[kernel] r14715 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 3 02:34:16 UTC 2009
Author: dannf
Date: Thu Dec 3 02:34:15 2009
New Revision: 14715
Log:
Avoid /proc/$pid/maps visibility during initial setuid ELF loading
(CVE-2009-2691)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/21
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Dec 3 01:48:39 2009 (r14714)
+++ dists/lenny/linux-2.6/debian/changelog Thu Dec 3 02:34:15 2009 (r14715)
@@ -30,6 +30,8 @@
* isdn: hfc_usb: Fix read buffer overflow (CVE-2009-4005)
* fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
* hpilo: new PCI ID (Closes: #559064)
+ * Avoid /proc/$pid/maps visibility during initial setuid ELF loading
+ (CVE-2009-2691)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 24 Oct 2009 23:45:45 +0100
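Review bot: the new changelog bullet has no subsystem prefix, unlike the neighbouring entries (isdn:, fuse:, hpilo:), so a reader cannot tell which code is touched without opening the patch. Consider prefixing it with the area changed, for example "procfs:", since the added patch modifies fs/exec.c and fs/proc/base.c.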
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch Thu Dec 3 02:34:15 2009 (r14715)
@@ -0,0 +1,59 @@
+kernel: /proc/$pid/maps visible during initial setuid ELF loading
+
+Description of problem:
+From Kees Cook: Steve Beattie and I noticed that the /proc/$pid/maps and smaps
+files are readable during ELF loading for processes that a user should not
+normally be able to see (for example, when launching a setuid process).
+
+Oleg Nesterov wrote the original version of this patch and Clark Williams
+slighly modified it.
+
+Author: Oleg Nesterov <onestero at redhat.com>
+Signed-off-by: Clark Williams <williams at redhat.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/exec.c linux-source-2.6.26/fs/exec.c
+--- linux-source-2.6.26.orig/fs/exec.c 2009-10-23 16:53:12.000000000 -0600
++++ linux-source-2.6.26/fs/exec.c 2009-12-02 13:18:15.000000000 -0700
+@@ -355,6 +355,7 @@ int bprm_mm_init(struct linux_binprm *bp
+ if (err)
+ goto err;
+
++ mm->flags |= MMF_IN_EXEC;
+ return 0;
+
+ err:
+@@ -1103,6 +1104,7 @@ void compute_creds(struct linux_binprm *
+ task_lock(current);
+ unsafe = unsafe_exec(current);
+ security_bprm_apply_creds(bprm, unsafe);
++ clear_bit(MMF_IN_EXEC, ¤t->mm->flags);
+ task_unlock(current);
+ security_bprm_post_apply_creds(bprm);
+ }
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/proc/base.c 2009-12-02 13:18:15.000000000 -0700
+@@ -251,7 +251,8 @@ struct mm_struct *mm_for_maps(struct tas
+ task_lock(task);
+ if (task->mm != mm)
+ goto out;
+- if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
++ if (task->mm != current->mm && ((mm->flags & MMF_IN_EXEC) ||
++ __ptrace_may_attach(task) < 0))
+ goto out;
+ task_unlock(task);
+ return mm;
+diff -urpN linux-source-2.6.26.orig/include/linux/sched.h linux-source-2.6.26/include/linux/sched.h
+--- linux-source-2.6.26.orig/include/linux/sched.h 2009-10-23 16:53:12.000000000 -0600
++++ linux-source-2.6.26/include/linux/sched.h 2009-12-02 13:18:15.000000000 -0700
+@@ -395,6 +395,8 @@ extern int get_dumpable(struct mm_struct
+ #define MMF_DUMP_SECURELY 1 /* core file is readable only by root */
+ #define MMF_DUMPABLE_BITS 2
+
++#define MMF_IN_EXEC 4 /* Not sure we can use 4 .... */
++
+ /* coredump filter bits */
+ #define MMF_DUMP_ANON_PRIVATE 2
+ #define MMF_DUMP_ANON_SHARED 3
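Review bot: MMF_IN_EXEC is used as a bit mask in two places and as a bit number in a third, so the bit that is set is not the bit that is cleared. In bprm_mm_init, "mm->flags |= MMF_IN_EXEC", and in mm_for_maps, "mm->flags & MMF_IN_EXEC", both operate on mask 4, which is bit 2, while the clear_bit(MMF_IN_EXEC, ...) call in compute_creds clears bit number 4. As written, the bit set at the start of exec is still set after credentials are applied, so the new mm_for_maps check keeps rejecting other tasks unless something else happens to clear bit 2. Bit 2 is also the bit number the sched.h context assigns to MMF_DUMP_ANON_PRIVATE, so the flag overlaps the coredump filter bits. The open question in the define's own comment ("Not sure we can use 4 ....") should be settled before this is applied: choose a bit number that does not overlap the dump filter bits and use set_bit, test_bit and clear_bit consistently in all three places.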
Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 3 01:48:39 2009 (r14714)
+++ dists/lenny/linux-2.6/debian/patches/series/21 Thu Dec 3 02:34:15 2009 (r14715)
@@ -36,3 +36,4 @@
+ features/x86/hpilo-new-pci-device.patch
+ bugfix/all/atl1e-remove-broken-tsov6.patch
+ features/all/atl1e-allow-offload-disable.patch
++ bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch