[kernel] r9738 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Nov 25 21:36:10 UTC 2007
Author: dannf
Date: Sun Nov 25 21:36:10 2007
New Revision: 9738
Log:
* bugfix/wait_task_stopped-hang.patch
[SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
check p->exit_state instead avoiding a potential system hang
See CVE-2007-5500
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch5
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Sun Nov 25 21:36:10 2007
@@ -11,8 +11,12 @@
for a malicious frame to crash a system using a driver built on top of
the Linux 802.11 wireless code.
See CVE-2007-4997
+ * bugfix/wait_task_stopped-hang.patch
+ [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
+ check p->exit_state instead avoiding a potential system hang
+ See CVE-2007-5500
- -- dann frazier <dannf at debian.org> Sun, 11 Nov 2007 15:46:51 -0700
+ -- dann frazier <dannf at debian.org> Sun, 25 Nov 2007 13:41:20 -0700
linux-2.6 (2.6.18.dfsg.1-13etch4) stable-security; urgency=high
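Review bot: the wording of the added changelog entry is ambiguous where it reads "check p->exit_state instead avoiding a potential system hang"; a comma after "instead" would make clear that the new check is what avoids the hang. The entry cites CVE-2007-5500 but not the upstream commit that the patch header names (a3474224e6a01924be40a8255636ea5522c1023a). Adding that id would let someone reading only the changelog trace the fix to its origin.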
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/wait_task_stopped-hang.patch Sun Nov 25 21:36:10 2007
@@ -0,0 +1,38 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Wed, 14 Nov 2007 06:11:50 +0000 (-0800)
+Subject: wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+X-Git-Tag: v2.6.24-rc3~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a3474224e6a01924be40a8255636ea5522c1023a
+
+wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+
+The original meaning of the old test (p->state > TASK_STOPPED) was
+"not dead", since it was before TASK_TRACED existed and before the
+state/exit_state split. It was a wrong correction in commit
+14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
+TASK_TRACED instead. It should have been changed when TASK_TRACED
+was introducted and again when exit_state was introduced.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Cc: Oleg Nesterov <oleg at tv-sign.ru>
+Cc: Alexey Dobriyan <adobriyan at sw.ru>
+Cc: Kees Cook <kees at ubuntu.com>
+Acked-by: Scott James Remnant <scott at ubuntu.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/exit.c linux-source-2.6.18/kernel/exit.c
+--- linux-source-2.6.18.orig/kernel/exit.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/exit.c 2007-11-25 13:39:32.000000000 -0700
+@@ -1287,8 +1287,7 @@ static int wait_task_stopped(struct task
+ int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
+
+ exit_code = p->exit_code;
+- if (unlikely(!exit_code) ||
+- unlikely(p->state & TASK_TRACED))
++ if (unlikely(!exit_code) || unlikely(p->exit_state))
+ goto bail_ref;
+ return wait_noreap_copyout(p, pid, uid,
+ why, (exit_code << 8) | 0x7f,
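Review bot: the backport line "Adjusted to apply to Debian's 2.6.18 by dann frazier" in the patch header does not say what was adjusted relative to upstream commit a3474224e6a01924be40a8255636ea5522c1023a. For a security fix it helps to state whether only the context and line offsets around kernel/exit.c:1287 changed or whether the condition itself differs, so that the change to "unlikely(p->exit_state)" can be audited against upstream. The header also never mentions the hang or CVE-2007-5500, which only the Debian changelog records; a reference there would keep the patch file self-describing.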
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch5
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch5 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch5 Sun Nov 25 21:36:10 2007
@@ -2,3 +2,4 @@
+ bugfix/sysfs_readdir-NULL-deref-2.patch
+ bugfix/sysfs-fix-condition-check.patch
+ bugfix/ieee80211-underflow.patch
++ bugfix/wait_task_stopped-hang.patch