rpms/kernel/FC-4 linux-2.6-vm-invalidate_inode_pages2-DoS.patch, NONE, 1.1 kernel-2.6.spec, 1.1514, 1.1515

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Nov 23 20:24:37 UTC 2005


Author: davej

Update of /cvs/dist/rpms/kernel/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv991

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-vm-invalidate_inode_pages2-DoS.patch 
Log Message:
32bit integer overflow in invalidate_inode_pages2() (local DoS)



linux-2.6-vm-invalidate_inode_pages2-DoS.patch:
 truncate.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

--- NEW FILE linux-2.6-vm-invalidate_inode_pages2-DoS.patch ---

Subject: 32bit integer overflow in invalidate_inode_pages2() (local DoS)

Hello!

   Today, while looking for a way to do an atomic page-unmap + removal of a page from
   the page cache, I found a 32 bit integer overflow in invalidate_inode_pages2_range.
   The attached program demonstrates the problem (on x86 with 2.6.14
   I quickly get a SOFT Lockup trace and after a few seconds the entire
   userspace locks up (not sure why)).
   It seems that all 2.6 kernels have the same problem; 2.6.5 has similar
   (though not identical) code.

   Please consider this patch below:

--- linux-2.6.14/mm/truncate.c.orig	2005-11-23 16:34:21.000000000 +0200
+++ linux-2.6.14/mm/truncate.c	2005-11-23 16:37:18.000000000 +0200
@@ -291,8 +291,8 @@
 					 * Zap the rest of the file in one hit.
 					 */
 					unmap_mapping_range(mapping,
-					    page_index << PAGE_CACHE_SHIFT,
-					    (end - page_index + 1)
+					   (loff_t)page_index<<PAGE_CACHE_SHIFT,
+					   (loff_t)(end - page_index + 1)
 							<< PAGE_CACHE_SHIFT,
 					    0);
 					did_range_unmap = 1;
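Review bot: the cast sits in the right place, before the shift: `(loff_t)page_index<<PAGE_CACHE_SHIFT` widens `page_index` to 64 bits so the shift cannot wrap, whereas a cast applied to the shifted result would only widen a value that has already been truncated to 32 bits and would fix nothing; the length argument `(loff_t)(end - page_index + 1) << PAGE_CACHE_SHIFT` is handled the same way. Two style nits: the replaced lines are indented one column less than the context lines around them, so the unchanged `<< PAGE_CACHE_SHIFT` continuation no longer aligns, and `<<` has lost the spaces the original kept around it.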
@@ -301,8 +301,8 @@
 					 * Just zap this page
 					 */
 					unmap_mapping_range(mapping,
-					  page_index << PAGE_CACHE_SHIFT,
-					  PAGE_CACHE_SIZE, 0);
+					  (loff_t)page_index<<PAGE_CACHE_SHIFT,
+					  PAGE_CACHE_SIZE, 0);
 				}
 			}
 			was_dirty = test_clear_page_dirty(page);
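Review bot: consistent with the range case above for the single-page path; only the offset needed widening here, since the length `PAGE_CACHE_SIZE` is a single page and fits comfortably in 32 bits, so leaving it uncast is correct. The same missing spaces around `<<` as in the first hunk apply.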


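As an added example (not code from the submitted patch or the Fedora commit), the three shift forms side by side: the pre-patch expression, the tempting cast-after-shift variant that does not help, and the patched cast-before-shift. The 32-bit kernel types are emulated with fixed-width integers and the page shift is assumed to be 12 as a stand-in for PAGE_CACHE_SHIFT.

```c
/*
 * Added example, not from the submitted patch or the Fedora commit. It
 * models the 32-bit kernel arithmetic with fixed-width types so it behaves
 * the same on any host: page_index is uint32_t (a 32-bit pgoff_t), loff_t
 * is int64_t, and the page shift is assumed to be 12 (4 KiB pages) as a
 * stand-in for PAGE_CACHE_SHIFT.
 */
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_PAGE_SHIFT 12 /* assumed stand-in for PAGE_CACHE_SHIFT */

/* Pre-patch: the shift is done in the 32-bit type of page_index and the
 * already-wrapped result is only then widened to the loff_t parameter. */
static int64_t offset_unpatched(uint32_t page_index)
{
    uint32_t shifted = page_index << EXAMPLE_PAGE_SHIFT; /* wraps mod 2^32 */
    return (int64_t)shifted;
}

/* Tempting but wrong: casting the shifted value instead of the operand
 * widens a result that has already lost its high bits. */
static int64_t offset_cast_after_shift(uint32_t page_index)
{
    return (int64_t)(page_index << EXAMPLE_PAGE_SHIFT);
}

/* The patch: widen the operand first, so the shift happens in 64 bits.
 * The range length (end - page_index + 1) in the first hunk is cast the
 * same way before its shift. */
static int64_t offset_patched(uint32_t page_index)
{
    return (int64_t)page_index << EXAMPLE_PAGE_SHIFT;
}

/* 1 when the 32-bit offset for this index disagrees with the 64-bit one. */
static int offset_wraps(uint32_t page_index)
{
    return offset_unpatched(page_index) != offset_patched(page_index);
}

int main(void)
{
    uint32_t idx = UINT32_C(1) << 20; /* the page at file offset 4 GiB */
    printf("index %#x: unpatched %#llx, cast-after %#llx, patched %#llx\n",
           idx, (unsigned long long)offset_unpatched(idx),
           (unsigned long long)offset_cast_after_shift(idx),
           (unsigned long long)offset_patched(idx));
    return 0;
}
```

Any index at or above 1 << 20 with 4 KiB pages wraps in the unpatched form, so the offset handed to the unmap routine no longer matches the page being invalidated.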


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-4/kernel-2.6.spec,v
retrieving revision 1.1514
retrieving revision 1.1515
diff -u -r1.1514 -r1.1515
--- kernel-2.6.spec	23 Nov 2005 20:21:15 -0000	1.1514
+++ kernel-2.6.spec	23 Nov 2005 20:24:33 -0000	1.1515
@@ -362,6 +362,7 @@
 # VM bits.
 Patch2000: linux-2.6-vm-oomkiller-debugging.patch
 Patch2001: linux-2.6-vm-silence-atomic-alloc-failures.patch
+Patch2002: linux-2.6-vm-invalidate_inode_pages2-DoS.patch
 
 
 #
@@ -809,6 +810,8 @@
 %patch2000 -p1
 # Silence GFP_ATOMIC failures.
 %patch2001 -p1
+# Fix 32bit integer overflow in invalidate_inode_pages2()
+%patch2002 -p1
 
 #
 # Patches 5000 to 6000 are reserved for new drivers that are about to
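Review bot: the comment `# Fix 32bit integer overflow in invalidate_inode_pages2()` names the public entry point, while the lines changed in mm/truncate.c belong to invalidate_inode_pages2_range(), which the submitter's note identifies as the function with the overflow; naming the function actually patched here makes the spec easier to match against the patch file.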
@@ -1252,6 +1255,9 @@
 %endif
 
 %changelog
+* Wed Nov 23 2005 Dave Jones <davej at redhat.com> [2.6.14-1.1642_FC4]
+- Fix 32bit integer overflow in invalidate_inode_pages2() (local DoS)
+
 * Wed Nov 23 2005 Dave Jones <davej at redhat.com> [2.6.14-1.1641_FC4]
 - Merge patches likely to end up in 2.6.14.3
 