[kernel] r13332 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Apr 4 21:39:56 UTC 2009
Author: dannf
Date: Sat Apr 4 21:39:54 2009
New Revision: 13332
Log:
shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
This issue does not affect pre-built Debian kernels.
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog (original)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Apr 4 21:39:54 2009
@@ -6,6 +6,8 @@
(CVE-2009-0787)
* [amd64] syscall-audit: fix 32/64 syscall hole (CVE-2009-0834)
* seccomp: fix 32/64 syscall hole (CVE-2009-0835)
+ * shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
+ This issue does not effect pre-build Debian kernels.
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
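Review bot: The added changelog line "This issue does not effect pre-build Debian kernels." has two wording slips and should read "does not affect pre-built Debian kernels". The entry would also be more useful if it said which configuration is affected: the fix only matters for kernels built with !CONFIG_SHMEM, so anyone rebuilding this source with a custom config can tell from the changelog whether they need it.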
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch Sat Apr 4 21:39:54 2009
@@ -0,0 +1,46 @@
+commit a68e61e8ff2d46327a37b69056998b47745db6fa
+Author: Tony Battersby <tonyb at cybernetics.com>
+Date: Wed Feb 4 15:12:04 2009 -0800
+
+ shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
+
+ shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
+ which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
+ ramfs_get_inode() vs. mm/shmem.c: shmem_get_inode()).
+
+ This bad assumption can cause shmctl(SHM_INFO) to lockup when
+ shm_get_stat() tries to spin_lock(&info->lock). Users of !CONFIG_SHMEM
+ may encounter this lockup simply by invoking the 'ipcs' command.
+
+ Reported by Jiri Olsa back in February 2008:
+ http://lkml.org/lkml/2008/2/29/74
+
+ Signed-off-by: Tony Battersby <tonyb at cybernetics.com>
+ Cc: Jiri Kosina <jkosina at suse.cz>
+ Reported-by: Jiri Olsa <olsajiri at gmail.com>
+ Cc: Hugh Dickins <hugh at veritas.com>
+ Cc: <stable at kernel.org> [2.6.everything]
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org
+
+diff -urpN linux-source-2.6.26.orig/ipc/shm.c linux-source-2.6.26/ipc/shm.c
+--- linux-source-2.6.26.orig/ipc/shm.c 2009-03-25 17:20:41.000000000 -0600
++++ linux-source-2.6.26/ipc/shm.c 2009-04-04 15:13:27.000000000 -0600
+@@ -579,11 +579,15 @@ static void shm_get_stat(struct ipc_name
+ struct address_space *mapping = inode->i_mapping;
+ *rss += (HPAGE_SIZE/PAGE_SIZE)*mapping->nrpages;
+ } else {
++#ifdef CONFIG_SHMEM
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ spin_lock(&info->lock);
+ *rss += inode->i_mapping->nrpages;
+ *swp += info->swapped;
+ spin_unlock(&info->lock);
++#else
++ *rss += inode->i_mapping->nrpages;
++#endif
+ }
+
+ total++;
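Review bot: The new #else branch in shm_get_stat() adds to *rss without taking any lock and never touches *swp, and nothing in the code says why. A short comment in that branch would help, noting that with !CONFIG_SHMEM the inode comes from ramfs_get_inode() and is not a struct shmem_inode_info, so SHMEM_I(inode), info->lock and info->swapped must not be used. That keeps a later cleanup from folding the two branches back together and reintroducing the lockup. Separately, the attribution line "Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org" in the patch header is missing its closing ">".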
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 (original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sat Apr 4 21:39:54 2009
@@ -3,3 +3,4 @@
+ bugfix/all/ecryptfs-allocate-a-variable-number-of-pages-for-file-headers.patch
+ bugfix/x86/syscall-audit-fix-32+64-syscall-hole.patch
+ bugfix/all/seccomp-fix-32+64-syscall-hole.patch
++ bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
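Review bot: The new series entry names a file with parentheses in it, shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch, which has to be quoted or escaped whenever it is handled in a shell. The neighbouring entries avoid special characters (their changelog titles say "32/64" but the filenames use "32+64"), so a name such as shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch would be consistent with them and safer for scripts that walk the series file.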