[kernel] r16092 - in dists: lenny-security/linux-2.6 lenny-security/linux-2.6/debian lenny-security/linux-2.6/debian/patches/bugfix/all lenny-security/linux-2.6/debian/patches/features/all/openvz lenny-security/linux-2.6/debian/patches/series lenny/linux-2.6/debian lenny/linux-2.6/debian/patches/bugfix/all lenny/linux-2.6/debian/patches/features/all/openvz lenny/linux-2.6/debian/patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 6 02:08:55 UTC 2010


Author: dannf
Date: Fri Aug  6 02:08:51 2010
New Revision: 16092

Log:
broke through security, fix through security

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
      - copied unchanged from r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
Deleted:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
Modified:
   dists/lenny-security/linux-2.6/   (props changed)
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny-security/linux-2.6/debian/changelog	Fri Aug  6 02:08:51 2010	(r16092)
@@ -7,6 +7,8 @@
   * nfsd4: bug in read_buf (CVE-2010-2521)
   * GFS2: rename causes kernel Oops (CVE-2010-2798)
   * [parisc] fix potential stack overflow in led_proc_write() (CVE-REQUESTED)
+  * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
+    regression due to fix for CVE-2010-0307)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 
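Review bot: no maintainer heading is visible around the new entry in this hunk, while the copy removed from dists/lenny sat under a [ Ben Hutchings ] heading and the patch itself carries "[bwh: Backport to 2.6.26]"; keep that attribution when moving the entry across branches. The unchanged trailer directly below it is still dated Wed, 30 Jun 2010, so it will need refreshing when the lenny-security upload is finalized.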

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch (from r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch	Fri Aug  6 02:08:51 2010	(r16092, copy of r15989, dists/lenny/linux-2.6/debian/patches/bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch)
@@ -0,0 +1,63 @@
+From 7ad2dabd30866715de71b2d3f0be136c0a26b3bd Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 2 Feb 2010 12:37:44 -0800
+Subject: [PATCH] Fix 'flush_old_exec()/setup_new_exec()' split
+
+commit 7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d upstream.
+
+Commit 221af7f87b9 ("Split 'flush_old_exec' into two functions") split
+the function at the point of no return - ie right where there were no
+more error cases to check.  That made sense from a technical standpoint,
+but when we then also combined it with the actual personality setting
+going in between flush_old_exec() and setup_new_exec(), it needs to be a
+bit more careful.
+
+In particular, we need to make sure that we really flush the old
+personality bits in the 'flush' stage, rather than later in the 'setup'
+stage, since otherwise we might be flushing the _new_ personality state
+that we're just setting up.
+
+So this moves the flags and personality flushing (and 'flush_thread()',
+which is the arch-specific function that generally resets lazy FP state
+etc) of the old process into flush_old_exec(), so that it doesn't affect
+any state that execve() is setting up for the new process environment.
+
+This was reported by Michal Simek as breaking his Microblaze qemu
+environment.
+
+Reported-and-tested-by: Michal Simek <michal.simek at petalogix.com>
+Cc: Peter Anvin <hpa at zytor.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backport to 2.6.26]
+---
+ fs/exec.c |    7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index f12ede3..164ac13 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -967,6 +967,10 @@ int flush_old_exec(struct linux_binprm * bprm)
+ 		goto out;
+ 
+ 	bprm->mm = NULL;		/* We're using it now */
++
++	current->flags &= ~PF_RANDOMIZE;
++	flush_thread();
++
+ 	return 0;
+ 
+ out:
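Review bot: the two moved lines land after `bprm->mm = NULL;` and the last visible `goto out;`, which is only safe because nothing between there and `return 0;` can fail; an execve that ran `flush_thread()` and cleared PF_RANDOMIZE and then bailed out would return to the old image with its lazy FP state already discarded. A one-line comment marking this as the point of no return would stop a later backport from inserting a failing call above these lines. This hunk only clears PF_RANDOMIZE; the code that re-sets it for randomized personalities is outside the visible context, so confirm the 2.6.26 setup_new_exec() still does that after the personality is established, otherwise every exec'd binary loses randomization.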
+@@ -1003,9 +1007,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ 	tcomm[i] = '\0';
+ 	set_task_comm(current, tcomm);
+ 
+-	current->flags &= ~PF_RANDOMIZE;
+-	flush_thread();
+-
+ 	/* Set the new mm task size. We have to do that late because it may
+ 	 * depend on TIF_32BIT which is only updated in flush_thread() on
+ 	 * some architectures like powerpc
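Review bot: the comment left at the bottom of this hunk still says TIF_32BIT "is only updated in flush_thread() on some architectures like powerpc", but flush_thread() no longer runs in setup_new_exec(); reword it to say the flush already happened in flush_old_exec() so the ordering dependency between the two halves stays documented next to the code that relies on it.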
+-- 
+1.7.1
+

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Aug  6 02:08:51 2010	(r16092)
@@ -7875,9 +7875,9 @@
  		goto out;
  
 -	bprm->mm = NULL;		/* We're using it now */
- 	return 0;
  
- out:
+ 	current->flags &= ~PF_RANDOMIZE;
+ 	flush_thread();
 @@ -1275,6 +1303,10 @@ int do_execve(char * filename,
  	struct files_struct *displaced;
  	int retval;
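Review bot: this is a context-only refresh, not a change to what openvz does: the openvz "-" line deleting `bprm->mm = NULL;` is untouched, and the surrounding context now reads `current->flags &= ~PF_RANDOMIZE;` and `flush_thread();` where it previously read `return 0;` and `out:`, so openvz.patch applies on top of the exec fix. Because openvz removes the very line the exec fix anchors its new code after, it is worth building the openvz flavour and checking that the resulting fs/exec.c still clears PF_RANDOMIZE and calls flush_thread() at a point where flush_old_exec() can no longer fail.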

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Fri Aug  6 02:08:51 2010	(r16092)
@@ -5,3 +5,4 @@
 + bugfix/all/nfsd4-bug-in-read_buf.patch
 + bugfix/all/gfs2-rename-causes-kernel-oops.patch
 + bugfix/parisc/fix-potential-stack-overflow-in-led_proc_write.patch
++ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
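Review bot: the new entry goes last in 24lenny1, after the parisc fix, which is fine for a self-contained fs/exec.c change; but openvz.patch was refreshed in this same commit to expect the flush lines already present, so the series stacking must apply this patch before the openvz featureset patch. Confirm that is the order in which the featureset series is applied, or the openvz build will fail at openvz.patch.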

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny/linux-2.6/debian/changelog	Fri Aug  6 02:08:51 2010	(r16092)
@@ -2,8 +2,6 @@
 
   [ Ben Hutchings ]
   * pid_ns: Ensure that child_reaper is always valid (Closes: #570350)
-  * exec: Fix 'flush_old_exec()/setup_new_exec()' split (Closes: #589179;
-    regression due to fix for CVE-2010-0307)
 
   [ Moritz Muehlenhoff ]
   * parport: quickfix the proc registration bug (Closes: #588672)
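Review bot: dropping the entry here is consistent with moving the patch to lenny-security, and the lenny-security changelog hunk in this commit carries the same "Closes: #589179" line, so the bug is still closed by an upload; just make sure the lenny-security upload is the one that goes out first, otherwise #589179 stays open while lenny's history no longer mentions it.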

Modified: dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Aug  6 02:08:51 2010	(r16092)
@@ -7875,9 +7875,9 @@
  		goto out;
  
 -	bprm->mm = NULL;		/* We're using it now */
+ 	return 0;
  
- 	current->flags &= ~PF_RANDOMIZE;
- 	flush_thread();
+ out:
 @@ -1275,6 +1303,10 @@ int do_execve(char * filename,
  	struct files_struct *displaced;
  	int retval;
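Review bot: this is the mirror image of the refresh applied to the lenny-security copy: the context reverts from `current->flags &= ~PF_RANDOMIZE;` / `flush_thread();` back to `return 0;` / `out:`. That is correct only if lenny's tree at this point no longer contains the moved lines, i.e. the exec patch is gone from every lenny series file, which the series/25 hunk in this commit does; a test-apply of the lenny openvz featureset after this commit would confirm nothing else still carries it.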

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Fri Aug  6 01:50:14 2010	(r16091)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Fri Aug  6 02:08:51 2010	(r16092)
@@ -1,4 +1,4 @@
 + bugfix/all/pid_ns-zap_pid_ns_processes-fix-the-child_reaper.patch
 + bugfix/all/pid_ns-change-child_reaper-when-init-group_leader-exits.patch
 + bugfix/all/parport-quickfix-proc-registration.patch
-+ bugfix/all/exec-Fix-flush_old_exec-setup_new_exec-split.patch
+
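Review bot: the removed entry is replaced by an empty line instead of being deleted outright (the hunk stays -1,4 +1,4 and its last added line is blank), which leaves a stray trailing blank line in series/25; drop the line so the file ends at the parport entry with a -1,4 +1,3 hunk.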
