[kernel] r13438 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Apr 18 20:41:39 UTC 2009


Author: dannf
Date: Sat Apr 18 20:41:38 2009
New Revision: 13438

Log:
Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sat Apr 18 20:37:07 2009	(r13437)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sat Apr 18 20:41:38 2009	(r13438)
@@ -11,6 +11,7 @@
   * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-1265)
   * KVM: VMX: Don't allow uninhibited access to EFER on i386 (CVE-2009-1242)
   * exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
+  * Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 
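Review bot: the new changelog entry is the only one in this hunk without a subsystem prefix; the neighbouring entries all lead with one (`af_rose/x25:`, `KVM: VMX:`, `exit_notify:`). For consistency and so a reader can tell from the changelog alone that this touches the signal code, consider `* signal: Make 'kill sig -1' only apply to caller's namespace (CVE-2009-1338)`.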

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch	Sat Apr 18 20:41:38 2009	(r13438)
@@ -0,0 +1,36 @@
+commit d25141a818383b3c3b09f065698c544a7a0ec6e7
+Author: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+Date:   Wed Oct 29 14:01:11 2008 -0700
+
+    'kill sig -1' must only apply to caller's namespace
+    
+    Currently "kill <sig> -1" kills processes in all namespaces and breaks the
+    isolation of namespaces.  Earlier attempt to fix this was discussed at:
+    
+    	http://lkml.org/lkml/2008/7/23/148
+    
+    As suggested by Oleg Nesterov in that thread, use "task_pid_vnr() > 1"
+    check since task_pid_vnr() returns 0 if process is outside the caller's
+    namespace.
+    
+    Signed-off-by: Sukadev Bhattiprolu <sukadev at linux.vnet.ibm.com>
+    Acked-by: Eric W. Biederman <ebiederm at xmission.com>
+    Tested-by: Daniel Hokka Zakrisson <daniel at hozac.com>
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 105217d..4530fc6 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1144,7 +1144,8 @@ static int kill_something_info(int sig, struct siginfo *info, pid_t pid)
+ 		struct task_struct * p;
+ 
+ 		for_each_process(p) {
+-			if (p->pid > 1 && !same_thread_group(p, current)) {
++			if (task_pid_vnr(p) > 1 &&
++					!same_thread_group(p, current)) {
+ 				int err = group_send_sig_info(sig, info, p);
+ 				++count;
+ 				if (err != -EPERM)
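Review bot: the replacement condition `task_pid_vnr(p) > 1 && !same_thread_group(p, current)` in kill_something_info() relies on task_pid_vnr() returning 0 for tasks not visible from the caller's pid namespace, so those tasks are skipped, and on it returning 1 for that namespace's own init, so init is still protected exactly as the old `p->pid > 1` protected the global init; that reasoning lives only in the commit message, so a one-line comment above the `if` would help the next reader of this file. Two smaller points: the continuation line `!same_thread_group(p, current)) {` is indented two tabs deeper than the surrounding kernel style would normally use, and the backport carries no Debian patch header beyond the embedded upstream `commit d25141a8...` line, so the origin is recoverable but only if one knows to look at the first line.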

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sat Apr 18 20:37:07 2009	(r13437)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sat Apr 18 20:41:38 2009	(r13438)
@@ -7,3 +7,4 @@
 + bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
 + bugfix/x86/kvm-vmx-inhibit-EFER-access.patch
 + bugfix/all/exit_notify-kill-wrong-CAP_KILL-check.patch
++ bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch
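Review bot: the added series entry uses underscores (`limit_kill_sig_-1_to_callers_namespace.patch`) while the three entries above it use hyphenated names (`af_rose+x25-sanity-check-...`, `kvm-vmx-inhibit-EFER-access.patch`, `exit_notify-kill-wrong-CAP_KILL-check.patch`); the `_-1_` fragment in particular reads oddly. If the naming is to be made consistent, both the added file under bugfix/all and this series line need renaming together, since the entry must match the path on disk for the series to apply.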


