[kernel] r14012 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jul 25 20:59:53 UTC 2009
Author: dannf
Date: Sat Jul 25 20:59:49 2009
New Revision: 14012
Log:
personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
- copied unchanged from r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/17lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Jul 25 18:24:56 2009 (r14011)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Jul 25 20:59:49 2009 (r14012)
@@ -2,6 +2,7 @@
* [KVM] x86: check for cr3 validity in ioctl_set_sregs
(CVE-2009-2287)
+ * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
-- dann frazier <dannf at debian.org> Sun, 05 Jul 2009 22:57:23 -0600
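Review bot: the new entry "+ * personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)" is added to an existing stanza whose trailer still reads "Sun, 05 Jul 2009 22:57:23 -0600", so the stanza date needs refreshing before the upload is built (dch -r does this). The entry also only names the symbol; a short user-facing clause such as "clear MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT on setuid/setgid exec" would let readers of the security changelog understand the change without opening the patch.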
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch (from r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch Sat Jul 25 20:59:49 2009 (r14012, copy of r13973, dists/sid/linux-2.6/debian/patches/bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch)
@@ -0,0 +1,52 @@
+commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
+Author: Julien Tinnes <jt at cr0.org>
+Date: Fri Jun 26 20:27:40 2009 +0200
+
+ personality: fix PER_CLEAR_ON_SETID
+
+ We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+ include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+ The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+ We believe it is important to add MMAP_PAGE_ZERO, because by using this
+ personality it is possible to have the first page mapped inside a
+ process running as setuid root. This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+ running a setuid binary that would drop privileges before giving us
+ control back (for instance by loading a user-supplied library), we
+ could get the first page mapped in a process we control. By further
+ using mremap and mprotect on this mapping, we can then completely
+ bypass the mmap_min_addr restrictions.
+
+ Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+ since on x86 32bits it will in practice disable most of the address
+ space layout randomization (only the stack will remain randomized).
+
+ Signed-off-by: Julien Tinnes <jt at cr0.org>
+ Signed-off-by: Tavis Ormandy <taviso at sdf.lonestar.org>
+ Cc: stable at kernel.org
+ Acked-by: Christoph Hellwig <hch at infradead.org>
+ Acked-by: Kees Cook <kees at ubuntu.com>
+ Acked-by: Eugene Teo <eugene at redhat.com>
+ [ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+ * Security-relevant compatibility flags that must be
+ * cleared upon setuid or setgid exec:
+ */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
++ ADDR_NO_RANDOMIZE | \
++ ADDR_COMPAT_LAYOUT | \
++ MMAP_PAGE_ZERO)
+
+ /*
+ * Personality types.
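Review bot: the replacement define references two flags, ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO, that must already be members of the enum this hunk sits inside ("@@ -40,7 +40,10 @@ enum {") in the lenny tree, or include/linux/personality.h stops compiling; since the patch was copied unchanged from sid (r13973), which tracks a newer kernel, a build of the lenny-security package is worth doing before upload rather than relying on the quilt apply succeeding. As rendered here the continuation lines of the multi-line define ("+ ADDR_NO_RANDOMIZE | \", "+ ADDR_COMPAT_LAYOUT | \", "+ MMAP_PAGE_ZERO)") have lost their leading whitespace, so anyone reapplying this should take the patch from the repository copy, not from this mail. Finally, the patch file carries the upstream commit id f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 but not the CVE id; recording CVE-2009-1895 in the patch header as well as the changelog makes the security origin traceable from the patch directory alone.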
Modified: dists/lenny-security/linux-2.6/debian/patches/series/17lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/17lenny1 Sat Jul 25 18:24:56 2009 (r14011)
+++ dists/lenny-security/linux-2.6/debian/patches/series/17lenny1 Sat Jul 25 20:59:49 2009 (r14012)
@@ -1 +1,2 @@
+ bugfix/x86/kvm-check-for-cr3-validity-in-ioctl_set_sregs.patch
++ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
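Review bot: the new line "++ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch" is appended after the KVM cr3 patch; the two touch disjoint files (include/linux/personality.h versus the x86 KVM ioctl code), so ordering within 17lenny1 is not a concern. Do confirm that 17lenny1 is the series file matching the changelog stanza extended in this same commit, since the stanza was amended rather than a new version opened, and a mismatch would leave the CVE fix listed in the changelog but absent from the built kernel.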