[kernel] r13438 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Apr 18 20:41:39 UTC 2009
Author: dannf
Date: Sat Apr 18 20:41:38 2009
New Revision: 13438
Log:
Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Apr 18 20:37:07 2009 (r13437)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Apr 18 20:41:38 2009 (r13438)
@@ -11,6 +11,7 @@
* af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
* KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
* exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
+ * Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch Sat Apr 18 20:41:38 2009 (r13438)
@@ -0,0 +1,36 @@
+commit d25141a818383b3c3b09f065698c544a7a0ec6e7
+Author: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+Date: Wed Oct 29 14:01:11 2008 -0700
+
+ 'kill sig -1' must only apply to caller's namespace
+
+ Currently "kill <sig> -1" kills processes in all namespaces and breaks the
+ isolation of namespaces. Earlier attempt to fix this was discussed at:
+
+ http://lkml.org/lkml/2008/7/23/148
+
+ As suggested by Oleg Nesterov in that thread, use "task_pid_vnr() > 1"
+ check since task_pid_vnr() returns 0 if process is outside the caller's
+ namespace.
+
+ Signed-off-by: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+ Acked-by: Eric W. Biederman <ebiederm at xmission.com>
+ Tested-by: Daniel Hokka Zakrisson <daniel at hozac.com>
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 105217d..4530fc6 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1144,7 +1144,8 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
+ struct task_struct * p;
+
+ for_each_process(p) {
+- if (p->pid > 1 && !same_thread_group(p, current)) {
++ if (task_pid_vnr(p) > 1 &&
++ !same_thread_group(p, current)) {
+ int err = group_send_sig_info(sig, info, p);
+ ++count;
+ if (err != -EPERM)
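Review bot: the new condition in the kill_something_info hunk, `task_pid_vnr(p) > 1`, skips both tasks outside the caller's pid namespace (task_pid_vnr() returns 0 for them, as the commit message notes) and the caller's own namespace init (vnr 1), which preserves the old "pid > 1" exclusion of init while closing the cross-namespace leak; tasks in descendant namespaces still have a non-zero vnr from the caller's view and remain signalled, which is the intended isolation boundary. The patch header carries only the upstream commit id; consider adding a reference to CVE-2009-1338 in the patch file itself so the fix stays traceable without consulting the changelog.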
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sat Apr 18 20:37:07 2009 (r13437)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sat Apr 18 20:41:38 2009 (r13438)
@@ -7,3 +7,4 @@
+ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
+ bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
+ bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
++ bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
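Review bot: the series entry name matches the added file path exactly and is appended after the three preceding CVE fixes, in the same order as the changelog hunk, so no ordering or naming issue here.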