[kernel] r14152 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 20 20:38:24 UTC 2009


Author: dannf
Date: Thu Aug 20 20:38:22 2009
New Revision: 14152

Log:
execve: must clear current->clear_child_tid (CVE-2009-2848)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch
      - copied, changed from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/24etch4

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Thu Aug 20 20:29:33 2009	(r14151)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Aug 20 20:38:22 2009	(r14152)
@@ -3,6 +3,7 @@
   * [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
   * do_sigaltstack: avoid copying 'stack_t' as a structure to user space
     (CVE-2009-2847)
+  * execve: must clear current->clear_child_tid (CVE-2009-2848)
 
  -- dann frazier <dannf at debian.org>  Thu, 20 Aug 2009 14:20:23 -0600
 

Copied and modified: dists/etch-security/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch (from r14148, dists/lenny/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch)
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch	Thu Aug 20 14:32:46 2009	(r14148, copy source)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/execve-must-clear-current-clear_child_tid.patch	Thu Aug 20 20:38:22 2009	(r14152)
@@ -85,21 +85,19 @@
     Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
 
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 466531e..021e113 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -568,18 +568,18 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm)
- 	 * the value intact in a core dump, and to save the unnecessary
- 	 * trouble otherwise.  Userland only wants this done for a sys_exit.
- 	 */
--	if (tsk->clear_child_tid
--	    && !(tsk->flags & PF_SIGNALED)
--	    && atomic_read(&mm->mm_users) > 1) {
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/fork.c linux-source-2.6.18/kernel/fork.c
+--- linux-source-2.6.18.orig/kernel/fork.c	2009-08-15 12:05:16.000000000 -0600
++++ linux-source-2.6.18/kernel/fork.c	2009-08-20 14:35:30.000000000 -0600
+@@ -439,16 +439,17 @@ void mm_release(struct task_struct *tsk,
+ 		tsk->vfork_done = NULL;
+ 		complete(vfork_done);
+ 	}
+-	if (tsk->clear_child_tid && atomic_read(&mm->mm_users) > 1) {
 -		u32 __user * tidptr = tsk->clear_child_tid;
 +	if (tsk->clear_child_tid) {
-+		if (!(tsk->flags & PF_SIGNALED) &&
-+		    atomic_read(&mm->mm_users) > 1) {
++		if (atomic_read(&mm->mm_users) > 1) {
 +			/*
 +			 * We don't check the error code - if userspace has
 +			 * not set up a proper pointer then tough luck.
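Review bot: The backport drops upstream's `!(tsk->flags & PF_SIGNALED)` test from the inner condition, and the only annotation is the one-line "Backported to Debian's 2.6.18" note, which does not say why. The removed 2.6.18 line `if (tsk->clear_child_tid && atomic_read(&mm->mm_users) > 1) {` shows this tree never had that test, so the omission looks deliberate, but the note should state it so that someone comparing against the lenny patch does not read it as a lost check. The excerpt also stops inside the comment: please confirm in the full patch that the clearing of `clear_child_tid` named in the subject sits under the outer `if (tsk->clear_child_tid)` and outside the inner `mm_users > 1` test, so that it is not skipped when the mm has a single user.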

Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch4
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch4	Thu Aug 20 20:29:33 2009	(r14151)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch4	Thu Aug 20 20:38:22 2009	(r14152)
@@ -1,3 +1,4 @@
 + bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch
 + bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch
 + bugfix/all/do_sigaltstack-small-cleanups.patch
++ bugfix/all/execve-must-clear-current-clear_child_tid.patch


