[kernel] r13981 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jul 20 05:48:40 UTC 2009


Author: dannf
Date: Mon Jul 20 05:48:38 2009
New Revision: 13981

Log:
personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
      - copied unchanged from r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Jul 20 04:53:45 2009	(r13980)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Jul 20 05:48:38 2009	(r13981)
@@ -7,6 +7,7 @@
   * [sparc64] Fix crash when reading /proc/iomem w/ heap memory checking
     (CVE-2009-1914)
   * splice: fix deadlock in ocfs2 (CVE-2009-1961)
+  * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
 
  -- dann frazier <dannf at debian.org>  Sat, 06 Jun 2009 09:49:28 -0600
 
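Review bot: the new changelog line names only the macro (PER_CLEAR_ON_SETID) and the CVE, which gives an etch user no idea what was actually wrong. Since the copied patch spells it out, a short clause such as "(clear MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT on setuid/setgid exec)" would make the entry self-explanatory for anyone reading apt's changelog output.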

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch (from r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch	Mon Jul 20 05:48:38 2009	(r13981, copy of r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
@@ -0,0 +1,52 @@
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
+Author: Julien Tinnes <jt at cr0.org>
+Date:   Fri Jun 26 20:27:40 2009 +0200
+
+    personality: fix PER_CLEAR_ON_SETID
+    
+    We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+    include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+    
+    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+    
+    We believe it is important to add MMAP_PAGE_ZERO, because by using this
+    personality it is possible to have the first page mapped inside a
+    process running as setuid root.  This could be used in those scenarios:
+    
+     - Exploiting a NULL pointer dereference issue in a setuid root binary
+     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+       running a setuid binary that would drop privileges before giving us
+       control back (for instance by loading a user-supplied library), we
+       could get the first page mapped in a process we control.  By further
+       using mremap and mprotect on this mapping, we can then completely
+       bypass the mmap_min_addr restrictions.
+    
+    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+    since on x86 32bits it will in practice disable most of the address
+    space layout randomization (only the stack will remain randomized).
+    
+    Signed-off-by: Julien Tinnes <jt at cr0.org>
+    Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
+    Cc: stable at kernel.org
+    Acked-by: Christoph Hellwig <hch at infradead.org>
+    Acked-by: Kees Cook <kees at ubuntu.com>
+    Acked-by: Eugene Teo <eugene at redhat.com>
+    [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+  * Security-relevant compatibility flags that must be
+  * cleared upon setuid or setgid exec:
+  */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
++			    ADDR_NO_RANDOMIZE  | \
++			    ADDR_COMPAT_LAYOUT | \
++			    MMAP_PAGE_ZERO)
+ 
+ /*
+  * Personality types.
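Review bot: the patch is copied unchanged from the sid linux-2.6 tree, and its `index a84e9ff..1261208` line refers to upstream blobs that do not exist in 2.6.24, so it is worth confirming with a quilt push that the `@@ -40,7 +40,10 @@ enum {` hunk applies to the etch personality.h (possibly at an offset) rather than relying on the copy alone. The fix is only effective through this macro, so it is also worth checking that the 2.6.24 setuid/setgid exec path clears the personality via PER_CLEAR_ON_SETID and not via an open-coded READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE mask, which the header comment ("cleared upon setuid or setgid exec") would otherwise promise but not deliver.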

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Mon Jul 20 04:53:45 2009	(r13980)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Mon Jul 20 05:48:38 2009	(r13981)
@@ -4,3 +4,4 @@
 + bugfix/all/cifs-fix-unicode-string-area-word-alignment-in-session-setup.patch
 + bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
 + bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
++ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
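Review bot: appending the patch at the end of 6~etchnhalf.8etch2 is fine ordering-wise, as it touches only include/linux/personality.h and none of the preceding cifs or sparc64 entries touch that file. Since it is now the last entry, a full quilt push through the series is the cheapest way to confirm it applies cleanly on top of the others before the upload.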


