[kernel] r11047 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sat Apr 5 00:19:46 UTC 2008 

Author: dannf
Date: Sat Apr  5 00:19:45 2008
New Revision: 11047

Log:
bugfix/RLIMIT_CPU-earlier-checking.patch
[SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
to prevent a user escape (closes: #419706)
See CVE-2008-1294

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/RLIMIT_CPU-earlier-checking.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/18etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Sat Apr  5 00:19:45 2008
@@ -8,8 +8,12 @@
     [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
     a fault handler but do not bounds check the offset argument
     See CVE-2008-0007
+  * bugfix/RLIMIT_CPU-earlier-checking.patch
+    [SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
+    to prevent a user escape (closes: #419706)
+    See CVE-2008-1294
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 22:21:27 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 04 Apr 2008 18:10:38 -0600
 
 linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/RLIMIT_CPU-earlier-checking.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/RLIMIT_CPU-earlier-checking.patch	Sat Apr  5 00:19:45 2008
@@ -0,0 +1,80 @@
+commit 9926e4c74300c4b31dee007298c6475d33369df0
+Author: Tom Alsberg <alsbergt at cs.huji.ac.il>
+Date:   Tue May 8 00:30:31 2007 -0700
+
+    CPU time limit patch / setrlimit(RLIMIT_CPU, 0) cheat fix
+    
+    As discovered here today, the change in Kernel 2.6.17 intended to inhibit
+    users from setting RLIMIT_CPU to 0 (as that is equivalent to unlimited) by
+    "cheating" and setting it to 1 in such a case, does not make a difference,
+    as the check is done in the wrong place (too late), and only applies to the
+    profiling code.
+    
+    On all systems I checked running kernels above 2.6.17, no matter what the
+    hard and soft CPU time limits were before, a user could escape them by
+    issuing in the shell (sh/bash/zsh) "ulimit -t 0", and then the user's
+    process was not ever killed.
+    
+    Attached is a trivial patch to fix that.  Simply moving the check to a
+    slightly earlier location (specifically, before the line that actually
+    assigns the limit - *old_rlim = new_rlim), does the trick.
+    
+    Do note that at least the zsh (but not ash, dash, or bash) shell has the
+    problem of "caching" the limits set by the ulimit command, so when running
+    zsh the fix will not immediately be evident - after entering "ulimit -t 0",
+    "ulimit -a" will show "-t: cpu time (seconds) 0", even though the actual
+    limit as returned by getrlimit(...) will be 1.  It can be verified by
+    opening a subshell (which will not have the values of the parent shell in
+    cache) and checking in it, or just by running a CPU intensive command like
+    "echo '65536^1048576' | bc" and verifying that it dumps core after one
+    second.
+    
+    Regardless of whether that is a misfeature in the shell, perhaps it would
+    be better to return -EINVAL from setrlimit in such a case instead of
+    cheating and setting to 1, as that does not really reflect the actual state
+    of the process anymore.  I do not however know what the ground for that
+    decision was in the original 2.6.17 change, and whether there would be any
+    "backward" compatibility issues, so I preferred not to touch that right
+    now.
+    
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/sys.c linux-source-2.6.18/kernel/sys.c
+--- linux-source-2.6.18.orig/kernel/sys.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/sys.c	2008-04-04 18:04:09.000000000 -0600
+@@ -1807,6 +1807,16 @@ asmlinkage long sys_setrlimit(unsigned i
+ 	if (retval)
+ 		return retval;
+ 
++	if (resource == RLIMIT_CPU && new_rlim.rlim_cur == 0) {
++		/*
++		 * The caller is asking for an immediate RLIMIT_CPU
++		 * expiry.  But we use the zero value to mean "it was
++		 * never set".  So let's cheat and make it one second
++		 * instead
++		 */
++		new_rlim.rlim_cur = 1;
++	}
++
+ 	task_lock(current->group_leader);
+ 	*old_rlim = new_rlim;
+ 	task_unlock(current->group_leader);
+@@ -1828,15 +1838,6 @@ asmlinkage long sys_setrlimit(unsigned i
+ 		unsigned long rlim_cur = new_rlim.rlim_cur;
+ 		cputime_t cputime;
+ 
+-		if (rlim_cur == 0) {
+-			/*
+-			 * The caller is asking for an immediate RLIMIT_CPU
+-			 * expiry.  But we use the zero value to mean "it was
+-			 * never set".  So let's cheat and make it one second
+-			 * instead
+-			 */
+-			rlim_cur = 1;
+-		}
+ 		cputime = secs_to_cputime(rlim_cur);
+ 		read_lock(&tasklist_lock);
+ 		spin_lock_irq(&current->sighand->siglock);

Modified: dists/etch-security/linux-2.6/debian/patches/series/18etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/18etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch2	Sat Apr  5 00:19:45 2008
@@ -1,2 +1,3 @@
 + bugfix/powerpc-chrp-null-deref.patch
 + bugfix/mmap-VM_DONTEXPAND.patch
++ bugfix/RLIMIT_CPU-earlier-checking.patch

More information about the Kernel-svn-changes mailing list