[kernel] r14715 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 3 02:34:16 UTC 2009


Author: dannf
Date: Thu Dec  3 02:34:15 2009
New Revision: 14715

Log:
Avoid /proc/$pid/maps visibility during initial setuid ELF loading
(CVE-2009-2691)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/21

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Thu Dec  3 01:48:39 2009	(r14714)
+++ dists/lenny/linux-2.6/debian/changelog	Thu Dec  3 02:34:15 2009	(r14715)
@@ -30,6 +30,8 @@
   * isdn: hfc_usb: Fix read buffer overflow (CVE-2009-4005)
   * fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
   * hpilo: new PCI ID (Closes: #559064)
+  * Avoid /proc/$pid/maps visibility during initial setuid ELF loading
+    (CVE-2009-2691)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 24 Oct 2009 23:45:45 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch	Thu Dec  3 02:34:15 2009	(r14715)
@@ -0,0 +1,59 @@
+kernel: /proc/$pid/maps visible during initial setuid ELF loading
+
+Description of problem:
+From Kees Cook: Steve Beattie and I noticed that the /proc/$pid/maps and smaps
+files are readable during ELF loading for processes that a user should not
+normally be able to see (for example, when launching a setuid process).  
+
+Oleg Nesterov wrote the original version of this patch and Clark Williams
+slighly modified it.
+
+Author: Oleg Nesterov <onestero at redhat.com>
+Signed-off-by: Clark Williams <williams at redhat.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/exec.c linux-source-2.6.26/fs/exec.c
+--- linux-source-2.6.26.orig/fs/exec.c	2009-10-23 16:53:12.000000000 -0600
++++ linux-source-2.6.26/fs/exec.c	2009-12-02 13:18:15.000000000 -0700
+@@ -355,6 +355,7 @@ int bprm_mm_init(struct linux_binprm *bp
+ 	if (err)
+ 		goto err;
+ 
++	mm->flags |= MMF_IN_EXEC;
+ 	return 0;
+ 
+ err:
+@@ -1103,6 +1104,7 @@ void compute_creds(struct linux_binprm *
+ 	task_lock(current);
+ 	unsafe = unsafe_exec(current);
+ 	security_bprm_apply_creds(bprm, unsafe);
++	clear_bit(MMF_IN_EXEC, &current->mm->flags);
+ 	task_unlock(current);
+ 	security_bprm_post_apply_creds(bprm);
+ }
+diff -urpN linux-source-2.6.26.orig/fs/proc/base.c linux-source-2.6.26/fs/proc/base.c
+--- linux-source-2.6.26.orig/fs/proc/base.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/proc/base.c	2009-12-02 13:18:15.000000000 -0700
+@@ -251,7 +251,8 @@ struct mm_struct *mm_for_maps(struct tas
+ 	task_lock(task);
+ 	if (task->mm != mm)
+ 		goto out;
+-	if (task->mm != current->mm && __ptrace_may_attach(task) < 0)
++	if (task->mm != current->mm && ((mm->flags & MMF_IN_EXEC) ||
++					__ptrace_may_attach(task) < 0))
+ 		goto out;
+ 	task_unlock(task);
+ 	return mm;
+diff -urpN linux-source-2.6.26.orig/include/linux/sched.h linux-source-2.6.26/include/linux/sched.h
+--- linux-source-2.6.26.orig/include/linux/sched.h	2009-10-23 16:53:12.000000000 -0600
++++ linux-source-2.6.26/include/linux/sched.h	2009-12-02 13:18:15.000000000 -0700
+@@ -395,6 +395,8 @@ extern int get_dumpable(struct mm_struct
+ #define MMF_DUMP_SECURELY 1  /* core file is readable only by root */
+ #define MMF_DUMPABLE_BITS 2
+ 
++#define MMF_IN_EXEC	  4  /* Not sure we can use 4 .... */
++
+ /* coredump filter bits */
+ #define MMF_DUMP_ANON_PRIVATE	2
+ #define MMF_DUMP_ANON_SHARED	3
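Review bot: MMF_IN_EXEC is used inconsistently across the three files touched by the new patch: `mm->flags |= MMF_IN_EXEC` in bprm_mm_init and `mm->flags & MMF_IN_EXEC` in mm_for_maps treat the value 4 as a mask (bit 2), while `clear_bit(MMF_IN_EXEC, &current->mm->flags)` in compute_creds treats it as a bit index (bit 4, mask 16), so the clear never undoes the set and, if the neighbouring `MMF_DUMP_ANON_PRIVATE 2` is a bit number like the other MMF_* defines, the mask form also lands on that bit. The likely effect is that the mm stays flagged after credentials are applied and mm_for_maps keeps refusing the maps of every exec'd process to other tasks, which is a functional regression rather than just a weaker fix; the sched.h comment `/* Not sure we can use 4 .... */` suggests the numbering was not settled. The other MMF_* macros in that header are bit numbers, so the consistent form is `set_bit(MMF_IN_EXEC, &mm->flags);` in bprm_mm_init and `test_bit(MMF_IN_EXEC, &mm->flags)` in mm_for_maps, with MMF_IN_EXEC assigned a bit number outside the coredump filter range, whose definitions continue past the hunk. All three enclosing functions (bprm_mm_init, compute_creds, mm_for_maps) start outside the hunk, so whether a flag left set on the new mm can survive an exec failure path is not visible here and is worth confirming.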

Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec  3 01:48:39 2009	(r14714)
+++ dists/lenny/linux-2.6/debian/patches/series/21	Thu Dec  3 02:34:15 2009	(r14715)
@@ -36,3 +36,4 @@
 + features/x86/hpilo-new-pci-device.patch
 + bugfix/all/atl1e-remove-broken-tsov6.patch
 + features/all/atl1e-allow-offload-disable.patch
++ bugfix/all/maps-visible-during-initial-setuid-ELF-loading.patch


