[kernel] r13955 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jul 17 05:51:15 UTC 2009
Author: dannf
Date: Fri Jul 17 05:51:13 2009
New Revision: 13955
Log:
personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/3
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Fri Jul 17 05:43:29 2009 (r13954)
+++ dists/sid/linux-2.6/debian/changelog Fri Jul 17 05:51:13 2009 (r13955)
@@ -11,6 +11,7 @@
[ dann frazier ]
* Fix NULL pointer dereference in tun_chr_pool() (CVE-2009-1897)
+ * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
-- Bastian Blank <waldi at debian.org> Wed, 08 Jul 2009 09:51:46 +0200
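Review bot: the added changelog line (`+ * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)`) only repeats the upstream subject, so someone reading the changelog cannot tell what the fix changes for them. Suggest wording it in terms of the effect the attached patch actually has, e.g. `* personality: also clear ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO on setuid/setgid exec (CVE-2009-1895)`, so the security impact (a setuid process could previously inherit a personality that allows the zero page to be mapped, or that disables most of ASLR on 32-bit x86) is visible without opening the patch file.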
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch Fri Jul 17 05:51:13 2009 (r13955)
@@ -0,0 +1,52 @@
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
+Author: Julien Tinnes <jt at cr0.org>
+Date: Fri Jun 26 20:27:40 2009 +0200
+
+ personality: fix PER_CLEAR_ON_SETID
+
+ We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+ include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+ The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+ We believe it is important to add MMAP_PAGE_ZERO, because by using this
+ personality it is possible to have the first page mapped inside a
+ process running as setuid root. This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+ running a setuid binary that would drop privileges before giving us
+ control back (for instance by loading a user-supplied library), we
+ could get the first page mapped in a process we control. By further
+ using mremap and mprotect on this mapping, we can then completely
+ bypass the mmap_min_addr restrictions.
+
+ Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+ since on x86 32bits it will in practice disable most of the address
+ space layout randomization (only the stack will remain randomized).
+
+ Signed-off-by: Julien Tinnes <jt at cr0.org>
+ Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
+ Cc: stable at kernel.org
+ Acked-by: Christoph Hellwig <hch at infradead.org>
+ Acked-by: Kees Cook <kees at ubuntu.com>
+ Acked-by: Eugene Teo <eugene at redhat.com>
+ [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+ * Security-relevant compatibility flags that must be
+ * cleared upon setuid or setgid exec:
+ */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
++ ADDR_NO_RANDOMIZE | \
++ ADDR_COMPAT_LAYOUT | \
++ MMAP_PAGE_ZERO)
+
+ /*
+ * Personality types.
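Review bot: the patch file keeps the upstream commit id (f9fabcb58a6d26d6efde842d1703ac7cfa9427b6) and the full description, which is good for provenance, but nothing records which upstream or stable release first carries it, so there is no cue for when this local copy can be dropped; consider a line near the top such as `Upstream: [first release containing f9fabcb5]` (placeholder, to be filled in with the real version). The change itself reads correctly: PER_CLEAR_ON_SETID grows from two flags to four, each of the three added continuation lines ends in `\` so the macro is still a single expression, and the hunk header counts (`-40,7 +40,10`) match one removed and four added lines. Since the upstream log says whitespace was adjusted on Christoph's request and the leading indentation of the continuation lines is not visible in this listing, confirm the file was copied byte-for-byte from the upstream commit so it applies without fuzz.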
Modified: dists/sid/linux-2.6/debian/patches/series/3
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/3 Fri Jul 17 05:43:29 2009 (r13954)
+++ dists/sid/linux-2.6/debian/patches/series/3 Fri Jul 17 05:51:13 2009 (r13955)
@@ -1,3 +1,4 @@
+ bugfix/arm/export-__cpuc_flush_dcache_page.patch
+ bugfix/ia64/fix-asm-fpu-h.patch
+ bugfix/all/tun-tap-fix-crash-on-open-and-poll.patch
++ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch