[kernel] r9738 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Sun Nov 25 21:36:10 UTC 2007

Author: dannf
Date: Sun Nov 25 21:36:10 2007
New Revision: 9738

Log:
* bugfix/wait_task_stopped-hang.patch
  [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
  check p->exit_state instead avoiding a potential system hang
  See CVE-2007-5500

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch5

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Sun Nov 25 21:36:10 2007
@@ -11,8 +11,12 @@
     for a malicious frame to crash a system using a driver built on top of
     the Linux 802.11 wireless code.
     See CVE-2007-4997
+  * bugfix/wait_task_stopped-hang.patch
+    [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
+    check p->exit_state instead avoiding a potential system hang
+    See CVE-2007-5500
 
- -- dann frazier <dannf at debian.org>  Sun, 11 Nov 2007 15:46:51 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 25 Nov 2007 13:41:20 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch4) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch	Sun Nov 25 21:36:10 2007
@@ -0,0 +1,38 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Wed, 14 Nov 2007 06:11:50 +0000 (-0800)
+Subject: wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+X-Git-Tag: v2.6.24-rc3~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a3474224e6a01924be40a8255636ea5522c1023a
+
+wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+
+The original meaning of the old test (p->state > TASK_STOPPED) was
+"not dead", since it was before TASK_TRACED existed and before the
+state/exit_state split.  It was a wrong correction in commit
+14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
+TASK_TRACED instead.  It should have been changed when TASK_TRACED
+was introducted and again when exit_state was introduced.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Cc: Oleg Nesterov <oleg at tv-sign.ru>
+Cc: Alexey Dobriyan <adobriyan at sw.ru>
+Cc: Kees Cook <kees at ubuntu.com>
+Acked-by: Scott James Remnant <scott at ubuntu.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/exit.c linux-source-2.6.18/kernel/exit.c
+--- linux-source-2.6.18.orig/kernel/exit.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/exit.c	2007-11-25 13:39:32.000000000 -0700
+@@ -1287,8 +1287,7 @@ static int wait_task_stopped(struct task
+ 		int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
+ 
+ 		exit_code = p->exit_code;
+-		if (unlikely(!exit_code) ||
+-		    unlikely(p->state & TASK_TRACED))
++		if (unlikely(!exit_code) || unlikely(p->exit_state))
+ 			goto bail_ref;
+ 		return wait_noreap_copyout(p, pid, uid,
+ 					   why, (exit_code << 8) | 0x7f,

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch5
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch5	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch5	Sun Nov 25 21:36:10 2007
@@ -2,3 +2,4 @@
 + bugfix/sysfs_readdir-NULL-deref-2.patch
 + bugfix/sysfs-fix-condition-check.patch
 + bugfix/ieee80211-underflow.patch
++ bugfix/wait_task_stopped-hang.patch

