[kernel] r16617 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 2 13:34:41 UTC 2010
Author: dannf
Date: Thu Dec 2 13:34:37 2010
New Revision: 16617
Log:
posix-cpu-timers: workaround to suppress the problems with mt exec (CVE-2010-4248)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:34:26 2010 (r16616)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Dec 2 13:34:37 2010 (r16617)
@@ -6,6 +6,8 @@
* block: check for proper length of iov entries in blk_rq_map_user_iov()
(CVE-2010-4163)
* bluetooth: Fix missing NULL check (CVE-2010-4242)
+ * posix-cpu-timers: workaround to suppress the problems with mt exec
+ (CVE-2010-4248)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch Thu Dec 2 13:34:37 2010 (r16617)
@@ -0,0 +1,55 @@
+commit ce9f93e8b9de16fedcf73d7f88f3d2352354b102
+Author: Oleg Nesterov <oleg at redhat.com>
+Date: Fri Nov 5 16:53:42 2010 +0100
+
+ posix-cpu-timers: workaround to suppress the problems with mt exec
+
+ posix-cpu-timers.c correctly assumes that the dying process does
+ posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
+ timers from signal->cpu_timers list.
+
+ But, it also assumes that timer->it.cpu.task is always the group
+ leader, and thus the dead ->task means the dead thread group.
+
+ This is obviously not true after de_thread() changes the leader.
+ After that almost every posix_cpu_timer_ method has problems.
+
+ It is not simple to fix this bug correctly. First of all, I think
+ that timer->it.cpu should use struct pid instead of task_struct.
+ Also, the locking should be reworked completely. In particular,
+ tasklist_lock should not be used at all. This all needs a lot of
+ nontrivial and hard-to-test changes.
+
+ Change __exit_signal() to do posix_cpu_timers_exit_group() when
+ the old leader dies during exec. This is not the fix, just the
+ temporary hack to hide the problem for 2.6.37 and stable. IOW,
+ this is obviously wrong but this is what we currently have anyway:
+ cpu timers do not work after mt exec.
+
+ In theory this change adds another race. The exiting leader can
+ detach the timers which were attached to the new leader. However,
+ the window between de_thread() and release_task() is small, we
+ can pretend that sys_timer_create() was called before de_thread().
+
+ Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 2bd672d..b3b6377 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -93,6 +93,14 @@ static void __exit_signal(struct task_struct *tsk)
+ posix_cpu_timers_exit_group(tsk);
+ else {
+ /*
++ * This can only happen if the caller is de_thread().
++ * FIXME: this is the temporary hack, we should teach
++ * posix-cpu-timers to handle this case correctly.
++ */
++ if (unlikely(has_group_leader_pid(tsk)))
++ posix_cpu_timers_exit_group(tsk);
++
++ /*
+ * If there is any task waiting for the group exit
+ * then notify it:
+ */
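Review bot: the comment added in the else branch of __exit_signal() (kernel/exit.c, just above the `if (unlikely(has_group_leader_pid(tsk)))` check) records that this is a temporary hack but not the race the commit message concedes: the exiting old leader can detach timers that were attached to the new leader in the window between de_thread() and release_task(). Suggest carrying that sentence into the FIXME so the trade-off is visible at the call site and not only in the patch header. For this backport it is also worth confirming that has_group_leader_pid() is available in the lenny tree and that the hunk applies at the stated offset, since the index line and @@ offsets are the upstream ones and the patch header carries no backport note.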
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:34:26 2010 (r16616)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Thu Dec 2 13:34:37 2010 (r16617)
@@ -2,3 +2,4 @@
+ bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
+ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
+ bugfix/all/bluetooth-fix-missing-NULL-check.patch
++ bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch