From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Mon, 6 Dec 2010 19:36:07 +0000 (-0800)
Subject: .27 patches
X-Git-Tag: v2.6.27.57~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ca475f212d8570c481403dda28fb485c081b35f;p=thirdparty%2Fkernel%2Fstable-queue.git

.27 patches
---

diff --git a/queue-2.6.27/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch b/queue-2.6.27/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
new file mode 100644
index 00000000000..d1ce18f49c8
--- /dev/null
+++ b/queue-2.6.27/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
@@ -0,0 +1,58 @@
+From cb4644cac4a2797afc847e6c92736664d4b0ea34 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jaxboe@fusionio.com>
+Date: Wed, 10 Nov 2010 14:36:25 +0100
+Subject: bio: take care not overflow page count when mapping/copying user data
+
+From: Jens Axboe <jaxboe@fusionio.com>
+
+commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
+
+If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
+to overflow, we could end up attempting to map a huge number of
+pages. Check for this invalid input type.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/bio.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -593,6 +593,12 @@ struct bio *bio_copy_user_iov(struct req
+ 		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		len += iov[i].iov_len;
+ 	}
+@@ -691,6 +697,12 @@ static struct bio *__bio_map_user_iov(st
+ 		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 
++		/*
++		 * Overflow, abort
++		 */
++		if (end < start)
++			return ERR_PTR(-EINVAL);
++
+ 		nr_pages += end - start;
+ 		/*
+ 		 * buffer must be aligned to at least hardsector size for now
+@@ -718,7 +730,7 @@ static struct bio *__bio_map_user_iov(st
+ 		unsigned long start = uaddr >> PAGE_SHIFT;
+ 		const int local_nr_pages = end - start;
+ 		const int page_limit = cur_page + local_nr_pages;
+-		
++
+ 		ret = get_user_pages_fast(uaddr, local_nr_pages,
+ 				write_to_vm, &pages[cur_page]);
+ 		if (ret < local_nr_pages) {
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 04f75f56cc5..c3b09e77fa1 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -11,3 +11,4 @@ ipc-shm-fix-information-leak-to-userland.patch
 sys_semctl-fix-kernel-stack-leakage.patch
 drivers-char-vt_ioctl.c-fix-vt_openqry-error-value.patch
 ecryptfs-clear-lookup_open-flag-when-creating-lower-file.patch
+bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch