIX.patch"
+ ${FILESDIR}/${P}.AF_UNIX.patch
+ ${FILESDIR}/${P}.vma.patch"
S=${WORKDIR}/linux-${KV}