kernel vuln

marty goodoldmarty at gmail.com
Mon Feb 18 19:48:00 PST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.securityfocus.com/bid/27694

Linux Kernel 'tmpfs' filesystem Local Security Vulnerability
Bugtraq ID:  	 27694
CVE:  	 CVE-2007-6417

You can easily apply this patch manually with vi.

tmpfs was misconverted to __GFP_ZERO in 2.6.11.  There's an unusual case in
which shmem_getpage receives the page from its caller instead of allocating.
We must cover this case by clear_highpage before SetPageUptodate, as before.

Signed-off-by: Hugh Dickins <hugh at veritas.com>
- ---
Desirable in 2.6.23-stable and 2.6.22-stable and 2.6.16-stable
(and any other 2.6-stable if not already at end of life).

 mm/shmem.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

- --- 2.6.24-rc3-git/mm/shmem.c	2007-10-31 06:18:05.000000000 +0000
+++ linux/mm/shmem.c	2007-11-28 17:01:20.000000000 +0000
@@ -1072,7 +1072,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem
 	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
 	pvma.vm_pgoff = idx;
 	pvma.vm_end = PAGE_SIZE;
- -	page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
+	page = alloc_page_vma(gfp, &pvma, 0);
 	mpol_free(pvma.vm_policy);
 	return page;
 }
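Review bot: With `__GFP_ZERO` dropped from the `alloc_page_vma()` call, `shmem_alloc_page()` now hands back a page with its previous contents, and nothing at this site says so. Add a comment above the function (and above the non-NUMA variant in the next hunk) stating that the caller is responsible for clearing the page before marking it up to date. Also check every caller of `shmem_alloc_page()`, not only the `repeat:` path touched in the last hunk: a caller that relied on the allocator zeroing would now expose stale memory contents through tmpfs.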
@@ -1093,7 +1093,7 @@ shmem_swapin(struct shmem_inode_info *in
 static inline struct page *
 shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
 {
- -	return alloc_page(gfp | __GFP_ZERO);
+	return alloc_page(gfp);
 }
 #endif

@@ -1306,6 +1306,7 @@ repeat:

 		info->alloced++;
 		spin_unlock(&info->lock);
+		clear_highpage(filepage);
 		flush_dcache_page(filepage);
 		SetPageUptodate(filepage);
 	}
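Review bot: The added `clear_highpage(filepage);` has no comment explaining why the clear lives here instead of in the allocator. A one-line comment saying that `filepage` may have been supplied by the caller rather than allocated (the case the commit message describes) would stop someone from moving the zeroing back to `__GFP_ZERO` later. Placing it before `flush_dcache_page(filepage)` and `SetPageUptodate(filepage)` is the right order. Please confirm that no other path in this function marks a freshly allocated page up to date without passing through this line.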

Marty B.
- --
Putting Microsoft in a computer is like putting screen doors in a submarine.
Hopeless.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFHulFwodd/GHZYnVQRAlbSAJ4iSXLREZV+8UYiEcFOakNJSuZrdQCgoEh7
THcsF5XWDAAT+J3IuzztZPk=
=3zYN
-----END PGP SIGNATURE-----


