[kernel] r16617 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 2 13:34:41 UTC 2010


Author: dannf
Date: Thu Dec  2 13:34:37 2010
New Revision: 16617

Log:
posix-cpu-timers: workaround to suppress the problems with mt exec (CVE-2010-4248)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:34:26 2010	(r16616)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Dec  2 13:34:37 2010	(r16617)
@@ -6,6 +6,8 @@
   * block: check for proper length of iov entries in blk_rq_map_user_iov()
     (CVE-2010-4163)
   * bluetooth: Fix missing NULL check (CVE-2010-4242)
+  * posix-cpu-timers: workaround to suppress the problems with mt exec
+    (CVE-2010-4248)
 
  -- dann frazier <dannf at debian.org>  Wed, 01 Dec 2010 20:32:11 -0700
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch	Thu Dec  2 13:34:37 2010	(r16617)
@@ -0,0 +1,55 @@
+commit ce9f93e8b9de16fedcf73d7f88f3d2352354b102
+Author: Oleg Nesterov <oleg at redhat.com>
+Date:   Fri Nov 5 16:53:42 2010 +0100
+
+    posix-cpu-timers: workaround to suppress the problems with mt exec
+    
+    posix-cpu-timers.c correctly assumes that the dying process does
+    posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
+    timers from signal->cpu_timers list.
+    
+    But, it also assumes that timer->it.cpu.task is always the group
+    leader, and thus the dead ->task means the dead thread group.
+    
+    This is obviously not true after de_thread() changes the leader.
+    After that almost every posix_cpu_timer_ method has problems.
+    
+    It is not simple to fix this bug correctly. First of all, I think
+    that timer->it.cpu should use struct pid instead of task_struct.
+    Also, the locking should be reworked completely. In particular,
+    tasklist_lock should not be used at all. This all needs a lot of
+    nontrivial and hard-to-test changes.
+    
+    Change __exit_signal() to do posix_cpu_timers_exit_group() when
+    the old leader dies during exec. This is not the fix, just the
+    temporary hack to hide the problem for 2.6.37 and stable. IOW,
+    this is obviously wrong but this is what we currently have anyway:
+    cpu timers do not work after mt exec.
+    
+    In theory this change adds another race. The exiting leader can
+    detach the timers which were attached to the new leader. However,
+    the window between de_thread() and release_task() is small, we
+    can pretend that sys_timer_create() was called before de_thread().
+    
+    Signed-off-by: Oleg Nesterov <oleg at redhat.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 2bd672d..b3b6377 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -93,6 +93,14 @@ static void __exit_signal(struct task_struct *tsk)
+ 		posix_cpu_timers_exit_group(tsk);
+ 	else {
+ 		/*
++		 * This can only happen if the caller is de_thread().
++		 * FIXME: this is the temporary hack, we should teach
++		 * posix-cpu-timers to handle this case correctly.
++		 */
++		if (unlikely(has_group_leader_pid(tsk)))
++			posix_cpu_timers_exit_group(tsk);
++
++		/*
+ 		 * If there is any task waiting for the group exit
+ 		 * then notify it:
+ 		 */
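Review bot: The FIXME comment added in the else branch of __exit_signal() leaves out the race that the commit message itself admits: the exiting old leader can detach timers that were attached to the new leader in the window between de_thread() and release_task(). I suggest recording that next to `if (unlikely(has_group_leader_pid(tsk)))`, so whoever later replaces the hack knows which behaviour to re-test. The statement that this "can only happen if the caller is de_thread()" is asserted only in the comment and nothing in the hunk checks it. Because the embedded diff carries upstream index hashes and offsets for kernel/exit.c, please also confirm that it applies to the lenny tree without fuzz and that has_group_leader_pid() is available there.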

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:34:26 2010	(r16616)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Thu Dec  2 13:34:37 2010	(r16617)
@@ -2,3 +2,4 @@
 + bugfix/all/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
 + bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
 + bugfix/all/bluetooth-fix-missing-NULL-check.patch
++ bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch


