[kernel] r13324 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Apr 4 01:14:41 UTC 2009


Author: dannf
Date: Sat Apr  4 01:14:40 2009
New Revision: 13324

Log:
copy_process: fix CLONE_PARENT && parent_exec_id interaction
(CVE-2009-0028)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Apr  4 01:14:40 2009
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.26-15lenny1) UNRELEASED; urgency=high
+
+  * copy_process: fix CLONE_PARENT && parent_exec_id interaction
+    (CVE-2009-0028)
+
+ -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
+
 linux-2.6 (2.6.26-15) stable; urgency=high
 
   * Switch out mips/llseek regression fix for the less invasive one

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch	Sat Apr  4 01:14:40 2009
@@ -0,0 +1,52 @@
+commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Mon Mar 2 22:58:45 2009 +0100
+
+    copy_process: fix CLONE_PARENT && parent_exec_id interaction
+    
+    CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we
+    re-use the old parent, we must also re-use ->parent_exec_id to make
+    sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed
+    task exits.
+    
+    Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place
+    two different cases together.
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Cc: Roland McGrath <roland at redhat.com>
+    Cc: Andrew Morton <akpm at linux-foundation.org>
+    Cc: David Howells <dhowells at redhat.com>
+    Cc: Serge E. Hallyn <serge at hallyn.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+diff -urpN linux-source-2.6.26.orig/kernel/fork.c linux-source-2.6.26/kernel/fork.c
+--- linux-source-2.6.26.orig/kernel/fork.c	2009-03-25 17:20:41.000000000 -0600
++++ linux-source-2.6.26/kernel/fork.c	2009-04-03 19:10:19.000000000 -0600
+@@ -1109,10 +1109,6 @@ static struct task_struct *copy_process(
+ #endif
+ 	clear_all_latency_tracing(p);
+ 
+-	/* Our parent execution domain becomes current domain
+-	   These must match for thread signalling to apply */
+-	p->parent_exec_id = p->self_exec_id;
+-
+ 	/* ok, now we should be set up.. */
+ 	p->exit_signal = (clone_flags & CLONE_THREAD) ? -1 : (clone_flags & CSIGNAL);
+ 	p->pdeath_signal = 0;
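Review bot: The comment removed here ("These must match for thread signalling to apply") is the only in-code explanation of why parent_exec_id is set at all, and it is deleted rather than moved along with the assignment. Suggest carrying an updated version of it down to the CLONE_PARENT block, saying what the commit message says: the child's parent_exec_id has to correspond to the task that ends up as its real_parent, so that exit_notify() compares the right exec ids.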
+@@ -1152,10 +1148,13 @@ static struct task_struct *copy_process(
+ 		set_task_cpu(p, smp_processor_id());
+ 
+ 	/* CLONE_PARENT re-uses the old parent */
+-	if (clone_flags & (CLONE_PARENT|CLONE_THREAD))
++	if (clone_flags & (CLONE_PARENT|CLONE_THREAD)) {
+ 		p->real_parent = current->real_parent;
+-	else
++		p->parent_exec_id = current->parent_exec_id;
++	} else {
+ 		p->real_parent = current;
++		p->parent_exec_id = current->self_exec_id;
++	}
+ 	p->parent = p->real_parent;
+ 
+ 	spin_lock(&current->sighand->siglock);
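Review bot: In the else branch the value now comes from current->self_exec_id, whereas the removed line used p->self_exec_id, yet the commit message describes this only as moving the assignment down. Please state in the message or in a comment that the two are equal at this point in copy_process(), or explain the change if it is intended. Separately, the retained comment "CLONE_PARENT re-uses the old parent" now heads a block that also runs for CLONE_THREAD and sets parent_exec_id as well as real_parent; it should be extended to mention both the flag and the inherited exec id.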

Added: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sat Apr  4 01:14:40 2009
@@ -0,0 +1 @@
++ bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch


