From 53e89121b1ed854095abbc6d69a554a5f83a3ebf Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 1 Nov 2011 14:47:10 +0000 Subject: [PATCH] oom: fix integer overflow of points in oom_badness (CVE-2011-4097) svn path=/dists/sid/linux-2.6/; revision=18211 --- debian/changelog | 1 + ...er-overflow-of-points-in-oom_badness.patch | 54 +++++++++++++++++++ debian/patches/series/6 | 1 + 3 files changed, 56 insertions(+) create mode 100644 debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch diff --git a/debian/changelog b/debian/changelog index 231a84c2c..4cce9fcff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -32,6 +32,7 @@ linux-2.6 (3.0.0-6) UNRELEASED; urgency=low * Add empty files to trigger generation of kernel-image udebs * aufs: Update to aufs3.0-20111031 (Closes: #644687) * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077) + * oom: fix integer overflow of points in oom_badness (CVE-2011-4097) -- Uwe Kleine-König Fri, 07 Oct 2011 15:48:22 +0200 diff --git a/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch b/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch new file mode 100644 index 000000000..6f8d02ab1 --- /dev/null +++ b/debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch @@ -0,0 +1,54 @@ +From: Frantisek Hrbata +Subject: [PATCH v2] oom: fix integer overflow of points in oom_badness +Date: Mon, 31 Oct 2011 16:56:09 +0100 + +An integer overflow will happen on 64bit archs if task's sum of rss, swapents +and nr_ptes exceeds (2^31)/1000 value. This was introduced by commit + +f755a04 oom: use pte pages in OOM score + +where the oom score computation was divided into several steps and it's no +longer computed as one expression in unsigned long(rss, swapents, nr_pte are +unsigned long), where the result value assigned to points(int) is in +range(1..1000). So there could be an int overflow while computing + +176 points *= 1000; + +and points may have negative value. Meaning the oom score for a mem hog task +will be one. + +196 if (points <= 0) +197 return 1; +For example: +[ 3366] 0 3366 35390480 24303939 5 0 0 oom01 +Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child + +Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical +memory, but it's oom score is one. + +In this situation the mem hog task is skipped and oom killer kills another and +most probably innocent task with oom score greater than one. + +The points variable should be of type long instead of int to prevent the int +overflow. + +Signed-off-by: Frantisek Hrbata +--- + mm/oom_kill.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 626303b..e9a1785 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct task_struct *p, + unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem, + const nodemask_t *nodemask, unsigned long totalpages) + { +- int points; ++ long points; + + if (oom_unkillable_task(p, mem, nodemask)) + return 0; +-- +1.7.6.4 + diff --git a/debian/patches/series/6 b/debian/patches/series/6 index 45ea7108c..a398fda87 100644 --- a/debian/patches/series/6 +++ b/debian/patches/series/6 @@ -14,3 +14,4 @@ + features/all/aufs2/mark-as-staging.patch + bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch + bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch ++ bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch