oom: fix integer overflow of points in oom_badness (CVE-2011-4097)
svn path=/dists/sid/linux-2.6/; revision=18211
This commit is contained in:
parent
ed64a80b90
commit
53e89121b1
|
@ -32,6 +32,7 @@ linux-2.6 (3.0.0-6) UNRELEASED; urgency=low
|
|||
* Add empty files to trigger generation of kernel-image udebs
|
||||
* aufs: Update to aufs3.0-20111031 (Closes: #644687)
|
||||
* xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
|
||||
* oom: fix integer overflow of points in oom_badness (CVE-2011-4097)
|
||||
|
||||
-- Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Fri, 07 Oct 2011 15:48:22 +0200
|
||||
|
||||
|
|
54
debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
vendored
Normal file
54
debian/patches/bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
vendored
Normal file
|
@ -0,0 +1,54 @@
|
|||
From: Frantisek Hrbata <fhrbata@redhat.com>
|
||||
Subject: [PATCH v2] oom: fix integer overflow of points in oom_badness
|
||||
Date: Mon, 31 Oct 2011 16:56:09 +0100
|
||||
|
||||
An integer overflow will happen on 64bit archs if task's sum of rss, swapents
|
||||
and nr_ptes exceeds (2^31)/1000 value. This was introduced by commit
|
||||
|
||||
f755a04 oom: use pte pages in OOM score
|
||||
|
||||
where the oom score computation was divided into several steps and it's no
|
||||
longer computed as one expression in unsigned long(rss, swapents, nr_pte are
|
||||
unsigned long), where the result value assigned to points(int) is in
|
||||
range(1..1000). So there could be an int overflow while computing
|
||||
|
||||
176 points *= 1000;
|
||||
|
||||
and points may have negative value. Meaning the oom score for a mem hog task
|
||||
will be one.
|
||||
|
||||
196 if (points <= 0)
|
||||
197 return 1;
|
||||
For example:
|
||||
[ 3366] 0 3366 35390480 24303939 5 0 0 oom01
|
||||
Out of memory: Kill process 3366 (oom01) score 1 or sacrifice child
|
||||
|
||||
Here the oom1 process consumes more than 24303939(rss)*4096~=92GB physical
|
||||
memory, but it's oom score is one.
|
||||
|
||||
In this situation the mem hog task is skipped and oom killer kills another and
|
||||
most probably innocent task with oom score greater than one.
|
||||
|
||||
The points variable should be of type long instead of int to prevent the int
|
||||
overflow.
|
||||
|
||||
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
|
||||
---
|
||||
mm/oom_kill.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
diff --git a/mm/oom_kill.c b/mm/oom_kill.c
|
||||
index 626303b..e9a1785 100644
|
||||
--- a/mm/oom_kill.c
|
||||
+++ b/mm/oom_kill.c
|
||||
@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct task_struct *p,
|
||||
unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
|
||||
const nodemask_t *nodemask, unsigned long totalpages)
|
||||
{
|
||||
- int points;
|
||||
+ long points;
|
||||
|
||||
if (oom_unkillable_task(p, mem, nodemask))
|
||||
return 0;
|
||||
--
|
||||
1.7.6.4
|
||||
|
|
@ -14,3 +14,4 @@
|
|||
+ features/all/aufs2/mark-as-staging.patch
|
||||
+ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch
|
||||
+ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
|
||||
+ bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch
|
||||
|
|
Loading…
Reference in New Issue