[kernel] r8392 - in dists/etch/linux-2.6/debian: . patches/bugfix/all/vserver patches/series

Dann Frazier dannf at alioth.debian.org
Sun Mar 25 18:04:07 UTC 2007 

Author: dannf
Date: Sun Mar 25 17:04:06 2007
New Revision: 8392

Added:
   dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/
   dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
Modified:
   dists/etch/linux-2.6/debian/changelog
   dists/etch/linux-2.6/debian/patches/series/12-extra
Log:
* bugfix/all/vserver/cross-context-renice-fix.patch
  [SECURITY] Fix a vulnerability that permits renicing processes in
  other contexts.
  See CVE-2007-0241

Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog	(original)
+++ dists/etch/linux-2.6/debian/changelog	Sun Mar 25 17:04:06 2007
@@ -44,6 +44,10 @@
   * bugfix/bnx2_tx_avail-off-by-1-fix.patch
     Fix a panic in the bnx2 driver caused by an off-by-one error
     (closes: #410010)
+  * bugfix/all/vserver/cross-context-renice-fix.patch
+    [SECURITY] Fix a vulnerability that permits renicing processes in
+    other contexts.
+    See CVE-2007-0241
 
   [ Bastian Blank ]
   * xen: Fix highmem dma copy code. (closes: #415805)

Added: dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6/debian/patches/bugfix/all/vserver/cross-context-renice-fix.patch	Sun Mar 25 17:04:06 2007
@@ -0,0 +1,101 @@
+diff -urN source-i386-vserver.orig/include/linux/pid.h source-i386-vserver/include/linux/pid.h
+--- source-i386-vserver.orig/include/linux/pid.h	2007-03-24 10:01:05.000000000 -0600
++++ source-i386-vserver/include/linux/pid.h	2007-03-24 10:35:23.000000000 -0600
+@@ -92,29 +92,39 @@
+ extern struct pid *alloc_pid(void);
+ extern void FASTCALL(free_pid(struct pid *pid));
+ 
+-#define pid_next(task, type)					\
+-	((task)->pids[(type)].node.next)
+-
+-#define pid_next_task(task, type) 				\
+-	hlist_entry(pid_next(task, type), struct task_struct,	\
+-			pids[(type)].node)
+-
+-
+-/* We could use hlist_for_each_entry_rcu here but it takes more arguments
+- * than the do_each_task_pid/while_each_task_pid.  So we roll our own
+- * to preserve the existing interface.
+- */
+-#define do_each_task_pid(who, type, task)				\
+-	if ((task = find_task_by_pid_type(type, who))) {		\
+-		prefetch(pid_next(task, type));				\
+-		do {
+-
+-#define while_each_task_pid(who, type, task)				\
+-		} while (pid_next(task, type) &&  ({			\
+-				task = pid_next_task(task, type);	\
+-				rcu_dereference(task);			\
+-				prefetch(pid_next(task, type));		\
+-				1; }) );				\
+-	}
++static inline pid_t pid_nr(struct pid *pid)
++{
++	pid_t nr = 0;
++	if (pid)
++		nr = pid->nr;
++	return nr;
++}
++
++
++#define do_each_task_pid(who, type, task)					\
++	do {									\
++		struct hlist_node *pos___;					\
++		struct pid *pid___ = find_pid(who);				\
++		if (pid___ != NULL)						\
++			hlist_for_each_entry_rcu((task), pos___,		\
++			&pid___->tasks[type], pids[type].node)	\
++		if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_task_pid(who, type, task)					\
++			}							\
++	} while (0)
++
++
++#define do_each_pid_task(pid, type, task)					\
++	do {									\
++		struct hlist_node *pos___;					\
++		if (pid != NULL)						\
++			hlist_for_each_entry_rcu((task), pos___,		\
++			&pid->tasks[type], pids[type].node)	\
++		if (vx_check((task)->xid, VX_ADMIN|VX_IDENT)) {
++
++#define while_each_pid_task(pid, type, task)					\
++			}							\
++	} while (0)
+ 
+ #endif /* _LINUX_PID_H */
+diff -urN source-i386-vserver.orig/kernel/pid.c source-i386-vserver/kernel/pid.c
+--- source-i386-vserver.orig/kernel/pid.c	2007-03-24 10:01:05.000000000 -0600
++++ source-i386-vserver/kernel/pid.c	2007-03-24 10:26:32.000000000 -0600
+@@ -256,6 +256,9 @@
+ struct task_struct * fastcall pid_task(struct pid *pid, enum pid_type type)
+ {
+ 	struct task_struct *result = NULL;
++
++	if (type == PIDTYPE_REALPID)
++		type = PIDTYPE_PID;
+ 	if (pid) {
+ 		struct hlist_node *first;
+ 		first = rcu_dereference(pid->tasks[type].first);
+@@ -278,11 +281,17 @@
+  */
+ struct task_struct *find_task_by_pid_type(int type, int nr)
+ {
++	struct task_struct *task;
++
+ 	if (type == PIDTYPE_PID)
+ 		nr = vx_rmap_pid(nr);
+-	else if (type == PIDTYPE_REALPID)
+-		type = PIDTYPE_PID;
+-	return pid_task(find_pid(nr), type);
++
++	task = pid_task(find_pid(nr), type);
++	if (task && (type != PIDTYPE_REALPID) &&
++		/* maybe VX_WATCH_P in the future? */
++		!vx_check(task->xid, VX_WATCH|VX_IDENT))
++		return NULL;
++	return task;
+ }
+ 
+ EXPORT_SYMBOL(find_task_by_pid_type);

Modified: dists/etch/linux-2.6/debian/patches/series/12-extra
==============================================================================
--- dists/etch/linux-2.6/debian/patches/series/12-extra	(original)
+++ dists/etch/linux-2.6/debian/patches/series/12-extra	Sun Mar 25 17:04:06 2007
@@ -1 +1,2 @@
 + bugfix/all/xen/swiotlb-highmem-copy.patch *_xen *_xen-vserver
++ bugfix/all/vserver/cross-context-renice-fix.patch *_vserver *_xen-vserver

More information about the Kernel-svn-changes mailing list