rpms/kernel/F-8 linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch, NONE, 1.1 kernel.spec, 1.547, 1.548

Chuck Ebbert cebbert at fedoraproject.org
Fri Oct 10 08:42:56 UTC 2008


Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27935

Modified Files:
	kernel.spec 
Added Files:
	linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch 
Log Message:
Fix possible oops in get_wchan()

linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch:

--- NEW FILE linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch ---
From: David Rientjes <rientjes at google.com>
Date: Tue, 7 Oct 2008 21:15:11 +0000 (-0700)
Subject: x86: avoid dereferencing beyond stack + THREAD_SIZE
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fx86%2Flinux-2.6-tip.git;a=commitdiff_plain;h=60e6258cd43f9b06884f04f0f7cefb9c40f17a32

x86: avoid dereferencing beyond stack + THREAD_SIZE

It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE
while iterating through instruction pointers if fp equals the upper boundary,
causing a kernel panic.

Signed-off-by: David Rientjes <rientjes at google.com>
Signed-off-by: Ingo Molnar <mingo at elte.hu>
---

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index e12e0e4..5a7c539 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -729,12 +729,12 @@ unsigned long get_wchan(struct task_struct *p)
 	if (!p || p == current || p->state==TASK_RUNNING)
 		return 0; 
 	stack = (unsigned long)task_stack_page(p);
-	if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE)
+	if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
 		return 0;
 	fp = *(u64 *)(p->thread.sp);
 	do { 
 		if (fp < (unsigned long)stack ||
-		    fp > (unsigned long)stack+THREAD_SIZE)
+		    fp >= (unsigned long)stack+THREAD_SIZE)
 			return 0; 
 		ip = *(u64 *)(fp+8);
 		if (!in_sched_functions(ip))
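Review bot: the tightened bound `fp >= (unsigned long)stack+THREAD_SIZE` keeps fp itself inside the stack page, but the read that follows is `ip = *(u64 *)(fp+8);`, so an fp in the last 8 bytes of the page (fp == stack+THREAD_SIZE-8 passes the new check) still dereferences 8 bytes beyond stack+THREAD_SIZE. The check should bound the whole frame that is read, e.g. `fp + 2*sizeof(u64) > (unsigned long)stack+THREAD_SIZE`, rather than only fp. The `p->thread.sp` check on the other changed line has the same shape: it feeds `fp = *(u64 *)(p->thread.sp);`, an 8-byte read, and `sp < stack+THREAD_SIZE` is only sufficient because sp is 8-byte aligned; a comment noting that assumption would help the next reader.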


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-8/kernel.spec,v
retrieving revision 1.547
retrieving revision 1.548
diff -u -r1.547 -r1.548
--- kernel.spec	9 Oct 2008 17:38:55 -0000	1.547
+++ kernel.spec	10 Oct 2008 08:42:25 -0000	1.548
@@ -590,6 +590,7 @@
 Patch99: linux-2.6-x86-intel-msr-backport.patch
 Patch100: linux-2.6-x86-pci-detect-end_bus_number.patch
 Patch102: linux-2.6-x86-improve-up-kernel-when-cpu-hotplug-and-smp.patch
+Patch103: linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch
 
 Patch120: linux-2.6-pci-disable-aspm-per-acpi-fadt-setting.patch
 Patch121: linux-2.6-pci-disable-aspm-on-pre-1.1-devices.patch
@@ -1035,6 +1036,8 @@
 ApplyPatch linux-2.6-x86-pci-detect-end_bus_number.patch
 # switch to UP mode with only 1 CPU present at boot
 ApplyPatch linux-2.6-x86-improve-up-kernel-when-cpu-hotplug-and-smp.patch
+# fix oops in get_wchan()
+ApplyPatch linux-2.6-x86-avoid-dereferencing-beyond-stack-THREAD_SIZE.patch
 
 # disable ASPM on devices that don't support it
 ApplyPatch linux-2.6-pci-disable-aspm-per-acpi-fadt-setting.patch
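Review bot: the comment `# fix oops in get_wchan()` would be easier to trace if it named the upstream commit being backported; the patch header's X-Git-Url carries the id 60e6258cd43f9b06884f04f0f7cefb9c40f17a32, so something like `# fix oops in get_wchan() (upstream 60e6258c)` lets a later maintainer check whether the stable series already contains it before the next rebase, matching how the neighbouring entries are annotated.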
@@ -1851,6 +1854,9 @@
 
 
 %changelog
+* Fri Oct 10 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.26.6-38
+- Fix possible oops in get_wchan()
+
 * Thu Oct 09 2008 Kyle McMartin <kyle at redhat.com> 2.6.26.6-37
 - add e1000e: write protect nvram to prevent corruption patch from upstream
 
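Review bot: the new changelog entry advances the package to 2.6.26.6-38, but none of the three hunks in this diff touches the release definition in the spec; confirm the release number was bumped in the same commit (or is derived from the changelog automatically), since otherwise the build reuses the -37 NVR from the previous entry.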



