[kernel] r16092 - in dists: lenny-security/linux-2.6 lenny-security/linux-2.6/debian lenny-security/linux-2.6/debian/patches/bugfix/all lenny-security/linux-2.6/debian/patches/features/all/openvz lenny-security/linux-2.6/debian/patches/series lenny/linux-2.6/debian lenny/linux-2.6/debian/patches/bugfix/all lenny/linux-2.6/debian/patches/features/all/openvz lenny/linux-2.6/debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 6 02:08:55 UTC 2010
Author: dannf
Date: Fri Aug 6 02:08:51 2010
New Revision: 16092
Log:
broke through security, fix through security
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
- copied unchanged from r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
Deleted:
dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
Modified:
dists/lenny-security/linux-2.6/ (props changed)
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
dists/lenny/linux-2.6/debian/patches/series/25
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Aug 6 02:08:51 2010 (r16092)
@@ -7,6 +7,8 @@
* nfsd4: bug in read_buf (CVE-2010-2521)
* GFS2: rename causes kernel Oops (CVE-2010-2798)
* [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
+ * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
+ regression due to fix for CVE-2010-0307)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
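Review bot: the trailer line `-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600` is left unchanged while a new entry is added above it, so the changelog block now carries a date more than a month older than this revision (Fri Aug 6 2010). That is harmless while the entry is still being assembled, but the trailer should be refreshed when the upload is cut, and the entry text itself is good: naming both the Debian bug (#589179) and the CVE whose fix caused the regression (CVE-2010-0307) makes it easy to trace why a behavioural change ships in a security update.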
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch (from r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch Fri Aug 6 02:08:51 2010 (r16092, copy of r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
@@ -0,0 +1,63 @@
+From 7ad2dabd30866715de71b2d3f0be136c0a26b3bd Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 2 Feb 2010 12:37:44 -0800
+Subject: [PATCH] Fix 'flush_old_exec()/setup_new_exec()' split
+
+commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream.
+
+Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
+the function at the point of no return - ie right where there were no
+more error cases to check. That made sense from a technical standpoint,
+but when we then also combined it with the actual personality setting
+going in between flush_old_exec() and setup_new_exec(), it needs to be a
+bit more careful.
+
+In particular, we need to make sure that we really flush the old
+personality bits in the 'flush' stage, rather than later in the 'setup'
+stage, since otherwise we might be flushing the _new_ personality state
+that we're just setting up.
+
+So this moves the flags and personality flushing (and 'flush_thread()',
+which is the arch-specific function that generally resets lazy FP state
+etc) of the old process into flush_old_exec(), so that it doesn't affect
+any state that execve() is setting up for the new process environment.
+
+This was reported by Michal Simek as breaking his Microblaze qemu
+environment.
+
+Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
+Cc: Peter Anvin <hpa at zytor.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.26]
+---
+ fs/exec.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f12ede3..164ac13 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -967,6 +967,10 @@ int flush_old_exec(struct linux_binprm * bprm)
+ goto out;
+
+ bprm->mm = NULL; /* We're using it now */
++
++ current->flags &= ~PF_RANDOMIZE;
++ flush_thread();
++
+ return 0;
+
+ out:
+@@ -1003,9 +1007,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ tcomm[i] = '\0';
+ set_task_comm(current, tcomm);
+
+- current->flags &= ~PF_RANDOMIZE;
+- flush_thread();
+-
+ /* Set the new mm task size. We have to do that late because it may
+ * depend on TIF_32BIT which is only updated in flush_thread() on
+ * some architectures like powerpc
+--
+1.7.1
+
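Review bot: in the nested `fs/exec.c` hunk for `setup_new_exec()`, the retained comment "We have to do that late because it may depend on TIF_32BIT which is only updated in flush_thread() on some architectures like powerpc" now refers to a `flush_thread()` call that no longer lives in this function; it has moved into `flush_old_exec()`, which still runs before `setup_new_exec()` in the execve path, so the ordering dependency holds, but a reader of the backported file will not see where the call went. Suggest amending the comment in the backport to say that `flush_thread()` now runs in `flush_old_exec()`. The placement in the `flush_old_exec()` hunk is right: the two added lines sit after `bprm->mm = NULL;` and past the last `goto out`, so the old thread state is only flushed once the exec cannot fail back into the old image, which is exactly the "point of no return" property the commit message describes.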
Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch Fri Aug 6 02:08:51 2010 (r16092)
@@ -7875,9 +7875,9 @@
goto out;
- bprm->mm = NULL; /* We're using it now */
- return 0;
- out:
+ current->flags &= ~PF_RANDOMIZE;
+ flush_thread();
@@ -1275,6 +1303,10 @@ int do_execve(char * filename,
struct files_struct *displaced;
int retval;
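Review bot: this hunk cannot be checked from what is shown: the header `@@ -7875,9 +7875,9 @@` announces nine lines on each side, but only six body lines survive and the nested `-`/`+` markers that openvz.patch itself carries appear to have been stripped, so the intent (re-basing the `flush_old_exec()` context in openvz.patch onto the moved `current->flags &= ~PF_RANDOMIZE;` / `flush_thread();` lines) can only be confirmed against the repository. Since a context mismatch in openvz.patch would surface only when the patch series is applied at build time, please confirm that the full lenny-security series, including the openvz feature patch, applies cleanly after this change.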
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Fri Aug 6 02:08:51 2010 (r16092)
@@ -5,3 +5,4 @@
+ bugfix/all/nfsd4-bug-in-read_buf.patch
+ bugfix/all/gfs2-rename-causes-kernel-oops.patch
+ bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
++ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
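Review bot: the new series entry is appended after `bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch`, and the header `@@ -5,3 +5,4 @@` agrees with one added line. What this fragment does not show is where `features/all/openvz/openvz.patch` is applied relative to it; the openvz.patch edit in this same commit adds the `PF_RANDOMIZE`/`flush_thread()` lines as context, which only works if openvz.patch is applied after this exec fix, so the order of the two needs to be confirmed against the rest of the series.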
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny/linux-2.6/debian/changelog Fri Aug 6 02:08:51 2010 (r16092)
@@ -2,8 +2,6 @@
[ Ben Hutchings ]
* pid_ns: Ensure that child_reaper is always valid (Closes: #570350)
- * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
- regression due to fix for CVE-2010-0307)
[ Moritz Muehlenhoff ]
* parport: quickfix the proc registration bug (Closes: #588672)
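Review bot: the header `@@ -2,8 +2,6 @@` matches the two removed lines, and the surrounding `[ Ben Hutchings ]` and `[ Moritz Muehlenhoff ]` sections are left intact. With the entry gone from the lenny changelog, the only record that #589179 is addressed is the lenny-security changelog entry added in this same commit, so the bug will be closed by the security upload rather than the next point release; the commit log ("broke through security, fix through security") states that intent, and it may be worth noting it in the lenny changelog as well so the omission is not mistaken for the fix being dropped.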
Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch Fri Aug 6 02:08:51 2010 (r16092)
@@ -7875,9 +7875,9 @@
goto out;
- bprm->mm = NULL; /* We're using it now */
+ return 0;
- current->flags &= ~PF_RANDOMIZE;
- flush_thread();
+ out:
@@ -1275,6 +1303,10 @@ int do_execve(char * filename,
struct files_struct *displaced;
int retval;
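Review bot: this is the mirror image of the lenny-security openvz.patch hunk and has the same problem: `@@ -7875,9 +7875,9 @@` does not account for the lines shown once the nested diff markers are lost. Removing `current->flags &= ~PF_RANDOMIZE;` and `flush_thread();` from the openvz.patch context is consistent with dropping the exec fix from series/25 in this commit, but it also means lenny's openvz.patch again expects the pre-fix `flush_old_exec()`, so the two changes must be applied together; a revision that picks up one without the other will fail to apply the openvz feature patch.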
Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25 Fri Aug 6 01:50:14 2010 (r16091)
+++ dists/lenny/linux-2.6/debian/patches/series/25 Fri Aug 6 02:08:51 2010 (r16092)
@@ -1,4 +1,4 @@
+ bugfix/all/pid_ns-zap_pid_ns_processes-fix-the-child_reaper.patch
+ bugfix/all/pid_ns-change-child_reaper-when-init-group_leader-exits.patch
+ bugfix/all/parport-quickfix-proc-registration.patch
-+ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
+
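Review bot: the header `@@ -1,4 +1,4 @@` is inconsistent with a hunk that removes one line and adds none; a trailing line consisting of a bare `+` is shown where the fourth new-side line should be. A series entry with no path after the `+` would not be a valid entry, so please confirm that series/25 actually ends after `bugfix/all/parport-quickfix-proc-registration.patch` and that the lone `+` is an artifact of this mail rather than content of the file.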